View Full Version : Deleted shortcuts, desktop folders & files reappear!
JonathanHK
2006-12-28, 00:29
I downloaded a program called Mailwasher, found it did not do what I wanted, but after trying to remove it I noticed that its desktop shortcut kept mysteriously reappearing. Then a folder called %SystemDrive% started reappearing on the desktop, and now in addition to those, there is a zip file called NEMAtalker2.zip (which I did download to another location), a SecondCopy 2000 shortcut, and a POPfile UI shortcut that all keep reappearing even after I have deleted the shortcuts, run Spybot and AdAware, and Norton SystemWorks.
I have followed Tashi's instructions and performed all of the steps requested.
Here is the HiJackThis Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 15:05:03 , on 12/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\SimpleDesktop\1.4.2\bin\javaw.exe
C:\Program Files\Utilities\NoteWhen\notewhen.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Downloads\Utilities\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/apx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=30
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Notewhen.lnk = C:\Program Files\Utilities\NoteWhen\notewhen.exe
O4 - Startup: Profiles.dat
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Startup: Second Copy 2000.lnk = C:\Program Files\SecCopy\SecCopy.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SimpleDesktop Server.lnk = C:\Program Files\SimpleDesktop\sdesktopserv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF841E4-B49B-4799-91FF-61D282BE6CE7}: NameServer = 64.66.240.130,216.52.41.1
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
and here is the PandaScan Logfile:
Incident Status Location
Adware:adware/comet Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\JON\Cookies\jon@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\JON\Cookies\jon@ad.yieldmanager[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\JON\Cookies\jon@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\JON\Cookies\jon@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\JON\Cookies\jon@as-us.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\JON\Cookies\jon@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\JON\Cookies\jon@azjmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\JON\Cookies\jon@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\JON\Cookies\jon@burstnet[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\JON\Cookies\jon@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\JON\Cookies\jon@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\JON\Cookies\jon@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\JON\Cookies\jon@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\JON\Cookies\jon@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\JON\Cookies\jon@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\JON\Cookies\jon@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\JON\Cookies\jon@serving-sys[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\JON\Cookies\jon@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\JON\Cookies\jon@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\JON\Cookies\jon@www.burstbeacon[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\JON\Cookies\jon@zedo[2].txt
Dialer:Dialer.B Not disinfected C:\Program Downloads\Linksys\Linksys-Driver W95\WPC11v3 Driver\UTILITY\DATA1.CAB[WPC11Cfg.exe]
pskelley
2006-12-28, 16:16
Welcome to the forum, I am sorry but from the information you posted I am not really sure what your problem is and what you wish to remove from your computer. Please take the time to explain in detail.
The Panda scan is showing all cookies which you should be able to delete except for this item:
Dialer:Dialer.B Not disinfected C:\Program Downloads\Linksys\Linksys-Driver W95\WPC11v3 Driver\UTILITY\DATA1.CAB[WPC11Cfg.exe]
My information show it to be valid and it may be a false positive from Panda:
http://www.liutilities.com/products/wintaskspro/processlibrary/WPC11Cfg/
We sure do not want to remove something that may effect your Linksys Wireless USB Wireless Network Monitor
You can scan that files here: http://virusscan.jotti.org/ to find out if Panda has made an error or if the file is infected.
Then a folder called %SystemDrive% started reappearing on the desktop, and now in addition to those, there is a zip file called NEMAtalker2.zip (which I did download to another location), a SecondCopy 2000 shortcut, and a POPfile UI shortcut that all keep reappearing even after I have deleted the shortcuts, run Spybot and AdAware, and Norton SystemWorks.What exactly does that mean and what exact is it you are trying to remove, at least this:
POPfile UI scans as valid: http://www.liutilities.com/products/wintaskspro/processlibrary/popfileib/
You have me more than a little confused and I can not proceed without clarification.
Do this: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Let's see what a anti-virus program says is bad, follow the instructions in this link, and delete or at least quarantine what it finds, save the scan results, I must see them.
http://forums.security-central.us/showthread.php?t=3165
Post some information so I will know exactly what you are trying to do, the uninstall list from HJT and the scan results from AVG Anti-Spyware. Please also include a fresh HJT log in case something have changed.
Thanks
This topic is closed due to lack of a response.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.
Re-opened upon request. :)
JonathanHK
2007-01-02, 21:42
Thanks for your response. Let's try to deal with just the mysterious folder on the desktop first.
At the end of November, everything was running well. I downloaded a program called "Mailwasher" thinking it would help get rid of SPAM but it did not do what I wanted, so I uninstalled it. However, right after that, a folder appeared on my desktop named %SystemDrive%
This folder has the following sub-folders: %systemdrive%>Documents & Settings>Jon>Application Data>Microsoft>CryptnetURLCache
CryptnetURLCache has two folders under it: Content and Metadata
Each of those folders have what appear to be system files of some sort:
6OE31627FDAOA46932BOE5948949F2A5 and another one like that
There is an identical hierarchy of folders right at the top of the folder list on the C Drive.
If I delete the %systemdrive% folder from the desktop and reboot the computer, nothing bad seems to be affected, but after some period of time, all of a sudden the %systemdrive% folder is back on the desktop again.
Here is the uninstall list from HijackThis:
Active Disk
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Advanced Administrative Tools
AM-DeadLink 2.8.1
ArcSoft Camera Suite
ArcSoft Software Suite
aspi
avast! Antivirus
BCM V.92 56K Modem
Canon Camera Window for ZoomBrowser EX
Canon IJ Network Tool
Canon iP5200R
Canon PhotoRecord
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCHelp
CCleaner (remove only)
CCScore
Classic PhoneTools
Click'N Design 3D (V5)
Convert
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
DellTouch
DivX 5.0.3 Bundle
Easy CD Creator 5 Basic
Easy-WebPrint
eBay Toolbar
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSvpaht
ESSvpot
HAI Dealer PC Access 2.3
HAI Dealer PC Access 2.4a
HijackThis 1.99.1
Intel(R) PRO Network Adapters and Drivers
IomegaWare 4.0.2
IP Owner's Q&A
Java 2 Runtime Environment Standard Edition v1.3.0_02
Jewel Case Creator
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Small Business
Microsoft Windows Journal Viewer
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
Norton SystemWorks 2002
Norton WMI Update
Notifier
NVIDIA Display Driver
NVIDIA Drivers
OTtBP
Paint Shop Pro 7
Panda ActiveScan
Picasa 2
PictureProject
PKZIP for Windows - Shareware Version
Plaxo Toolbar for Outlook and Outlook Express
POPFile 0.22.4
Port Pilot and Log Book Icons
PowerDVD
QuickBooks Basic 2002
Quicken 2006
QuickTime
Registry First Aid
Second Copy 2000
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
SFR
SFR2
SoundMAX
Spybot - Search & Destroy 1.4
Symantec pcAnywhere
Tweaki...for Power Users
Tweakui Powertoy for Windows XP
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Xteq Systems X-Setup 6.2
Here is the scan from AVG AntiSpyware:
__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________
Name: TrackingCookie.247realmedia
Path: C:\Documents and Settings\JON\Cookies\jon@247realmedia[1].txt
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\JON\Cookies\jon@2o7[2].txt
Risk: Medium
Name: TrackingCookie.Pointroll
Path: C:\Documents and Settings\JON\Cookies\jon@ads.pointroll[2].txt
Risk: Medium
Name: TrackingCookie.Advertising
Path: C:\Documents and Settings\JON\Cookies\jon@advertising[1].txt
Risk: Medium
Name: TrackingCookie.Falkag
Path: C:\Documents and Settings\JON\Cookies\jon@as-us.falkag[1].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: C:\Documents and Settings\JON\Cookies\jon@burstnet[2].txt
Risk: Medium
Name: TrackingCookie.Com
Path: C:\Documents and Settings\JON\Cookies\jon@com[1].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: C:\Documents and Settings\JON\Cookies\jon@data2.perf.overture[1].txt
Risk: Medium
Name: TrackingCookie.Doubleclick
Path: C:\Documents and Settings\JON\Cookies\jon@doubleclick[1].txt
Risk: Medium
Name: TrackingCookie.Ru4
Path: C:\Documents and Settings\JON\Cookies\jon@edge.ru4[2].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\JON\Cookies\jon@ehg-chartercommunications.hitbox[1].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\JON\Cookies\jon@ehg-comcast.hitbox[2].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\JON\Cookies\jon@ehg-consumerenergyco.hitbox[1].txt
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\JON\Cookies\jon@geosign.112.2o7[1].txt
Risk: Medium
Name: TrackingCookie.2o7
Path: C:\Documents and Settings\JON\Cookies\jon@hertz.122.2o7[1].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\JON\Cookies\jon@hitbox[2].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: C:\Documents and Settings\JON\Cookies\jon@overture[1].txt
Risk: Medium
Name: TrackingCookie.Overture
Path: C:\Documents and Settings\JON\Cookies\jon@perf.overture[1].txt
Risk: Medium
Name: TrackingCookie.Hitbox
Path: C:\Documents and Settings\JON\Cookies\jon@phg.hitbox[1].txt
Risk: Medium
Name: TrackingCookie.Questionmarket
Path: C:\Documents and Settings\JON\Cookies\jon@questionmarket[1].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: C:\Documents and Settings\JON\Cookies\jon@sales.liveperson[2].txt
Risk: Medium
Name: TrackingCookie.Liveperson
Path: C:\Documents and Settings\JON\Cookies\jon@server.iad.liveperson[1].txt
Risk: Medium
Name: TrackingCookie.Serving-sys
Path: C:\Documents and Settings\JON\Cookies\jon@serving-sys[2].txt
Risk: Medium
Name: TrackingCookie.Tacoda
Path: C:\Documents and Settings\JON\Cookies\jon@tacoda[2].txt
Risk: Medium
Name: TrackingCookie.Trafficmp
Path: C:\Documents and Settings\JON\Cookies\jon@trafficmp[2].txt
Risk: Medium
Name: TrackingCookie.Tribalfusion
Path: C:\Documents and Settings\JON\Cookies\jon@tribalfusion[1].txt
Risk: Medium
Name: TrackingCookie.Burstbeacon
Path: C:\Documents and Settings\JON\Cookies\jon@www.burstbeacon[1].txt
Risk: Medium
Name: TrackingCookie.Burstnet
Path: C:\Documents and Settings\JON\Cookies\jon@www.burstnet[2].txt
Risk: Medium
And here is the most-recent HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:12:26 , on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SecCopy\SecCopy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Utilities\NoteWhen\notewhen.exe
C:\Program Files\SimpleDesktop\1.4.2\bin\javaw.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Downloads\Utilities\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/apx/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=30
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Notewhen.lnk = C:\Program Files\Utilities\NoteWhen\notewhen.exe
O4 - Startup: Profiles.dat
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SimpleDesktop Server.lnk = C:\Program Files\SimpleDesktop\sdesktopserv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF841E4-B49B-4799-91FF-61D282BE6CE7}: NameServer = 64.66.240.130,216.52.41.1
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks for your help. Would it be possible for you to send me a private email at jhkinne@chartermi.net to tell me when you have replied? For some reason the Forum notifications are not getting through to me.
Best regards,
Jon Kinne
pskelley
2007-01-03, 00:09
%SystemDrive% <<< I have no idea why the folder is on the Desktop, here is the google on that item:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=%25SystemDrive%25
Appears you not the first one to experience this, see this Google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=CryptnetURLCache
Perhaps you can get some information there. The number you posted returns nothing in Google. If you want to scan any of the files, here are free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
_________________________________________________
Uninstall list:
Java 2 Runtime Environment Standard Edition v1.3.0_02Please see this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
I suggest you open the Java Console in the Control Panel and update to the newest version, then uninstall all old versions.
POPFile 0.22.4 <<< I would open that program and find out what it is, it is one you commented on in your opening post.
avast! Antivirus
Norton SystemWorks 2002From here it looks like you may be running two antivirus programs at the same time, if this is the case, please view this information:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
There are programs I do not know, but nothing jumps out as looking like malware, you may one to look them over and get rid of stuff you no longer use?
________________________________________________
The link I gave you: http://forums.security-central.us/showthread.php?t=3165 was for a free trial download which would have located and deleted or quarantined what it found. It looks like you ran an online scan:
ewido anti-spyware online scanner
http://www.ewido.net
and it found only tracking cookies which I can not tell by the results you posted if it removed them or not.
Logfile of HijackThis v1.99.1 Scan saved at 12:12:26 , on 1/2/2007
I am really not sure if you want this item removed or not, I will remove it and you can pass over the instructions if you do not want it removed.
C:\PROGRAM FILES~1\POPFile\popfileib.exe
I suggest you follow these instructions:
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
You are running MSConfig in Selective Startup mode, I need to see the HJT log in Normal Mode, please enable all in MSConfig and you can return to Selective Startup to save your resrouces when we are finished.
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Start > Control Panel > Add Remove programs and uninstall POPFile
TeaTimer will block changes we must make, follow these instructions to turn it off until you are finished:
http://russelltexas.com/malware/teatimer.htm
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/w/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
(Next is optional, if you want it, leave it)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\POPFile\ <<< delete that file
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log so I can see a log with everything enabled in MSConfig.
Thanks
JonathanHK
2007-01-03, 03:28
I tried to follow the message about the cryptneturlcache problem, but that site is restricted to residents of Australia. Since the folders also appear on the root of the C drive, I deleted them from the desktop...we'll see if the folder reappears on the desktop.
The POPfile program IS one that I intended to have running...my only question was that I had never selected to have a shortcut to it appear on the desktop, and this was one of the shortcuts that kept reappearing. But I have left the program in the startup menu.
Norton Systemworks is not an anti-virus, just some disk-management utilities, so it can stay.
Here is the log from AVG AntiSpyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 17:12:54 1/2/2007
+ Scan result:
C:\Documents and Settings\JON\Cookies\jon@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JON\Cookies\jon@hertz.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\JON\Cookies\jon@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\JON\Cookies\jon@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
::Report end
And here is the HJT log in Normal mode for startup:
Logfile of HijackThis v1.99.1
Scan saved at 18:04:52 , on 1/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SecCopy\SecCopy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Utilities\NoteWhen\notewhen.exe
C:\Program Files\SimpleDesktop\1.4.2\bin\javaw.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\PROGRA~1\POPFile\popfileib.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Downloads\Utilities\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.crh.noaa.gov/apx/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Second Copy 2000] "C:\Program Files\SecCopy\SecCopy.exe" /InitialWait=30
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Notewhen.lnk = C:\Program Files\Utilities\NoteWhen\notewhen.exe
O4 - Startup: Profiles.dat
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SimpleDesktop Server.lnk = C:\Program Files\SimpleDesktop\sdesktopserv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~2\Office\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF841E4-B49B-4799-91FF-61D282BE6CE7}: NameServer = 64.66.240.130,216.52.41.1
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
I ran ATF Cleaner
Thanks,
Jon
pskelley
2007-01-03, 15:09
Hi Jon, here are some tips for the Desktop, perhaps something there will help:
http://www.onecomputerguy.com/desktop.htm
As far as I can see your HJT log appears clean of malware. I wanted to say that some programs place Desktop shortcuts by default if the eula is not read and the change made before the download. Possibly this is what happened?
Let's clean the System Restore files to be safe:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
JonathanHK
2007-01-03, 18:41
Thanks, Phil, for all of your help. Hopefully this will resolve the problem, and if not, you have given me some good resources to try.
I appreciate all you have done.
Best regards,
Jon Kinne
Glad we could help, :) as the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.