View Full Version : Winantivrus Popup Hell
Hi, Can you help?
I am getting miriads of pop ups since I upgraded to IE-7 (not sure if that's co-incidence). I am getting Winativirus popups, amaena etc etc. I have run Spybot - it picks ths and many others up, but they keep re-appearing after being cleaned.
This hijackthis log (renamed the application from Hijackthis) was produced within a few minutes of "cleaning", although the pop-ups had started re-appearing!
Would be most grateful for your support.
Logfile of HijackThis v1.99.1
Scan saved at 16:10:56, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\VsMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
steamwiz
2007-04-09, 20:09
Hi
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".
7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
If vundofix cannot delete a file, it will try to delete it during a reboot, after the reboot vundofix will open again, you must run vundofix again, from "Click the Scan for Vundo button" ... and you must keep running vundofix until it does delete the file... I've known a stubborn vundo file take 5 or 6 reboots before it is deleted...
steam
HI Steam.
Thanks for your reply.
Ran Vundo, which took a while. It concluded that there were no infected files first time. Can't find a log - presumably it doesn't create one if there's nothing to report.
Here's the latest Hijack file.....
Thanks for your help.
I
Logfile of HijackThis v1.99.1
Scan saved at 22:58:42, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
steamwiz
2007-04-10, 23:10
Hi
Please go here and upload this file ...
c:\windows\system32\gjnksmhoyr.exe
http://www.virustotal.com/flash/index_en.html
Click the browse button & browse to the file on your computer
Post back the results ... right click on the page > select all
right click again copy
past the results in your next post here...
I know the file is bad, but I want to see if any of the scans tag it as vundo...
Then do this :-
Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
Reboot then find and delete :-
c:\windows\system32\gjnksmhoyr.exe ... file
--
Vundofix should have produced a log, even if clean...
have a look for it here :-
C:\vundofix.txt
--
Post a new hijackthis log & the C:\vundofix.txt if you find it...
steam
Hi Steam
This has me scratching my head. The file you refer to is not present! First I tried to browse it into the virustotal website, but couldn't find it. Checked with explorer and couldn't find it, checked that explorer was set to show hidden files. Yet I can see it in yesterday's HJS logfile! Ermm!!
The popups are still coming - have done whilst I'm working and before running the HJS log. I did no work on the PC after I posted the item last night and this is the first thing I did tonight.
So here the latest HJS log (ran from a false name) plus the Vundo log which was in the root as you had suggested. I'll reboot and see if anything new appears / disappears and let you know.
HJS log:
Logfile of HijackThis v1.99.1
Scan saved at 22:43:15, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Last nights Vundo log:
VundoFix V6.3.15
Checking Java version...
Scan started at 21:42:59 13/03/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.3.19
Checking Java version...
Scan started at 21:23:19 09/04/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Hi Steam
This has me scratching my head. The file you refer to is not present! First I tried to browse it into the virustotal website, but couldn't find it. Checked with explorer and couldn't find it, checked that explorer was set to show hidden files. Yet I can see it in yesterday's HJS logfile! Ermm!!
The popups are still coming - have done whilst I'm working and before running the latest HJS log. I did no work on the PC after I posted the item last night and this is the first thing I did tonight.
So here the latest HJS log (ran from a false name) plus the Vundo log which was in the root as you had suggested. I'll reboot and see if anything new appears / disappears and let you know.
HJS log:
Logfile of HijackThis v1.99.1
Scan saved at 22:43:15, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Last nights Vundo log:
VundoFix V6.3.15
Checking Java version...
Scan started at 21:42:59 13/03/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.3.19
Checking Java version...
Scan started at 21:23:19 09/04/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
steamwiz
2007-04-11, 00:30
Hi
It's changed it's name ...
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
to
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
Try to upload esmcvn.exe to virustotal ...
if you can't find it, run hijackthis and look at the same place in the log, that the ones above were, for another similar random named file...
steam
Hi Steam.
Rebooted - no effect. Then ran Spybot (no results), rebooted again and hey presto there it is again, along with colleagues - gjnksmhoyr.dat gjnksmhoyr_nav.dat and gjnksmhoyr_navps.dat.
The virus total site result is as follows:
VirusTotalVirusTotal is a free file analisys service that works using several antivirus engines.
Select file : DistributeSSL
Enter your email, choose the file to be scanned with multiple antivirus engines and click Send.Menu:
News Hot news in the virus/antivirus sector.
Estadisticas Statistics of VirusTotal procesing.
Virustotal More info about Virustotal.
STATUS: FINISHEDComplete scanning result of "gjnksmhoyr.exe", received in VirusTotal at 04.11.2007, 00:36:39 (CET).
Antivirus Version Update Result
AhnLab-V3 2007.4.10.0 04.10.2007 no virus found
AntiVir 7.3.1.50 04.10.2007 HEUR/Malware
Authentium 4.93.8 04.09.2007 no virus found
Avast 4.7.936.0 04.10.2007 no virus found
AVG 7.5.0.447 04.10.2007 no virus found
BitDefender 7.2 04.11.2007 no virus found
CAT-QuickHeal 9.00 04.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 04.10.2007 no virus found
DrWeb 4.33 04.11.2007 no virus found
eSafe 7.0.15.0 04.10.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3557 04.10.2007 no virus found
Ewido 4.0 04.10.2007 no virus found
FileAdvisor 1 04.11.2007 no virus found
Fortinet 2.85.0.0 04.10.2007 no virus found
F-Prot 4.3.1.45 04.08.2007 no virus found
F-Secure 6.70.13030.0 04.10.2007 no virus found
Ikarus T3.1.1.5 04.10.2007 not-a-virus:AdWare.Win32.NaviPromo
Kaspersky 4.0.2.24 04.10.2007 not-a-virus:AdWare.Win32.NaviPromo.gen
McAfee 5005 04.10.2007 no virus found
Microsoft 1.2405 04.10.2007 no virus found
NOD32v2 2178 04.10.2007 no virus found
Norman 5.80.02 04.10.2007 no virus found
Panda 9.0.0.4 04.09.2007 Adware/NaviPromo
Prevx1 V2 04.11.2007 Covert.Sys.Exec
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.11.2007 Trojan.Skintrim
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.10.2007 no virus found
VirusBuster 4.3.7:9 04.10.2007 no virus found
Webwasher-Gateway 6.0.1 04.10.2007 Heuristic.Malware
Aditional Information
File size: 315904 bytes
MD5: 29d159d802fbc65e2d047961c798e373
SHA1: b70af3852832b6104291eed757d9fa34932ec727
packers: PECOMPACT
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=555482972612
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
> Go to: Home Contactar En Español
--------------------------------------------------------------------------------
www.virustotal.com :: ©Hispasec Sistemas 2004-07:: e-mail info@virustotal.com
Now following the rest of your instructions will be back on shortly.
I
Hi Steam
Thanks for your help, here.
Followed the process - deleted the files, rebooted, HJS log below - seems OK but......
I've had 2 popups already :-(
I
Logfile of HijackThis v1.99.1
Scan saved at 00:27:43, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
steamwiz
2007-04-11, 21:36
HI
Your last hijackthis log's clean ... you can fix this, but it's just to "tidy up" it's not causing any problems...
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
We may be dealing with a rootkit here...
Please download & run blacklight Rootkit diagnostic tool from :-
https://europe.f-secure.com/blacklight/try.shtml
click I ACCEPT
click download "Download Blacklight Beta graphical user interface version" > save it to your desktop
then ...
1. Double-click blbeta.exe
2. Accept the agreement > click next
3. click scan
4. A list of all items found will be displayed, or it will say "No hidden items found"
if anything is found do NOT elect to rename or clean anything, as legitimate entries could be found - click close
5. if you see "No hidden items found" click next then exit
On your desktop you will now see a log file, it will look something like this fsbl-20060105183235.log
6. open the log file and paste the contents into a post here... (if the log is too large to paste, then please attach it)
steam
Hi Steam
Guess what? It's picked up our old friends in System 32......
04/11/07 21:35:03 [Info]: BlackLight Engine 1.0.61 initialized
04/11/07 21:35:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/11/07 21:35:03 [Note]: 7019 4
04/11/07 21:35:03 [Note]: 7005 0
04/11/07 21:35:13 [Note]: 7006 0
04/11/07 21:35:13 [Note]: 7011 3960
04/11/07 21:35:14 [Note]: 7026 0
04/11/07 21:35:14 [Note]: 7026 0
04/11/07 21:35:14 [Note]: 7024 3
04/11/07 21:35:14 [Info]: Hidden process: C:\windows\system32\esmcvn.exe
04/11/07 21:35:27 [Note]: FSRAW library version 1.7.1021
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: C:\windows\system32\esmcvn.exe
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn_nav.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn_navps.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:04:20 [Note]: 2000 1012
steamwiz
2007-04-12, 21:24
HI
Please run Blacklight again, when it gets to the Step 2 - Clean hidden items screen ...
We need to rename all these files :-
C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn.dat
C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn_nav.dat
c:\WINDOWS\system32\esmcvn_navps.dat
1. Left click one of the hidden files to highlight it ..
2. press the Rename button. When you do this, the action will change from None to Rename ..
Once you set a file to Rename, you can untag it by pressing the None button so that no action is performed on this particular item. ( if you accidentally tag the wrong one)
When the computer reboots it will rename the files with a .ren extension. Because these files are no longer be loaded at startup, they will now become visible so that you can delete them. For example :-
C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn.dat
They would now be named:
C:\windows\system32\esmcvn.exe.ren
c:\WINDOWS\system32\esmcvn.dat.ren
After you have selected all of the files you would like to rename, you should press the Next button.
A warning screen will now show stating that renaming legitimate files can cause Windows not to operate properly. If you would still like to continue renaming the files, put a checkmark in the checkbox labelled I have understood the warning and wish to continue and then press the OK button.
You should then press the Restart Now, and then the OK button again, to restart your computer ....
Once the computer has restarted, go to the system32 folder & delete the renamed files...
Then run Blacklight again and post the new log... also a new hijackthis log...
steam
HI Steam
Not had any popups for the last half hour, so feels good so far. I'm interested why the files were invisible - is this a windows "feature"?
Followed your advice - see logs below.
Thanks for your support on this.
I
Updated Blacklight log:
04/12/07 23:17:39 [Info]: BlackLight Engine 1.0.61 initialized
04/12/07 23:17:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/12/07 23:17:39 [Note]: 7019 4
04/12/07 23:17:39 [Note]: 7005 0
04/12/07 23:17:43 [Note]: 7006 0
04/12/07 23:17:43 [Note]: 7011 840
04/12/07 23:17:43 [Note]: 7026 0
04/12/07 23:17:43 [Note]: 7026 0
04/12/07 23:17:47 [Note]: FSRAW library version 1.7.1021
04/12/07 23:47:39 [Note]: 2000 1012
04/12/07 23:51:35 [Note]: 7007 0
updated HJS log:
Logfile of HijackThis v1.99.1
Scan saved at 23:56:07, on 12/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Hi Steam
Spotted on the last HJT log that our friend c:\windows\system32\esmcvn.exe esmcvn had returned. So followed your previous advice, deleted with HJT, but when I rebooted the files did not appear in system 32 for deletion, so I'm wondering if the entry in the last HJT was just a hangover or whether somethings still lurking.
The latest hi-jack log is as follows, looks like that record was successfully deleted
Logfile of HijackThis v1.99.1
Scan saved at 00:12:35, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Hi Steam.
just following my last 2 posts thought I'd better run Blacklight again. Here' the log....
04/13/07 00:16:34 [Info]: BlackLight Engine 1.0.61 initialized
04/13/07 00:16:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/13/07 00:16:34 [Note]: 7019 4
04/13/07 00:16:34 [Note]: 7005 0
04/13/07 00:16:37 [Note]: 7006 0
04/13/07 00:16:37 [Note]: 7011 532
04/13/07 00:16:37 [Note]: 7026 0
04/13/07 00:16:37 [Note]: 7026 0
04/13/07 00:16:41 [Note]: FSRAW library version 1.7.1021
04/13/07 00:46:37 [Note]: 2000 1012
04/13/07 09:35:25 [Note]: 7007 0
Hope to hear from you soon.
I
steamwiz
2007-04-13, 11:20
HI Ian
I'm interested why the files were invisible - is this a windows "feature"?
Nope... it's a malware feature ... a lot of malware is now hiding itself from windows using rootkits, it's getting harder all the time, to find some of it & remove it... however it looks like we got yous OK...
The run key you saw in the hijackthis log was being hidden by the rootkit (hidden process) once we removed it with Blacklight the key became visible again, as did the renamed files ... that should be the last you see of it...
Empty your recycle bin if you haven't allready ...
just this one other unrelated leftover in your log, you can fix this :-
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
while the rootkit was on your computer it may have downloaded other malware, which was hidden from removal programs, I would like you to run an on-line scan for virus (pandascan) & a scan for spyware/adware (SUPERantispyware)
---
Download Superantispyware.
http://www.superantispyware.com/
Once downloaded and installed update the definitions
and then run a full system scan quarantine what it finds!
* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
http://www.superantispyware.com/definitions.html
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
---
Perform an online scan with Internet Explorer with
http://www.pandasoftware.com/products/activescan.htm
Panda ActiveScan Click on http://usera.imagecave.com/dorts/TSF/pandascanyourpc.gif located at the bottom of the page. A pop up window will appear. Please ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Free Online Scan *The download of the 8 MB Panda's ActiveX control will take place*Begin the scan by selecting http://usera.imagecave.com/dorts/TSF/pandamycomputer.gif If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on http://usera.imagecave.com/dorts/TSF/pandaseereport.gif then click http://usera.imagecave.com/dorts/TSF/pandasavereport.gif
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Please post the Panda log scan.
steam
Hi Steam.
Thanks for your advice...
I got through the first bit fine - see log below, but I've ran the pandasoftware thing twice - it runs through its process - picks up Spyware, Dialers, and Rootkits (20, 1 and 3 found the last time I saw it) then all the browser windows automatically close and I have no record of what it's picked up! Ran it twice and it did the same thing both times - the second whilst I was watching it.
Here's the Superantispy log
SUPERAntiSpyware Scan Log
Generated 04/13/2007 at 10:49 PM
Application Version : 3.6.1000
Core Rules Database Version : 3219
Trace Rules Database Version: 1229
Scan type : Complete Scan
Total Scan Time : 01:24:17
Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 6207
Registry threats detected : 0
File items scanned : 115978
File threats detected : 248
Adware.Tracking Cookie
C:\Documents and Settings\Ian\Cookies\ian@adtech[2].txt
C:\Documents and Settings\Ian\Cookies\ian@serving-sys[2].txt
C:\Documents and Settings\Ian\Cookies\ian@inteletrack[2].txt
C:\Documents and Settings\Ian\Cookies\ian@www.clash-media[2].txt
C:\Documents and Settings\Ian\Cookies\ian@login.tracking101[2].txt
C:\Documents and Settings\Ian\Cookies\ian@bs.serving-sys[2].txt
C:\Documents and Settings\Ian\Cookies\ian@questionmarket[1].txt
C:\Documents and Settings\Beth\Cookies\beth@112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@247realmedia[1].txt
C:\Documents and Settings\Beth\Cookies\beth@2o7[2].txt
C:\Documents and Settings\Beth\Cookies\beth@4.adbrite[1].txt
C:\Documents and Settings\Beth\Cookies\beth@ad.yieldmanager[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ad.zanox[1].txt
C:\Documents and Settings\Beth\Cookies\beth@ad1.emediate[1].txt
C:\Documents and Settings\Beth\Cookies\beth@adbrite[2].txt
C:\Documents and Settings\Beth\Cookies\beth@adopt.euroclick[1].txt
C:\Documents and Settings\Beth\Cookies\beth@adopt.hbmediapro[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.accelerator-media[1].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.accelerator-media[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.ims[1].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.monster[1].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.pointroll[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ads.vitalix[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ads2.drivelinemedia[1].txt
C:\Documents and Settings\Beth\Cookies\beth@adsense[2].txt
C:\Documents and Settings\Beth\Cookies\beth@adserve.v-store.co[2].txt
C:\Documents and Settings\Beth\Cookies\beth@adtech[2].txt
C:\Documents and Settings\Beth\Cookies\beth@advertising[1].txt
C:\Documents and Settings\Beth\Cookies\beth@anad.tacoda[1].txt
C:\Documents and Settings\Beth\Cookies\beth@as1.falkag[1].txt
C:\Documents and Settings\Beth\Cookies\beth@atdmt[2].txt
C:\Documents and Settings\Beth\Cookies\beth@azjmp[2].txt
C:\Documents and Settings\Beth\Cookies\beth@banner.cdpoker[2].txt
C:\Documents and Settings\Beth\Cookies\beth@bs.serving-sys[2].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[1].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[2].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[3].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[4].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[5].txt
C:\Documents and Settings\Beth\Cookies\beth@burstnet[6].txt
C:\Documents and Settings\Beth\Cookies\beth@casalemedia[2].txt
C:\Documents and Settings\Beth\Cookies\beth@citi.bridgetrack[2].txt
C:\Documents and Settings\Beth\Cookies\beth@clicksor[2].txt
C:\Documents and Settings\Beth\Cookies\beth@cs.hotbar[1].txt
C:\Documents and Settings\Beth\Cookies\beth@digitalclarity.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@doubleclick[1].txt
C:\Documents and Settings\Beth\Cookies\beth@fastclick[2].txt
C:\Documents and Settings\Beth\Cookies\beth@h.starware[1].txt
C:\Documents and Settings\Beth\Cookies\beth@http.edge.vru4[2].txt
C:\Documents and Settings\Beth\Cookies\beth@i.screensavers[2].txt
C:\Documents and Settings\Beth\Cookies\beth@ilead.itrack[2].txt
C:\Documents and Settings\Beth\Cookies\beth@image.masterstats[1].txt
C:\Documents and Settings\Beth\Cookies\beth@imrworldwide[2].txt
C:\Documents and Settings\Beth\Cookies\beth@indexstats[1].txt
C:\Documents and Settings\Beth\Cookies\beth@inteletrack[2].txt
C:\Documents and Settings\Beth\Cookies\beth@interclick[1].txt
C:\Documents and Settings\Beth\Cookies\beth@itxt.vibrantmedia[1].txt
C:\Documents and Settings\Beth\Cookies\beth@kanoodle[2].txt
C:\Documents and Settings\Beth\Cookies\beth@login.tracking101[2].txt
C:\Documents and Settings\Beth\Cookies\beth@m1.webstats4u[1].txt
C:\Documents and Settings\Beth\Cookies\beth@maxis.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@mediaplex[1].txt
C:\Documents and Settings\Beth\Cookies\beth@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@msnportal.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@nbcuniversal.122.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@overture[2].txt
C:\Documents and Settings\Beth\Cookies\beth@partygaming.122.2o7[2].txt
C:\Documents and Settings\Beth\Cookies\beth@partypoker[2].txt
C:\Documents and Settings\Beth\Cookies\beth@perf.overture[1].txt
C:\Documents and Settings\Beth\Cookies\beth@postclicktracking[1].txt
C:\Documents and Settings\Beth\Cookies\beth@qksrv[2].txt
C:\Documents and Settings\Beth\Cookies\beth@questionmarket[1].txt
C:\Documents and Settings\Beth\Cookies\beth@realmedia[1].txt
C:\Documents and Settings\Beth\Cookies\beth@revenue[2].txt
C:\Documents and Settings\Beth\Cookies\beth@revsci[1].txt
C:\Documents and Settings\Beth\Cookies\beth@rocku.adbureau[2].txt
C:\Documents and Settings\Beth\Cookies\beth@roiservice[2].txt
C:\Documents and Settings\Beth\Cookies\beth@screensavers[1].txt
C:\Documents and Settings\Beth\Cookies\beth@sel.as-us.falkag[1].txt
C:\Documents and Settings\Beth\Cookies\beth@serenataflowers.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@server.cpmstar[1].txt
C:\Documents and Settings\Beth\Cookies\beth@server.iad.liveperson[1].txt
C:\Documents and Settings\Beth\Cookies\beth@server.iad.liveperson[2].txt
C:\Documents and Settings\Beth\Cookies\beth@serving-sys[2].txt
C:\Documents and Settings\Beth\Cookies\beth@serving-sys[3].txt
C:\Documents and Settings\Beth\Cookies\beth@smiley.smileycentral[1].txt
C:\Documents and Settings\Beth\Cookies\beth@smileycentral[1].txt
C:\Documents and Settings\Beth\Cookies\beth@sonyeurope.112.2o7[1].txt
C:\Documents and Settings\Beth\Cookies\beth@stat.dealtime[1].txt
C:\Documents and Settings\Beth\Cookies\beth@statcounter[2].txt
C:\Documents and Settings\Beth\Cookies\beth@stats.privacyprotector[1].txt
C:\Documents and Settings\Beth\Cookies\beth@tacoda[1].txt
C:\Documents and Settings\Beth\Cookies\beth@toplist[1].txt
C:\Documents and Settings\Beth\Cookies\beth@tracker.netklix[2].txt
C:\Documents and Settings\Beth\Cookies\beth@tracker.roitesting[2].txt
C:\Documents and Settings\Beth\Cookies\beth@tradedoubler[1].txt
C:\Documents and Settings\Beth\Cookies\beth@trafficmp[2].txt
C:\Documents and Settings\Beth\Cookies\beth@tribalfusion[1].txt
C:\Documents and Settings\Beth\Cookies\beth@try.starware[1].txt
C:\Documents and Settings\Beth\Cookies\beth@videoegg.adbureau[2].txt
C:\Documents and Settings\Beth\Cookies\beth@weborama[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.3dstats[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.addfreestats[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.burstnet[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.clash-media[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.dgm2[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.free-counter.co[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.googleadservices[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.googleadservices[2].txt
C:\Documents and Settings\Beth\Cookies\beth@www.movieland[2].txt
C:\Documents and Settings\Beth\Cookies\beth@www.ppctracking[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www.screensavers[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www2.mystats[1].txt
C:\Documents and Settings\Beth\Cookies\beth@www2.mystats[3].txt
C:\Documents and Settings\Beth\Cookies\beth@x.gcapmedia[2].txt
C:\Documents and Settings\Beth\Cookies\beth@xml.bravenetmedianetwork[2].txt
C:\Documents and Settings\Beth\Cookies\beth@yieldmanager[2].txt
C:\Documents and Settings\Beth\Cookies\beth@yourmedia[1].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@2o7[2].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@accelerator-media[2].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@advertising[2].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@atdmt[2].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@data4.perf.overture[1].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@doubleclick[1].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@etype.adbureau[2].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@perf.overture[1].txt
C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@spylog[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@008.free-counter.co[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@122.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@247realmedia[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@4.adbrite[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ad.zanox[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adbrite[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adopt.euroclick[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adopt.hbmediapro[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adrevenue[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.adbrite[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.addynamix[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.adsag[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.aol.co[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.mediamayhemcorp[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.monster[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ads.pointroll[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adserver.akqa[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adserver.rozenbergads[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adsrevenue[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adtech[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@adv.surinter[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@as-eu.falkag[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@as1.falkag[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@atwola[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@azjmp[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@belnk[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@bs.serving-sys[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@burstnet[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@burstnet[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@burstnet[3].txt
C:\Documents and Settings\Ellie\Cookies\ellie@burstnet[4].txt
C:\Documents and Settings\Ellie\Cookies\ellie@burstnet[6].txt
C:\Documents and Settings\Ellie\Cookies\ellie@cassava[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@clicksor[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@data3.perf.overture[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@data4.perf.overture[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@digitalclarity.112.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@dist.belnk[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@e-2dj6wgkiwmazkap.stats.esomniture[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@edge.ru4[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@etype.adbureau[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@findwhat[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@fortunecity[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@gostats[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@h.starware[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@ilead.itrack[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@indexstats[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@inteletrack[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@interclick[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@login.tracking101[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@m1.webstats4u[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@metacafe.122.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@microsofteup.112.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@microsoftwlsearchcrm.112.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@msnportal.112.2o7[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@myticketmarket.112.2o7[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@mywebsearch[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@optimost[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@overture[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@partygaming.122.2o7[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@partypoker[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@perf.overture[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@qksrv[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@questionmarket[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@realmedia[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@reduxads.valuead[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@revsci[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@rocku.adbureau[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@roiservice[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@sales.liveperson[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@sel.as-eu.falkag[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@sel.as-us.falkag[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@server.cpmstar[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@serving-sys[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@serving-sys[3].txt
C:\Documents and Settings\Ellie\Cookies\ellie@smileycentral[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@stat.dealtime[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@stats.privacyprotector[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tacoda[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tracker.roitesting[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tracking.dc-storm[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tracking.summitmedia.co[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@trafficmp[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tribalfusion[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@tripod[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@try.starware[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@videoegg.adbureau[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@weborama[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.burstbeacon[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.clash-media[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.dgm2[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.falkag[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.googleadservices[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.googleadservices[2].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.macromedia[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.ppctracking[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@www.w3counter[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@xiti[1].txt
C:\Documents and Settings\Ellie\Cookies\ellie@yieldmanager[2].txt
H:\Documents and Settings\Ian\Cookies\ian@247realmedia[1].txt
H:\Documents and Settings\Ian\Cookies\ian@ads.addynamix[1].txt
H:\Documents and Settings\Ian\Cookies\ian@ads.pointroll[2].txt
H:\Documents and Settings\Ian\Cookies\ian@advertising[2].txt
H:\Documents and Settings\Ian\Cookies\ian@atdmt[2].txt
H:\Documents and Settings\Ian\Cookies\ian@counter13.sextracker[1].txt
H:\Documents and Settings\Ian\Cookies\ian@cs.sexcounter[2].txt
H:\Documents and Settings\Ian\Cookies\ian@doubleclick[1].txt
H:\Documents and Settings\Ian\Cookies\ian@gallery.adultlocals[1].txt
H:\Documents and Settings\Ian\Cookies\ian@microsofteup.112.2o7[1].txt
H:\Documents and Settings\Ian\Cookies\ian@msnportal.112.2o7[1].txt
H:\Documents and Settings\Ian\Cookies\ian@questionmarket[1].txt
H:\Documents and Settings\Ian\Cookies\ian@servedby.advertising[1].txt
H:\Documents and Settings\Ian\Cookies\ian@sextracker[2].txt
H:\Documents and Settings\Ian\Cookies\ian@statse.webtrendslive[1].txt
Adware.HotBar (Low Risk)
C:\PROGRAM FILES\HBINST\HBINST.EXE
Malware.DriveCleaner
C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1006\DC226\INSTALLER.EXE
Adware.MovieLand/MediaPipe
C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1008\DC81.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B42518BA-188E-432B-914A-D2C198B52520}\RP452\A0100355.EXE
Adware.Jraun/WinEssential
D:\SYSTEM VOLUME INFORMATION\_RESTORE{530CE4CC-7AA4-472B-AB0A-C4A85E7EDA34}\RP25\A0003090.EXE
Cheers
Ian
steamwiz
2007-04-14, 14:39
HI
Did you turn off McAfee while you did the Pandascan ? it may be causing the conflict...
SUPERAntiSpyware may look as though it found a lot, but it was mostly cookies & nothing to be too concerned about ...
Please run this on-line scan :-
http://www.bitdefender.com/scan8/ie.html
Scan the whole computer & let it Disinfect/delete all it finds ...
copy & paste here its report here please.
steam
Hi Steam
Thanks for your response.
Yes I had turned off McAfee and Superantivirus. However I found that if I stopped the process right near the end it would allow me to save it, so that's what I've done.
Will run bitdefender next
So here's the panda log as far as it got ( i think it has picked up everything).
Incident Status Location
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinner.exe
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinnerDll.dll
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Dialer:Dialer.Gen Not disinfected C:\1-2-3-AWM123.exe
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Beth\Cookies\beth@bravenet[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Beth\Cookies\beth@centrport[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Beth\Cookies\beth@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Beth\Cookies\beth@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Beth\Cookies\beth@searchportal.information[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Beth\Cookies\beth@xmts[1].txt
Spyware:Spyware/Overpro Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\APP3.tmp
Spyware:Spyware/Overpro Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\APPD.tmp
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@xmts[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@888[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@adtech[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@bravenet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@go[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@landing.domainsponsor[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@xmts[2].txt
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ellie\Local Settings\Temporary Internet Files\Content.IE5\EUS712DT\jokes[1].exe[jokester.dll]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ian\Cookies\ian@questionmarket[2].txt
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\uninst.exe
Spyware:Cookie/MediaTickets Not disinfected C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1006\Dc210\ian@kinghost[1].txt
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\stggjcepcq.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\yohzsvt.exe
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\WINDOWS\Temp\install_msgskinner.exe
Hi Steam
I have tried bitdefender several times and it falls over with an explorer application error about half way through -same as the panda software. Not sure whether this is an IE7 problem - ive patched up to date.
I'm also getting disk errors in my event logs, so I'm wondering if ive got problems with the HDD.
So - I'm a bit stuck!
On the psotivie side, the chldren used the PC pretty intensively yesterday and no popups!
Ian
steamwiz
2007-04-19, 23:44
HI
Sorry for the late reply...
HI
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
---
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
---
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
---
please post the following logs -:
- AVG's report
Hi Steam
Thaks for your help.
Here's the report as recommended...
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 09:33:26 21/04/2007
+ Scan result:
C:\System Volume Information\_restore{B42518BA-188E-432B-914A-D2C198B52520}\RP484\A0105974.exe -> Adware.Drop : Cleaned with backup (quarantined).
C:\Documents and Settings\Ian\My Documents\Setup Directory\McAfee\HbUninst.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B42518BA-188E-432B-914A-D2C198B52520}\RP484\A0105973.exe -> Adware.HotBar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B42518BA-188E-432B-914A-D2C198B52520}\RP481\A0105837.exe -> Adware.NaviPromo : Cleaned with backup (quarantined).
H:\System Volume Information\_restore{BB444D9F-3597-480B-9C58-B932945C97CF}\RP30\A0006618.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\Documents and Settings\Ellie\Cookies\ellie@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@connextra[6].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@hit.gemius[2].txt -> TrackingCookie.Gemius : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@uk.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@navrcholu[2].txt -> TrackingCookie.Navrcholu : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@navrcholu[1].txt -> TrackingCookie.Navrcholu : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@try.starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Beth\Cookies\beth@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Ellie\Cookies\ellie@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.
C:\System Volume Information\_restore{B42518BA-188E-432B-914A-D2C198B52520}\RP484\A0105975.exe -> Trojan.Agent.qg : Cleaned with backup (quarantined).
::Report end
steamwiz
2007-04-21, 15:00
HI
Make sure you can view hidden files...
In case the files are hidden --- Click here >>> How to Show Hidden/System Files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
delete the following files (if found) :-
C:\1-2-3-AWM123.exe ... file
C:\WINDOWS\system32\stggjcepcq.exe ... file
C:\WINDOWS\system32\yohzsvt.exe ... file
Then run a couple more programs ...
--------
Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
---
THEN...
Please download Combofix: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.
Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
steam
Hi Steam.
Thanks for your help:
FYI, you might notice that I've upgraded from McAfee to Symantec for anti-virus, spyware etc. McAfee seemed not to be doing the job.
Here's the combofix log, followed by the HJT log
"Ian" - 07-04-22 18:54:41 Service Pack 2
ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Ian\Desktop\
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\nvs2.inf
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))
2007-04-22 18:40 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 11:57 <DIR> dr-h----- C:\DOCUME~1\Beth\APPLIC~1\yahoo!
2007-04-20 23:21 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-20 17:41 <DIR> dr-h----- C:\DOCUME~1\Ellie\APPLIC~1\yahoo!
2007-04-17 18:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-04-17 18:11 <DIR> d-------- C:\DOCUME~1\Ian\APPLIC~1\Yahoo!
2007-04-17 17:56 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-04-17 17:56 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-04-17 17:53 <DIR> d-------- C:\Program Files\Symantec
2007-04-17 17:53 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-04-17 17:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-04-17 17:51 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2007-04-17 17:51 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2007-04-17 17:51 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2007-04-17 17:51 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2007-04-17 17:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!
2007-04-17 17:36 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-14 23:03 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-04-13 23:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-13 21:29 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
2007-04-13 21:29 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-04-13 21:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-13 21:18 <DIR> d-------- C:\DOCUME~1\Ian\APPLIC~1\SUPERAntiSpyware.com
2007-04-13 21:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-28 18:51 97,936 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-03-28 18:51 538,256 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-03-28 18:51 31,888 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-03-28 18:51 28,304 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-03-28 18:51 24,208 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-03-28 18:51 189,584 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-03-28 18:51 161,424 --a------ C:\WINDOWS\system32\SymRedir.dll
2007-03-28 18:51 12,944 --a------ C:\WINDOWS\system32\drivers\symdns.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-14 23:44 -------- d-------- C:\Program Files\messengerskinner
2007-04-14 13:54 -------- d-------- C:\Program Files\quicktime
2007-04-14 13:51 -------- d-------- C:\Program Files\msn messenger
2007-04-14 13:46 -------- d-------- C:\Program Files\microsoft lifecam
2007-04-14 13:20 -------- d-------- C:\Program Files\itunes
2007-04-14 10:59 -------- d-------- C:\Program Files\microsoft activesync
2007-04-13 21:29 -------- d-------- C:\Program Files\flat panel adjust
2007-04-13 21:17 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-03-18 10:03 45056 --a------ C:\WINDOWS\ncuninst.exe
2007-03-17 14:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 17:21 -------- d-------- C:\Program Files\ipod
2007-03-08 16:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 40960 --------- C:\WINDOWS\system32\mf3216.dll
2007-03-08 16:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 14:47 1843584 --------- C:\WINDOWS\system32\win32k.sys
2007-03-01 19:28 215245 --a------ C:\WINDOWS\system32\azsmfyrkdw_navtmp.dat
2007-02-05 21:17 185344 --------- C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
{243B17DE-77C7-46BF-B94B-0B5F309A0E64} C:\Program Files\Microsoft Money\System\mnyside.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD} C:\Program Files\Yahoo!\NAV\NavShExt.dll
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
"VOBRegCheck"="C:\\WINDOWS\\System32\\VOBREGCheck.exe -CheckReg"
"SoundMan"="SOUNDMAN.EXE"
"Microsoft Works Update Detection"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"EPSON Stylus C86 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0R2.EXE /P23 \"EPSON Stylus C86 Series\" /O6 \"USB001\" /M \"Stylus C86\""
"DXM6Patch_981116"="C:\\WINDOWS\\p_981116.exe /Q:A"
"Dit"="Dit.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"GSICONEXE"="gsicon.exe"
"DSLAGENTEXE"="dslagent.exe USB"
"VX3000"="C:\\WINDOWS\\vVX3000.exe"
"LifeCam"="\"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DJSNetCN"="C:\\Program Files\\Common Files\\Symantec Shared\\DJSNETCN.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_GTNDIS5
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Ian.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{03EADB92-FA5C-4221-9598-3DE5DE1C584D}.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-22 19:07:28
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = C:\WINDOWS\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d????????F?
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-22 19:10:18
C:\ComboFix-quarantined-files.txt ... 07-04-22 19:10
<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>
Hi Steam - had to split the message up.....
Logfile of HijackThis v1.99.1
Scan saved at 21:35:32, on 22/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
steamwiz
2007-04-22, 23:39
HI
Find & delete this file :-
C:\WINDOWS\system32\azsmfyrkdw_navtmp.dat
---
This looks a little weird in the gmer log :-
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HTpatch = C:\WINDOWS\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d????????F?
---
But as C:\WINDOWS\htpatch.exe is legitimate & the startup is clearly not hidden...
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HTpatch"="C:\\WINDOWS\\htpatch.exe"
hijackthis log :-
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
It looks like some form of corruption in the filepath, but not malware...
---
What problems, if any, are you still having ?
steam
Hi Steam.
Thanks for your help.
Deleted the file.
Not had any popups for over a week now, so feels pretty stable.
Ian
steamwiz
2007-04-24, 22:51
Hi
Excellent ... then I declare this thread as resolved :)
Happy surfing
steam
Thanks for all your help, Steam. Very much appreciated.
Ian