riddled with malware?



ecosarah
2008-10-19, 16:32
Hello,
My laptop has been eating GB of space with no explanation. SB shows all sorts of programs when it's scanning that seem dodgy, e.g. AdMoke, *.*.casino.PT, Goldeneye, Virtumonde.dll, Hacker.ag, Eros Paradise, Win32.Tool Hack.Aid (might have got that one a bit wrong) etc. etc. I have never been on any porno or gambling sites. Also my laptop is now very slow.

I have ZoneAlarm installed but switched off because it blocks me going on the internet. I believe my problems probably started when I first switched that off, as I didn't get the Windows firewall on straight away...!.... several times... easy to be wise afterwards.

As I have been posting this, I have also been trying to uninstall Adobe. Don't know whether I have succeeded, and whether you need a log again if I have?

I have updated to SP3 but not restarted my laptop, as I read not to update to SP3 if I have malware after installing. I am not very au fait with this level of computers and it has just taken me an hour to get this far (i.e. get the logfile and paste it here!). Just downloading HT was challenging to me, as there were a couple of steps not mentioned in the instructions on your site. I'm just telling you this to give you an idea of my level of competence.

sarah

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:05, on 19/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.20 212.139.132.21
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

--
End of file - 9336 bytes

km2357
2008-10-19, 22:59
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly, the fix may take several attempts and my replies may take some time, but I will stick with it if you do the same.

I will be back as soon as possible with your first instructions!

km2357
2008-10-19, 23:15
Step # 1: Disable Teatimer

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

This is a two-step process.
First step: Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol).
If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version: Open Spybot S&D.
Click Mode, choose Advanced Mode.
Go to the bottom of the vertical panel on the left, click Tools.
Then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK.
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
OK any prompts.
Use File, Exit to terminate Spybot.
Reboot your machine for the changes to take effect.


Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


Step # 3: Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the Uninstall List, C:\ComboFix.txt and a fresh HijackThis log in your next reply.

Use multiple posts if you can't fit everything into one post.

ecosarah
2008-10-21, 13:27
Thanks very much, I feel really good being in good hands!

Got rid of the tick against Resident Protection on the Spybot icon, but it hasn't gone colourless. Have ticked it on again until I hear back from you. It's version 1.6.0.

So I haven't proceeded, because you said to check out any queries.

Also I need to tell you that I restarted the laptop by mistake, so presumably SP3 is now active.

Lastly, I remembered that I had a problem before getting ZoneAlarm, and that was why I got it.

Thanks, sarah

km2357
2008-10-21, 20:08
That's OK that it didn't go colorless. Go ahead and do Steps #2 and 3 and post back the Uninstall List, ComboFix log, and a fresh HijackThis log so we can continue. :)

ecosarah
2008-10-21, 22:55
Here is the uninstall list, but I have got into a huge muddle trying to disable antispy/virus: I right-clicked on AVG in the sys tray and it said I was disabling part of AVG and did I want to do that. So I did, and then saw that everything was still ticked and working. I exited, then clicked on the desktop icon to reopen it to see if it was disabled. It said it couldn't do various things and I should reboot. Then I tried again and found I was reinstalling AVG. As I need to go onto the net to paste this, I thought I'd better reinstall it anyway. Once it reinstalled it said the following:

Local machine: installed successfully
Installation:
Warning: Action failed for file avgmfx86.sys: stopping service....
Service AvgMfx86 failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90219 ms.


I haven't even begun to work out how to disable Ad-Aware and Spybot (no icons in the sys tray, just shortcuts on the desktop), so maybe you could instruct??

Also I realised that I had downloaded HJT into My Docs, so have moved it onto the desktop, but should I uninstall and reinstall it?


ABBYY FineReader 5.0 Sprint
Access IBM
Access IBM Message Center
Ad-Aware
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
AVG Free 8.0
Canon iP4200
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CD-LabelPrint
Dell AIO Printer A920
Easy-WebPrint
FaxTools
Flatbed Scanner
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IBM 32-bit Runtime Environment for Java 2, v1.4.2
IBM Access Connections
IBM Active Protection System
IBM DLA
IBM Integrated 56K Modem
IBM Integrated Bluetooth IV Software
IBM RecordNow!
IBM Rescue and Recovery with Rapid Restore
IBM SATA Power Management Driver
IBM Themes
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Power Manager
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM ThinkVantage Technologies Welcome Message
IBM TrackPoint Accessibility Features
IBM Update Connector
IBM ViaVoice Pro 10.0 - UK English
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
InterVideo WinDVD
mCore
mDriver
Micrografx Picture Publisher 7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Script Host
mMHouse
Mozilla Firefox (3.0.1)
Mozilla Thunderbird (1.5)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MT882
mWlsSafe
mXML
Nikon View 6
PC-Doctor for Windows
QuickTime
RealPlayer
SAGEM F@st 800-840
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Sonic Update Manager
SpeedTouch USB Software
Spybot - Search & Destroy
Sunny Data
Targus USB Adapter
TextBridge Classic
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Wallpapers
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinZip
ZoneAlarm
ZoneAlarm Spy Blocker

km2357
2008-10-22, 00:19
Also I realised that I had downloaded HJT into My Docs, so have moved it onto the desktop, but should I uninstall and reinstall it?

Looking at your first HJT log, we see the following:

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

That shows that HJT was installed correctly, so no need to uninstall and reinstall it. :)

Don't worry about Ad-Aware and Spybot.


Local machine: installed successfully
Installation:
Warning: Action failed for file avgmfx86.sys: stopping service....
Service AvgMfx86 failed to progress during stopping at checpoint 0 (wait hint 10000 ms) in 90219 ms.

That error has to do with AVG's real-time monitor. If you keep getting that error when you run AVG/AVG loads, go ahead and uninstall it and reinstall a fresh copy of AVG Free 8.0.

Go ahead and run ComboFix and post back the ComboFix log and a fresh HijackThis log. :)

ecosarah
2008-10-22, 10:47
ComboFix 08-10-19.04 - 1 Sarah 2008-10-22 9:14:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.125 [GMT 1:00]
Running from: C:\Documents and Settings\1 Sarah\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-09-22 to 2008-10-22 )))))))))))))))))))))))))))))))
.

2008-10-21 21:39 . 2008-10-21 21:43 8,192 --a--c--- C:\Documents and Settings\2TIM~3
2008-10-19 15:11 . 2008-10-19 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-18 11:19 . 2008-09-15 13:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-18 11:19 . 2008-09-08 11:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-18 11:18 . 2008-08-14 11:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-18 11:18 . 2008-08-14 11:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-18 11:18 . 2008-08-14 10:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-18 11:18 . 2008-08-14 10:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-10-14 14:32 . 2008-10-14 14:32 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-10-14 14:32 . 2008-10-14 14:32 <DIR> d-------- C:\WINDOWS\system32\en
2008-10-14 14:32 . 2008-10-14 14:32 <DIR> d-------- C:\WINDOWS\system32\bits
2008-10-14 14:32 . 2008-10-14 14:32 <DIR> d-------- C:\WINDOWS\l2schemas
2008-10-14 14:21 . 2008-10-14 14:33 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-10-10 16:04 . 2008-04-14 01:12 1,737,856 --------- C:\WINDOWS\system32\mtxparhd.dll
2008-10-10 16:03 . 2008-04-14 01:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-10-10 16:03 . 2008-04-14 01:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-10-10 16:03 . 2008-04-14 01:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-10-10 16:03 . 2008-04-14 01:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-10-10 16:03 . 2008-04-14 01:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-10-10 16:02 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-10-10 16:02 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-10-10 16:02 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-10-10 16:02 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-10-10 16:02 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-10-10 16:01 . 2008-04-13 19:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-10-10 16:01 . 2008-04-14 01:12 10,752 --------- C:\WINDOWS\system32\smtpapi.dll
2008-10-10 16:01 . 2008-04-14 01:12 9,728 --------- C:\WINDOWS\system32\rwnh.dll
2008-10-10 16:01 . 2007-06-21 06:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-10-10 16:00 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-10-10 16:00 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-10-10 16:00 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-10-10 16:00 . 2008-04-13 17:36 144,384 --------- C:\WINDOWS\system32\drivers\hdaudbus.sys
2008-10-10 16:00 . 2008-04-14 01:11 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2008-10-10 16:00 . 2008-04-13 19:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-10-10 16:00 . 2008-04-13 19:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-10-10 16:00 . 2008-04-13 19:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2008-10-10 15:58 . 2008-04-14 01:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-10-10 15:58 . 2008-04-14 01:11 132,096 --------- C:\WINDOWS\system32\dot3svc.dll
2008-10-10 15:58 . 2008-04-14 01:11 57,856 --------- C:\WINDOWS\system32\dot3cfg.dll
2008-10-10 15:58 . 2008-04-14 01:11 56,320 --------- C:\WINDOWS\system32\dot3msm.dll
2008-10-10 15:58 . 2008-04-14 01:11 48,640 --------- C:\WINDOWS\system32\dhcpqec.dll
2008-10-10 15:58 . 2008-04-14 01:11 39,936 --------- C:\WINDOWS\system32\dot3gpclnt.dll
2008-10-10 15:58 . 2008-04-14 01:11 39,936 --------- C:\WINDOWS\system32\dimsroam.dll
2008-10-10 15:58 . 2008-04-14 01:11 26,112 --------- C:\WINDOWS\system32\dot3api.dll
2008-10-10 15:58 . 2008-04-14 01:11 19,456 --------- C:\WINDOWS\system32\dimsntfy.dll
2008-10-10 15:58 . 2008-04-14 01:11 9,216 --------- C:\WINDOWS\system32\dot3dlg.dll
2008-10-10 15:56 . 2008-04-14 01:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-10-10 15:55 . 2008-04-14 01:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-09-29 14:12 . 2004-02-05 15:52 53,248 --a------ C:\WINDOWS\setFireWall.exe
2008-09-29 14:12 . 2003-12-05 19:09 2,238 --a------ C:\WINDOWS\tiscali04.ico
2008-09-29 14:06 . 2008-09-29 14:06 <DIR> d-------- C:\Program Files\SAGEM
2008-09-29 14:06 . 2003-01-30 05:48 143,360 --a------ C:\WINDOWS\autoclk.exe
2008-09-29 14:06 . 2004-01-07 16:29 81,088 --a------ C:\WINDOWS\system32\drivers\rtbldep4.bnm
2008-09-29 14:06 . 2001-05-24 16:24 22,395 --a------ C:\WINDOWS\system32\drivers\fpga.bin
2008-09-29 14:06 . 2008-09-29 14:07 184 --a--c--- C:\setuplog.exe
2008-09-29 14:03 . 2008-09-29 14:03 <DIR> d-------- C:\Program Files\Tiscali Broadband
2008-09-29 14:03 . 2004-01-23 16:51 2,238 --a------ C:\WINDOWS\TiscaliHelp04.ico

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 08:23 241,460 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-22 08:23 21,884,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-22 08:02 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-10-22 07:57 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-22 07:57 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-10-22 07:57 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-10-21 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-10-19 14:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-11 09:32 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-29 13:07 23 ----a-w C:\WINDOWS\system32\drivers\adidsl.cfg
2008-09-29 13:06 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-15 12:12 1,846,400 ------w C:\WINDOWS\system32\win32k.sys
2008-09-14 17:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-08 10:41 333,824 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-09-01 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-01 13:38 --------- d-----w C:\Program Files\Lavasoft
2008-09-01 11:25 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-28 14:35 --------- d-----w C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-20 05:30 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-20 05:30 666,112 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2008-08-14 10:11 2,189,184 ------w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 10:04 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-08-14 09:33 2,066,048 ------w C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-06 11:54 18,040,176 -c----w C:\Program Files\Install_Messenger_nous.exe
2007-01-28 14:34 6,342,864 -c----w C:\Program Files\Thunderbird Setup 1.5.0.9.exe
2006-10-17 19:52 2,855,080 -c----w C:\Program Files\aawsepersonal.exe
2006-05-30 13:10 6,322,168 -c----w C:\Program Files\Thunderbird Setup 1.5.0.2.exe
2005-11-01 12:14 1,148,416 -c----w C:\Program Files\PA082.exe
2005-10-15 13:58 13,399,472 -c----w C:\Program Files\avg70free_344a618.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-08 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-08 512000]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-12-13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-12-13 126976]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2004-02-05 897024]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2005-03-04 94208]
"ControlCenter"="C:\Program Files\IBM fingerprint software\ctlcntr.exe" [2004-11-04 284766]
"EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2004-11-24 212992]
"UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-15 36864]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 127035]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2005-01-21 135168]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 919016]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-22 1234712]
"TpShocks"="TpShocks.exe" [2005-01-24 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2004-11-12 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-11 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-15 24576]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2008-09-29 962660]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2004-11-04 17:51 108636 C:\Program Files\IBM fingerprint software\psfus.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
2005-03-18 11:07 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2004-08-13 04:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
Notification Packages REG_MULTI_SZ scecli pwdmon

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
backup=C:\WINDOWS\pss\NkvMon.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TextBridge Instant Access OCR.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TextBridge Instant Access OCR.lnk
backup=C:\WINDOWS\pss\TextBridge Instant Access OCR.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
--a------ 2003-06-02 19:25 270336 C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBM Warranty Notification]
--------- 2004-03-12 19:24 106496 C:\Program Files\IBM\acp\ERTS0749\ERTS0749.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
--------- 2004-08-06 10:10 442368 C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IBMPRC]
--------- 2004-12-16 11:41 90112 C:\IBMTOOLS\utils\ibmprc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-14 01:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--------- 2003-08-19 09:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"btwdins"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\audmig.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\macroeditor.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\msaadmn.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\navcentral.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\smart.exe"=
"C:\\Program Files\\ViaVoice\\BIN\\speechbar.exe"=
"C:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=
"C:\\Program Files\\ViaVoice\\BIN\\engine.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-14 59776]
R0 TPDiskPM;TPDiskPM;C:\WINDOWS\system32\drivers\TPDiskPM.sys [2004-12-03 14208]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-03-18 11520]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-22 97928]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\drivers\IBMBLDID.SYS [2005-03-18 2432]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 4608]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2005-01-21 4442]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-21 282904]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-10-22 76040]
R2 ibmfilter;ibmfilter;C:\WINDOWS\system32\drivers\ibmfilter.sys [2004-12-16 63616]
R2 ScanDrv;ScanDrv;C:\WINDOWS\system32\drivers\ScanDrv.sys [1999-04-08 195384]
R3 portio;TPM Service;C:\WINDOWS\system32\DRIVERS\NscTpmDD.sys [2004-05-19 13757]
R3 TPInput;TPInput;C:\WINDOWS\system32\DRIVERS\TPInput.sys [2004-12-02 6016]
S2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-10-22 875288]
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-07-27 30336]
S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.SYS [2005-03-18 12288]
.
Contents of the 'Scheduled Tasks' folder

2008-10-22 C:\WINDOWS\Tasks\PMTask.job
- C:\PROGRA~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2005-01-21 09:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-adiras - adiras.exe
MSConfigStartUp-Adobe Reader Speed Launcher - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\1 Sarah\Application Data\Mozilla\Firefox\Profiles\wyor7n6s.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.indymedia.org.uk/
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 09:26:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\pwdmon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\system32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\TPHDEXLG.exe
C:\WINDOWS\system32\TpKmpSvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-10-22 9:35:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-22 08:35:02

Pre-Run: 10,760,769,536 bytes free
Post-Run: 10,802,593,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

278 --- E O F --- 2008-10-19 13:29:51


Forgotten how to produce a HJT log, so will look it up and then post.

thanks

ecosarah
2008-10-22, 11:01
hjt log hopefully

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:15, on 22/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg

--
End of file - 8822 bytes


think that is all of your instructions so far,

thank you

ecosarah
2008-10-22, 15:42
Will it affect what you are doing if I uninstall and reinstall ZoneAlarm? I have a feeling it will work then.

sarah

km2357
2008-10-22, 20:41
Uninstalling and reinstalling ZoneAlarm should not affect what we're doing. Go ahead and uninstall/reinstall it.



Step # 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Step # 2: Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Go to Start -> Control Panel -> Display Properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My Current Home Page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Click Apply.
Click Apply and then Exit Display Properties.



Step # 3 Download and Run OTMoveIt3


Please download OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


:files
C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg


Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Step # 4 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. OTMoveIT3 Log
2. MalwareBytes' Log
3. A fresh HiJackThis Log
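To show in code what these steps do by hand, here is an added Python triage script (not a tool from this thread or from HijackThis) that parses HijackThis 2.0.2 log entries and flags the kinds of lines a helper looks at first: the O24 desktop component fixed above, O23 services whose binary is missing, the O10 unknown LSP, O17 name servers, AppInit_DLLs, and Run entries with no full path. The flagging rules are my own heuristics, and the sample lines are constructed from entries posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: a few lines in HijackThis 2.0.2 format, modelled on
# the entries posted in this thread (not a complete log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.10 212.139.132.11
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg
"""

# Every HijackThis entry line starts with a section code (R0, O4, O23 ...)
# followed by " - " and the entry body.
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O4 Run entries carry the registry value name in [brackets], then the target.
RUN_TARGET = re.compile(r"\[[^\]]*\]\s+(?P<target>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each entry line; headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def run_target(body: str) -> Optional[str]:
    """Extract the command from an O4 Run entry, or None for other O4 shapes."""
    m = RUN_TARGET.search(body)
    return m.group("target").strip() if m else None


def lacks_full_path(target: str) -> bool:
    """Heuristic: a Run target with no drive letter or backslash is resolved by
    PATH search, so the log alone does not say which file actually runs."""
    t = target.strip()
    return t != "" and "\\" not in t and ":" not in t


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics (my own, not HijackThis's) to a log."""
    findings = []
    for sec, body in parse_hjt(text):
        line = f"{sec} - {body}"
        reason = None
        if sec == "O4":
            target = run_target(body)
            if target is not None and lacks_full_path(target):
                reason = "Run entry names a file without a full path; confirm where it resolves"
        elif sec == "O10" and body.startswith("Unknown file"):
            reason = "Winsock LSP not on HijackThis's known list; verify the DLL's publisher"
        elif sec == "O17":
            reason = "custom DNS servers configured; confirm they belong to your ISP"
        elif sec == "O20":
            reason = "AppInit_DLLs loads this DLL into every GUI process; verify it"
        elif sec == "O23" and "(file missing)" in body:
            reason = "service points at a binary that no longer exists"
        elif sec == "O24":
            reason = "Active Desktop web component; remove if not deliberately set"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


def report(text: str) -> str:
    """Human-readable summary, one flagged entry per line."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in triage(text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A flagged line is a prompt to check the file and its publisher, not a verdict; several of these entries (the AVG AppInit DLL, the ISP name servers) are legitimate on this machine.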

ecosarah
2008-10-22, 21:37
Got to Empty Selected under Firefox on ATF Cleaner and it said no files were deleted. And Opera is in grey so I cannot select it - what do I do about both?

thanks

ecosarah
2008-10-22, 21:38
Pressed it again and it said it was done cleaning. But Opera is still not lit.

km2357
2008-10-23, 00:07
It looks like ATF Cleaner didn't find any junk files to delete in/from Firefox.

And Opera is greyed out because you don't have it installed on your computer, so no need to worry about it. :)

Continue on with Steps 2-4. :)

ecosarah
2008-10-23, 11:52
Under Customise Desktop there was nothing except My Current Home Page, unchecked, so I left it all as it was.

At first it said it couldn't move it, and something to do with a time error. I pressed Moveit! again and it went, with the following results:

Error: Unable to interpret <C:/DOCUME~1/1SARAH~1/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10232008_104929

rest coming...

ecosarah
2008-10-23, 12:08
No malware found by Malwarebytes.

Malwarebytes' Anti-Malware 1.30
Database version: 1308
Windows 5.1.2600 Service Pack 3

23/10/2008 11:05:21
mbam-log-2008-10-23 (11-05-21).txt

Scan type: Quick Scan
Objects scanned: 50181
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:11, on 23/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.10 212.139.132.11
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 8840 bytes


thanks for your time!

km2357
2008-10-24, 03:33
Please go to the Eset website (http://www.eset.com/onlinescan/) to perform an online scan. Please use Internet Explorer as it uses ActiveX.

Check (tick) this box: YES, I accept the Terms of Use.
Click on the Start button next to it.
When prompted to run ActiveX, click Yes.
You will be asked to install an ActiveX. Click Install.
Once installed, the scanner will be initialized.
After the scanner is initialized, click Start.
Uncheck (untick) Remove found threats box.
Check (tick) Scan unwanted applications.
Click on Scan.
It will start scanning. Please be patient.
Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.


In your next post/reply, I need to see the following:

1. Eset Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?

ecosarah
2008-10-24, 10:50
ZoneAlarm is now allowing me on the net, but a pop-up from ZoneAlarm came up when I followed your instructions, and further info said:

ZoneAlarm has prevented a connection to port 23 on your computer. This was most likely a port scan by a remote computer trying to find out if you are running Telnet software.

Was that the right thing, or will it have affected things?

ecosarah
2008-10-24, 11:41
The scan has been going 18 minutes and has been stopped at 4170 files scanned for a number of minutes now. I'll give it longer and then stop it. Stopped after 23 minutes.
Log:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3550 (20081023)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=7fc86484ca65b54da76c071c51c8d7b3
# end=stopped
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-24 09:18:15
# local_time=2008-10-24 10:18:15 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=4298
# found=0
# scan_time=1777

And trying again...

Got from ZA: "ZoneAlarm prevented a remote computer from connecting to port 1080 on your computer. This connection attempt was probably a port scan attempting to locate unprotected or misconfigured proxy servers. To learn more about port scans, see the Details tab."

On 411? now, 7 mins... Forgot to say, the computer is VERY slow while the scan is on, even though it's not doing anything... 4071 and 20 mins, but the laptop got quicker since I closed Thunderbird. Will now post this and close Firefox, so I just have Internet Explorer open.

I had huge difficulty loading ZA. My computer crashed several times in various ways & ZA kept reporting malfunctions, e.g. that I wasn't logged on as the administrator when I was. even cnt

The laptop is still slow, and 3 extra GB have arrived since I last checked (a few months ago). Apart from some photos from a 3-megapixel camera, I have added nothing except the programs you have asked me to; I cannot see any way I have added more than a gig, at the very outside. My Docs have used 11.4 GB in total, which is also higher than I would have expected, but the whole laptop has 23 GB on it, which I cannot explain. Something is eating my space!

Yesterday I had a problem with LEXPPS trying to access the internet and googled it. Bleeping Computer said that LEX.exe can use up loads of processing power, so as it is connected to printers I uninstalled 2 printers I don't use. However, that program and another LEX one were still there today on Ctrl-Alt-Del, so I have ended the processes today. I could uninstall my printer (Epson) and see if that makes it go! I won't be printing till I get more ink anyway.

ecosarah
2008-10-24, 13:23
ESET has been going 56 mins and got through 5600 items. I've got Task Manager on, set at Processes, and it seems that iexplore.exe is using 100% CPU a lot of the time. ZA has done some more blocking, and I am wondering whether to stop the scan or continue. I am unable to run it all day, which seems to be what it needs!

I will leave it running a bit longer to see if I get a response from you...

As I was writing this, it set off again and has got to 8k items, but the colour on the progress bar shows only a couple of mm, i.e. less than 1/20th done so far.

thanks

ecosarah
2008-10-24, 16:29
Finally got it!

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3551 (20081024)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=7fc86484ca65b54da76c071c51c8d7b3
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-24 02:10:19
# local_time=2008-10-24 03:10:20 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=287495
# found=0
# scan_time=13645

ecosarah
2008-10-24, 16:31
HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:14, on 24/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.36 212.139.132.37
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe

--
End of file - 9080 bytes

Look forward to your response: where is the malware?
sarah

km2357
2008-10-24, 20:14
Hi Sarah.

The ESET log came back clean and your latest HJT log looks to be clean as well. All the scans with the different tools we've done haven't found any malware. It looks like Malware may not be the cause of your Hard Drive filling up.

I can give you some tips to see if it helps speed up your computer and get back some HD space. I'll also give you some links to some general troubleshooting forums.

1. But first, since you mention troubles loading ZA and your computer crashing while using it, here are a few alternatives (all free) to ZA for you to use:

Whatever one you choose from the list below, download its setup file first, disconnect from the net, then uninstall ZA, then install the new firewall, then reconnect to the Internet.

Jetico Personal Firewall (http://www.jetico.com/jpf2.htm)
Soft perfect (http://www.softperfect.com/products/firewall/)
Sunbelt Kerio Firewall (http://www.sunbelt-software.com/Kerio-Download.cfm)

Please download and install only one!

Once the firewall is installed, check to see that the Windows Firewall is disabled. To do so follow these steps:

1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, check to see if Off (not recommended) is checkmarked/ticked, if it is not, then checkmark/tick the box and click OK


2. Go to Add/Remove Programs and uninstall any programs/games you are no longer using, this will give some HD space back.

3. For the slow computer, try the tips at the website here (http://www.malwareremoval.com/tutorials/runningslowly.php).

4. And here at the general trouble shooting forums where you can get more help:

Computer Trouble here: http://forum.computertrouble.co.uk/index.php
or
TechSupportGuy here : http://forums.techguy.org/21-windows-nt-2000-xp/
or
VirtualDr here: http://discussions.virtualdr.com/forumdisplay.php?f=48
or
PCPitStop here : http://forums.pcpitstop.com/index.php?showforum=3

All may require free registration before posting for help.
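As an added illustration of what a helper is doing when reading the HJT log above (this is not part of the original thread, and not a HijackThis feature): a small Python script that parses O4/O10/O16/O17/O20/O23 lines in the format shown and reports the entries a reviewer stops on. The sample lines are copied from the log posted above; the rules encode the usual reading of each section (a service whose binary is "(file missing)", a service with no publisher, a Winsock LSP not on HJT's known-good list, an AppInit_DLLs entry, a NameServer setting to compare against the ISP's addresses, a downloaded ActiveX control, a Run entry without a full path). The expected DNS list is an assumption to be filled in from the ISP; with an empty list the O17 line is reported for checking.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (not constructed); each one
# trips a check that a log reviewer makes by hand.
HJT_LOG = r"""
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{951AC99B-C831-46E9-A999-D129F4179D24}: NameServer = 212.139.132.36 212.139.132.37
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "O23"
    reason: str   # why a reviewer would stop on this line
    line: str     # the log line as posted


# "<code> - <body>"; codes are a letter plus digits (R0, O4, O23, ...).
SECTION_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O23 body: "Service: <name> - <company> - <path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# O17 body ends with "NameServer = <ip> [<ip> ...]"
DNS_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")


def triage(log_text, expected_dns=()):
    """Return the lines a reviewer would look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "O23":
            s = SERVICE_RE.match(body)
            if s and s["missing"]:
                findings.append(Finding(code, "service binary missing: stale entry or a removed component", raw))
            elif s and s["company"] == "Unknown owner":
                findings.append(Finding(code, "no publisher in version info: verify the file's hash or signature", raw))
        elif code == "O10":
            findings.append(Finding(code, "Winsock LSP not on HJT's known-good list: identify the DLL first; removing a live LSP breaks networking", raw))
        elif code == "O20":
            findings.append(Finding(code, "AppInit_DLLs is loaded into every process that loads user32.dll: confirm it belongs to installed software", raw))
        elif code == "O17":
            d = DNS_RE.search(body)
            unexpected = [ip for ip in d["servers"].split() if ip not in expected_dns] if d else []
            if unexpected:
                findings.append(Finding(code, "DNS servers %s not in the expected list: confirm they are the ISP's" % ", ".join(unexpected), raw))
        elif code == "O16":
            findings.append(Finding(code, "ActiveX control downloaded from the web: remove when no longer needed", raw))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r and "\\" not in r["cmd"].split()[0]:
                findings.append(Finding(code, "Run entry without a full path: the search path decides which file runs", raw))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, expected_dns=("212.139.132.36", "212.139.132.37")):
        print("%-4s %s\n     %s" % (f.section, f.reason, f.line))
```

Run against the full log, the script reproduces the helper's verdict: nothing here is evidence of infection, but the "(file missing)" service is dead weight that can be removed, and the unknown-publisher entries are the ones to hash and look up if doubt remains.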

ecosarah
2008-10-25, 06:30
Thanks very much.

I have been told that malware can hide as normal programs, and the fact that everything comes back completely clean struck me as strange. As in: surely it's strange that I don't have ANY malware?? Also winword and engine.exe (IBM voice recognition prog) keep trying to "act as a server", according to ZoneAlarm (when I'm using Word), so could some malware be hiding there?

Although I am aware I can delete programs and files to make more space, the puzzle is that I don't have any big progs or files on there, e.g. I have no games except any that the laptop came with. I am puzzled by the disappearance of GB regularly, but not relating to me using GB, and it's been going on for nearly a year. Do you know if the sites you have recommended are reliable and I can trust them?

Thanks again for taking me through everything. Would you suggest I leave all the programs that we have downloaded on?

best wishes sarah

km2357
2008-10-25, 08:49
Thanks very much.

I have been told that malware can hide as normal programs, and the fact that everything comes back completely clean struck me as strange. As in: surely it's strange that I don't have ANY malware?? Also winword and engine.exe (IBM voice recognition prog) keep trying to "act as a server", according to ZoneAlarm (when I'm using Word), so could some malware be hiding there?

It is strange that you reported at the beginning of the thread that SpyBot found some malware, but all the scans we've done have found none. Have you run SpyBot lately and has it found anything?

Also, I'd like to look closer at winword and engine.exe due to ZA saying they are trying to act as a server. There may be something more there.



Although I am aware I can delete programs and files to make more space, the puzzle is that I don't have any big progs or files on there, e.g. I have no games except any that the laptop came with. I am puzzled by the disappearance of GB regularly, but not relating to me using GB, and it's been going on for nearly a year. Do you know if the sites you have recommended are reliable and I can trust them?

Do you have any idea what you were doing a year ago to start this? Did you use any P2P programs during that time? You can get infections from files you download from P2P programs that, if not removed, can fill up your HD with lots and lots of files.

Yes, those forums I linked you to last post are very reliable and you can trust them. :)


Thanks again for taking me through everything. Would you suggest I leave all the programs that we have downloaded on?

I'll show you how to get rid of OTMoveIT3 before we are done here at Safer Networking. I would keep MalwareBytes' Anti-Malware. Be sure to update it whenever you do a scan with it.

=========================

Step # 1: Download and Run FileFind

Download FileFind (http://www.atribune.org/downloads/FileFind.zip) by Atribune.

Extract FileFind.zip by double-clicking the file.
Double click on FileFind.exe to open the program.
Enter winword.exe into the File: box.
Click on the Search button.
After a while a list of file locations will appear in the List of Files: box.
Click on the Export button.


This will create a Notepad file named Export.txt located in the C:\ folder, copy and paste it to your next post please.

Repeat the above steps, putting engine.exe in the File: box.

Post back both engine.exe and winword.exe logs and we'll go from there.

ecosarah
2008-10-27, 18:00
Hi there,
I think there must have been some misunderstanding with what I first posted.

I wrote "SB shows all sorts of programs when its scanning that seem dodgy eg AdMoke, *.*.casino.PT, Goldeneye, Virtumonde.dll, Hacker.ag, Eros Paradise, Win32.Tool Hack.Aid(might have got that one bit wrong) etcetc. I have never been on any porno or gambling sites. Also my laptop is now very slow."

The problem for me was that SB didn't pick up on these programs, just scanned through them.

ecosarah
2008-10-27, 18:15
On 24th Oct I reported to you that my laptop had 23 GB on it, an increase of 3 GB since I had last looked. On the 25th I checked it and it had increased to 24.8 GB. The only thing I have downloaded is what you have asked me, and I didn't add any music or photos. So what is going ON?!

I checked some files by hand (I have still to go through My Docs to check that) and the most suspicious ones are what I collectively call the NODs. Here is the pathway of one file: C:\Documents and Settings\1 Sarah\Local Settings\temp\NOD1251.tmp; the rest are NOD then a number (some with a letter at the end).tmp

There are 9 in total, and 7 have 300 MB, 1 has 174 MB and the last one 17.6 MB; they take up 2.2 GB in total! They were last modified on 24th October 08, starting at 9.50am, and the 10th one was modified on the same day at 10.13am. At those times I was trying to get the ESET online scan to work. I continued to get that scan to work for several hours after that, so I don't know if it is connected to that. I don't think I have run Disk Cleanup since, but didn't want to in case it gave you an insight into something.

I've also noticed that my Windows file is now 4 GB and IBM tools 1.1 GB. When I first got going they were 3 GB in total, and I don't think I have added much since. Could the Windows updates be taking up that extra space?

I haven't had a chance to follow all the links for slow computers that you gave me or follow your last instructions. Will get onto that asap.

thanks sarah

ecosarah
2008-10-27, 18:20
What are P2P progs? Don't remember doing anything different when it started, but will think about this further...

km2357
2008-10-27, 19:39
I think there must have been some misunderstanding with what I first posted.

I wrote "SB shows all sorts of programs when its scanning that seem dodgy eg AdMoke, *.*.casino.PT, Goldeneye, Virtumonde.dll, Hacker.ag, Eros Paradise, Win32.Tool Hack.Aid(might have got that one bit wrong) etcetc. I have never been on any porno or gambling sites. Also my laptop is now very slow."

The problem for me was that SB didn't pick up on these programs, just scanned through them.

Thanks for the clarification, I understand now. :)

Did these items (AdMoke, Goldeneye, Hacker.ag, etc.) that Spybot was scanning appear at the bottom of the screen during the scan? And did they go by really fast? Whenever Spybot does a scan it lists the infections it scans for/has in its database, and if it finds a match, it will pick up on it. Since Spybot didn't pick up on any of these, as you said, then you're OK in that regard. :)


I checked some files by hand (I have still to go through My Docs to check that) and the most suspicious ones are what I collectively call the NODs. Here is the pathway of one file: C:\Documents and Settings\1 Sarah\Local Settings\temp\NOD1251.tmp; the rest are NOD then a number (some with a letter at the end).tmp

There are 9 in total, and 7 have 300 MB, 1 has 174 MB and the last one 17.6 MB; they take up 2.2 GB in total! They were last modified on 24th October 08, starting at 9.50am, and the 10th one was modified on the same day at 10.13am. At those times I was trying to get the ESET online scan to work. I continued to get that scan to work for several hours after that, so I don't know if it is connected to that. I don't think I have run Disk Cleanup since, but didn't want to in case it gave you an insight into something.

Did some quick research on those, and they do seem to be related to the ESET scan. You can go ahead and delete those files and run Disk Cleanup as well. :)


I've also noticed that my Windows file is now 4 GB and IBM tools 1.1 GB. When I first got going they were 3 GB in total, and I don't think I have added much since. Could the Windows updates be taking up that extra space?

The Windows updates are taking up some space, but I don't think they are taking up a whole lot, you need them to keep your computer safe and updated, so I wouldn't remove any.


What are P2P progs? Don't remember doing anything different when it started, but will think about this further...

It stands for Peer to Peer: programs that are used to download files from one computer to another across the Internet, as long as both computers have the same P2P program (there are many).

Have you ever downloaded/installed/used any of the programs in the link below:

http://www.malwareremoval.com/p2pindex.php

If not, then P2P infections are not the cause of your Hard Drive filling up.


I haven't had a chance to folow all the links for slow computers that you gave me or follow your last instructions. will get onto that asap.

Ok. :) Let me know how things go with those.
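The question of what is eating the disk is better answered by measuring than by guessing, and the NOD*.tmp files were found by hand. As an added example (not part of the thread): a Python script that walks a directory tree once, reports the largest files and the per-directory totals (subdirectories included), and lists files matching a glob such as NOD*.tmp. It runs over a constructed stand-in for the user's profile directory, created under the system temp directory with sparse files sized to match the post above, so all paths and sizes here are assumptions; point report() at a real profile directory to use it.

```python
import fnmatch
import os
import tempfile
from collections import defaultdict

MIB = 1024 * 1024


def scan_tree(root, top_n=5):
    """Walk root once; return (largest_files, bytes_per_directory).

    largest_files: (size, path) pairs, biggest first, at most top_n of them.
    bytes_per_directory: directory path relative to root -> bytes beneath it,
    subdirectories included, so the "." entry is the grand total.
    """
    root = os.path.normpath(root)
    files = []
    dir_bytes = defaultdict(int)
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.lstat(path).st_size  # lstat: do not follow symlinks
            except OSError:
                continue                        # unreadable or vanished; skip
            files.append((size, path))
            # Charge the file to its directory and each ancestor up to root.
            d = dirpath
            while True:
                dir_bytes[d] += size
                parent = os.path.dirname(d)
                if d == root or parent == d:
                    break
                d = parent
    files.sort(reverse=True)
    per_dir = {os.path.relpath(d, root): n for d, n in dir_bytes.items()}
    return files[:top_n], per_dir


def find_by_pattern(root, pattern):
    """(size, path) for every file under root whose name matches a glob, biggest first."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in fnmatch.filter(names, pattern):
            path = os.path.join(dirpath, name)
            hits.append((os.lstat(path).st_size, path))
    return sorted(hits, reverse=True)


def human(n):
    """314572800 -> '300.0 MB'."""
    for unit in ("B", "KB", "MB", "GB"):
        if n < 1024 or unit == "GB":
            return "%.1f %s" % (n, unit)
        n /= 1024.0


def build_sample_tree():
    """Constructed stand-in for the user's profile directory; the sizes mirror
    the post above. Files are created sparse (truncate, nothing written), so
    this costs no real disk space and is instant."""
    root = tempfile.mkdtemp(prefix="profile_")
    layout = {
        os.path.join("Local Settings", "temp", "NOD1251.tmp"): 300 * MIB,
        os.path.join("Local Settings", "temp", "NOD1252.tmp"): 174 * MIB,
        os.path.join("My Documents", "photos", "img001.jpg"): 2 * MIB,
        os.path.join("WINDOWS", "system32", "example.dll"): 1 * MIB,
    }
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.truncate(size)
    return root


def report(root):
    largest, per_dir = scan_tree(root)
    print("Largest files:")
    for size, path in largest:
        print("  %10s  %s" % (human(size), os.path.relpath(path, root)))
    print("Directory totals (subdirectories included):")
    for d, size in sorted(per_dir.items(), key=lambda kv: -kv[1]):
        print("  %10s  %s" % (human(size), d))
    print("Scanner temp leftovers:")
    for size, path in find_by_pattern(root, "NOD*.tmp"):
        print("  %10s  %s" % (human(size), os.path.relpath(path, root)))


if __name__ == "__main__":
    report(build_sample_tree())
```

On a real profile the directory totals are what separate "the scanner left 2.2 GB of temp files" from "something is writing continuously": run it twice a day apart and compare the totals for temp, the Windows directory and My Documents.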

ecosarah
2008-10-28, 09:34
Do not recognise any P2P progs listed.

Yes, the items (AdMoke etc.) appeared at the bottom of the screen. A lot of them didn't go by very fast, but then my SB scan is always very slow. That wasn't always the case. I am just remembering that I may have loaded Spybot around the time the problem started, and also Ad-Aware, but I might have done it several months before; I cannot remember exactly when??! And I have re-installed SB since due to it crashing lots.

Am very concerned that the ESET scan downloaded 2.2 GB, because we have a limit of 3 gig a month from our internet server and I know I have downloaded several other progs with you. As I am not the only user and we get charged a lot if we go over 3 GB, can you advise please. I won't go ahead with downloading FileFind until I hear from you. The rest of our traffic is looking on eBay and emails.

thanks

km2357
2008-10-28, 19:18
Since you are not the only person that uses the computer have you asked the others what they have been downloading lately? If they have downloaded any large programs recently?

Go ahead and download FileFind. It's a small program (the .zip is about 19KB and the .exe itself is 69KB). The only really large download we had was ESET. We won't be downloading anything near that large the rest of the time I'm helping you. :)

ecosarah
2008-10-29, 00:03
I am trying to update Adaware and keep getting the msg:

ERROR

cannot connect to the Web update Server.
Server is busy.

even though I am a) connected to the internet,
b) tried turning off ZoneAlarm (turned on MS firewall),
c) Lavasoft website is up and running.

Shall I post a mail with them to try to sort it separately to here, or do you think it is connected?

I have downloaded filefind and will get back to you when I have followed your instructions

thanks

km2357
2008-10-29, 06:23
It sounds like a separate issue with Ad-Aware. I would post in their Support Forum (http://www.lavasoftsupport.com/index.php?showforum=61) and let them know about your problem with updating there.

ecosarah
2008-10-29, 15:39
I'll sort out Ad-Aware with them, thx.

Deleted NOD files and did Disk Cleanup. ActiveX in there had 13 files depending upon it, so I've written them down in case you want to know. I am wondering if I can del them too?

Meanwhile my computer is doing funny things: I found it with a flat battery only hours after I had left the battery full. Then I hibernated it & left it charging. But later when I pulled the plug it bleeped at me, something it only does when switched on! It didn't seem to have hibernated properly, but the screen wasn't on. Got the screen to come on by fiddling and then couldn't get it to hibernate or shut down; it would get nearly there (very slowly) and then stop. Pulled the plug in the end last night and today it's fine again!


C:\Program Files\Microsoft Office\Office\WINWORD.EXE - 8798260 Bytes
C:\Program Files\ViaVoice\BIN\engine.exe - 974848 Bytes


Javaw wants to access the internet regularly, do I let it?

thx again sarah

ecosarah
2008-10-29, 15:41
Realise in the previous post I've got slightly muddled. It was, I think, Onlinescanner Control, not ActiveX Control, that had the dependent programs (under Properties; Dependency). But am a bit unclear as I have written ActiveX Control down...

km2357
2008-10-29, 19:26
I would leave the ActiveX files there, they should be a small size. What size are they? (KB, MB?)

The problem with the battery sounds like it could be a one-time thing or a problem with hardware on your computer. Hence it's out of the scope of this forum and would best be answered at a general troubleshooting/hardware forum.

Let's scan those two files more closely. Winword.exe might be too big for the scanner, but try it anyway.

Javaw is part of Java. Yes allow it access to the Internet. :)

Have you gone to the My Computer is running slow (http://www.malwareremoval.com/tutorials/runningslowly.php) link yet that I posted earlier? And if so, has that helped?

Step # 1 Upload Files

Go to Jotti (http://virusscan.jotti.org)
Copy the following line into the white textbox:
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

C:\Program Files\ViaVoice\BIN\engine.exe

If Jotti is busy, Go to VirusTotal (http://www.virustotal.com/en/indexf.html) and scan the file(s) there.

I believe both files (if not too big for the scanner) should come back clean, we'll see what the log says. :)

All in all, I think your problem(s) are not malware-related and can best be taken care of, with further help, at the general troubleshooting forums that I posted at Post #23 (http://forums.spybot.info/showpost.php?p=246604&postcount=23) of this thread.
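An added example for the upload step above, given the bandwidth worry raised earlier in the thread (this is not part of the thread, nor code from Jotti or VirusTotal): compute the file's MD5, SHA-1 and SHA-256 locally so the hash can be searched on VirusTotal instead of uploading about 8 MB, and do a first local check of the PE headers, including whether the file carries an Authenticode certificate table at all. The sample files are constructed minimal PE images written to the temp directory, not real executables; their machine type, timestamp and certificate-table offsets are made-up values, and presence of a certificate table is not verification of the signature.

```python
import hashlib
import struct
import tempfile


def hash_file(path, chunk=1 << 20):
    """MD5, SHA-1 and SHA-256 in one pass, reading 1 MiB at a time so a large
    file is never loaded whole. Any of the three can be searched on VirusTotal."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def pe_summary(path):
    """Walk the PE headers far enough to report the target machine, the linker
    timestamp and whether a certificate table (Authenticode) is present.
    Presence is not validity: nothing here verifies the signature."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # Data directories follow the optional header's fixed fields: 96 bytes in
    # PE32, 112 in PE32+. Entry 4 is the certificate table (file offset, size).
    dd = opt + (112 if pe32plus else 96)
    if dd + 5 * 8 > opt + opt_size:
        raise ValueError("optional header too short for a certificate table entry")
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)
    return {"machine": machine, "sections": nsections, "timestamp": timestamp,
            "pe32plus": pe32plus, "signed": cert_size > 0}


def build_sample_pe(signed):
    """Constructed PE32 image (not runnable): DOS header, COFF header, PE32
    optional header with 16 data directories, one blank section header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1224000000, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                       # 96 fixed + 16 * 8 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    if signed:
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x200, 0x80)  # made-up certificate table
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(40)
    return image + bytes(0x280 - len(image))                   # cover the fake cert range


def write_sample(signed):
    """Write a constructed image to the temp directory and return its path."""
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as f:
        f.write(build_sample_pe(signed))
        return f.name


if __name__ == "__main__":
    for flag in (True, False):
        p = write_sample(flag)
        print(p, pe_summary(p), hash_file(p)["sha256"])
```

For the two files from the FileFind output, run hash_file() and pe_summary() on each real path; a hash that is already known to the scanner sites answers the question with no upload, and a file posing as WINWORD.EXE with no certificate table is one to upload in full.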

ecosarah
2008-10-30, 09:44
thanks,

"The problem with the battery sounds like it could be a one time thing or a problem with hardware on your computer."

I wasn't clear enough with you on that: you called it a battery problem, but what I meant was that the shutting-down function was not working properly! The battery is fine; it just showed that the laptop had been on for those hours by running down. I was trying to say that the computer wasn't shutting down or hibernating completely, just going most of the way, but the laptop was still on (hence running on battery). If there is a prob with hardware I'll have to send the laptop back!

"Have you gone to the My Computer is running slow link yet that I posted earlier? And if so, has that helped?"

I went through the list of things for computers running slowly until I got to lite startup, a prog. to download. My landlord is very concerned that I downloaded something of 2.2 gig and is looking into how much we have left. After that is Do You Have Host Files Installed. Well, I have no idea! So I haven't disabled my DNS. I did check my indexing service and it was already disabled. Lastly, I don't want to remove all but the last restore point as I may need to go back (I'd be happy to remove some, but there isn't that option).

Do you know if I have host files installed from my logs? Shall I disable DNS?
I would like to disable startup progs manually so I don't have to download any more! Hoping I've got instructions somewhere.

How do I find out ActiveX size? I was in Disk Cleanup and Onlinescanner Control was in there, with only 3 other files. I del all of them as they were temporary. That is where the dependent ones were shown. If they are dependent and I have del Onlinescanner, then do I have a use for those dependent temp files?

Will upload as per your instructions, when I know where we are with our internet limit. Meanwhile I want to expand on those two: whenever I open a Word doc that is an attachment (from different sources) there are several ports involved in those 2 progs trying to act as servers. 3 or 4 or maybe more ports or destinations, the same ones I think for both. So I have to click Deny 6-8 times. It takes quite a long time as it goes quite slowly.

thanks for your help and patience, sarah

ecosarah
2008-10-30, 09:49
Just checked: when I open Word from my computer, it happens too. And it is at least 8 times I have to click Deny, maybe ten?

km2357
2008-10-30, 19:42
I wasn't clear enough with you on that: you called it a battery problem, but what I meant was that the shutting-down function was not working properly! The battery is fine; it just showed that the laptop had been on for those hours by running down. I was trying to say that the computer wasn't shutting down or hibernating completely, just going most of the way, but the laptop was still on (hence running on battery). If there is a prob with hardware I'll have to send the laptop back!

When you booted the laptop back up after this episode, has it happened again? Or has it been a one-time thing so far? And did any error messages pop up when the computer was booting up, and any messages show when the Desktop was loading? We are getting out of my area of expertise here; the best thing would be to mention this at one of the hardware/general troubleshooting forums, they can help you out further if this happens again. :)



Lastly, I don't want to remove all but the last restore point as I may need to go back. (I'd be happy to remove some but there isn't that option.)

The reason we (malware fighters/removers) suggest that you clear all old restore points and set a new one is that at the end of the fix, those who were infected often have infected restore points. So, we have them remove them so there is not a chance of the person going back and using that system restore point and getting their computer reinfected. Since you don't appear to be infected, you probably don't have any infected restore points. I would still remove old ones every once in a while as they do take up space on the computer.



Do you know if I have host files installed from my logs? Shall I disable DNS?

No, I do not see anything in any of your logs that says you have host files installed on your computer. No need to disable DNS right now.



How do I find out ActiveX size? I was in Disk Cleanup and Onlinescanner Control was in there, with only 3 other files. I deleted all of them as they were temporary. That is where the dependent ones were shown. If they are dependent and I have deleted Onlinescanner, then do I have a use for those dependent temp files?

I was unaware or missed that you had deleted the Onlinescanner. Since you don't have that anymore you can delete those files.


Whenever I open a Word doc that is an attachment (from different sources) there are several ports involved in those 2 progs trying to act as servers. 3 or 4 or maybe more ports or destinations, the same ones I think for both. So I have to click Deny 6-8 times. It takes quite a long time as it goes quite slowly.

Just checked: when I open Word from my computer, it happens too. And it is at least 8 times I have to click Deny, maybe ten?

Does it happen with any other program or just Word and IBM ViaVoice (Engine.exe)? Do you have the latest version of Zone Alarm installed? According to Zone Alarm's Release History (http://download.zonealarm.com/bin/free/information/znalm/zaReleaseHistory.html) the latest version is 7.0.483.000. If you don't have that, you should upgrade to see if that fixes the problem.

When the message comes up again about Word trying to act like a server, can you click the More Info button and post back here what it says. That is if you are able to click that button or get more information from the pop-up.



Will upload as per your instructions, when I know where we are with our internet limit.

Ok, no worries there. Get the reports for those two files when you can. :)

ecosarah
2008-10-31, 11:54
When you booted the laptop back up after this episode, did it happen again? Or has it been a one-time thing so far? And did any error messages pop up when the computer was booting up, and did any messages show when the Desktop was loading?

Yes, it happened again the next time. There was an error msg, but that always happens if I pull the plug, e.g. when it crashes. No msg when the desktop was loading that I remember. And it's closing down OK now. Also Ad-Aware is updating again.

Since you don't appear to be infected, you probably don't have any infected restore points. I would still remove old ones every once in awhile as they do take up space on the computer.

Could the restore points be what's eating up my space? Bearing in mind that the last 2 gigs was from ESET and so not included in the problem? I will delete the restore points.

Does it happen with any other program or just Word and IBM ViaVoice (Engine.exe)?

I haven't opened many other progs, so so far only those two. In fact I don't open ViaVoice, so it must be opening on its own.

Do you have the latest version of Zone Alarm installed?

Yes.

If you don't have that, you should upgrade to see if that fixes the problem.

I'm confused, I thought the problem was Word acting as a server, not ZA??

When the message comes up again about Word trying to act like a server, can you click the More Info button and post back here what it says.

Microsoft Word for Windows wants to accept connections from the Internet or your local network
ZoneAlarm is asking you whether to allow this program to act as a server--that is, to accept connection requests from other computers. No breach in your security has occurred. Your computer is safe.

Inside the program alert


Alert property: Alert property value (Technical explanation)
Program Name: Microsoft Word for Windows (A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.)
Filename: WINWORD.EXE (The filename of the program that ZoneAlarm found on your computer.)
Program Version: 9.0.2717 (The version of Microsoft Word for Windows running on your computer.)
Program Size: 8798260 (The size of the program executable file in bytes.)
Program MD5: b6720721182610d39a6a9b9306a8cba4 (The MD5 hash, or number, that uniquely identifies the executable.)
Smart Checksum: 33cf3fa3c69fc3edd72c59599c810db2 (The SKIMP hash, or number, that uniquely identifies the executable.)
Date Modified: Mar-18-1999 05:38:10 AM (The date when WINWORD.EXE was most recently modified.)
Connect Type: Server (This value can be either Access, which is an Internet connection attempt by Microsoft Word for Windows, or Server, which indicates that Microsoft Word for Windows is waiting for connections coming in from the Internet.)
Local Port: 1978 (The port Microsoft Word for Windows is using to receive packets on the local computer.)
Remote IP Address: 0.0.0.0 (The IP address of the remote computer that caused the alert.)
Alert Date: Oct-31-2008 03:25:08 AM PDT (The time when ZoneAlarm detected the alert on your computer.)



ZoneAlarm security enforcement at time of alert


Alert property: Alert property value (Technical explanation)
Program Status: Repeat Program (Microsoft Word for Windows has requested Internet or local network access before and is currently requesting access again.)
Zone: Internet Zone (This ZoneAlarm zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.)


That doesn't help you, I don't think! Here is the link:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc00729f&tab=techinfo

and the link for the first engine.exe:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/1d74c03011d5118ab7c0070e8&tab=techinfo

2nd Word:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc007259&tab=techinfo

2nd engine:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc007247&tab=overview

3rd engine:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc00723a&tab=overview

3rd Word:
Bit confused, that was Word... it's now another engine.exe:
4th engine:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc007231&tab=overview

5th engine:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/214f6b011d5153b8dc00721c&tab=overview

6th engine:
http://pralerts.zonelabs.com/pranalyze.jsp?record=ZLN05718144462717-1025/1d74c03011d5118ab7c00708a&tab=techinfo

Still waiting for Word to open... Ah, just realised that I have to press New, but I don't usually need to because I've set it up to just open a new doc straight away.

Does it happen with any other program or just Word and IBM ViaVoice (Engine.exe)?

Windows Media tries to access the trusted zone, but I assume that is to link up with online stores and fill in details of CDs if I'm ripping any? I can't think of any other prog to try.

km2357
2008-10-31, 19:26
Could the restore points be what's eating up my space? Bearing in mind that the last 2 gigs was from ESET and so not included in the problem? I will delete the restore points.

Depending on how many restore points you have and how big you make them (the max size is 12% of total HD space) they can definitely eat up some space.

To remove the old restore points and set a new one, do the following:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Make sure the C:\ drive is selected and click OK. If your computer's Hard Drive is not located on C:, change it to the correct drive letter then click OK.
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.



I'm confused, I thought the problem was Word acting as a server, not ZA??

I just wanted to make sure you had the latest version and were fully updated with ZoneAlarm. :)


Those links you got from ZoneAlarm did help. :)

I noticed the following words in each link: No breach in your security has occurred. Your computer is safe. And looking over the ZA links for Winword.exe and engine.exe, you have the legit versions of both. When the allow/deny message pops up for those two programs, you can go ahead and click Allow to allow it.
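
The check behind the reply above, as an added example (not code from the thread and not ZoneAlarm's own): parse the alert text the way it was pasted earlier in this thread, read off whether Word was listening (Connect Type Server with remote 0.0.0.0) or connecting out, and compare the alert's MD5 and file size with the binary actually on disk, because a multi-engine scan verdict only covers the bytes that were uploaded. The WORD_ALERT rows are copied from the alert posted above; the OUTBOUND_ALERT sample and the WINWORD.EXE install path are constructed assumptions.

```python
"""Parse a ZoneAlarm program alert and check it against the binary on disk.

Added example, not ZoneAlarm's code and not part of the thread. The WORD_ALERT
rows are copied from the alert pasted in the thread; OUTBOUND_ALERT and the
path in main are constructed assumptions.
"""
import hashlib
import os
import re
from typing import Dict

# Rows of the "Inside the program alert" table, one per line, the way the
# ZoneAlarm techinfo page flattens them: "<property> <value> <explanation>".
WORD_ALERT = """
Filename WINWORD.EXE The filename of the program that ZoneAlarm found on your computer.
Program Size 8798260 The size of the program executable file in bytes.
Program MD5 b6720721182610d39a6a9b9306a8cba4 The MD5 hash, or number, that uniquely identifies the executable.
Connect Type Server This value can be either Access, which is an Internet connection attempt by Microsoft Word for Windows or Server, which indicates that Microsoft Word for Windows is waiting for connections coming in from the Internet.
Local Port 1978 The port Microsoft Word for Windows is using to receive packets on the local computer.
Remote IP Address 0.0.0.0 The IP address of the remote computer that caused the alert.
"""

# Constructed sample (not from the thread) of an outbound "Access" alert.
OUTBOUND_ALERT = """
Filename example.exe The filename of the program that ZoneAlarm found on your computer.
Program Size 1024 The size of the program executable file in bytes.
Program MD5 5ae8d009317f5be3ee742eff24b32036 The MD5 hash, or number, that uniquely identifies the executable.
Connect Type Access This value can be either Access or Server.
Local Port 1045 The port example.exe is using to receive packets on the local computer.
Remote IP Address 192.0.2.10 The IP address of the remote computer that caused the alert.
"""

# Anchor on the fixed property name and capture a value of the expected shape,
# so ZoneAlarm's free-text explanation after the value is never swallowed.
PATTERNS = {
    "filename": r"^Filename\s+(\S+)",
    "size": r"^Program Size\s+(\d+)",
    "md5": r"^Program MD5\s+([0-9a-fA-F]{32})\b",
    "connect_type": r"^Connect Type\s+(Server|Access)\b",
    "local_port": r"^Local Port\s+(\d+)",
    "remote_ip": r"^Remote IP Address\s+(\d{1,3}(?:\.\d{1,3}){3})",
}


def parse_alert(text: str) -> Dict[str, str]:
    """Extract the machine-checkable fields from a pasted alert."""
    fields = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            fields[key] = match.group(1)
    return fields


def classify(alert: Dict[str, str]) -> str:
    """Name the socket operation the alert describes.

    A listen() shows up as Connect Type "Server" with remote 0.0.0.0 because
    no peer has connected yet; "Server" with a real remote address is an
    accepted inbound connection; "Access" is an outbound connect().
    """
    if alert.get("connect_type") == "Server":
        return "listen" if alert.get("remote_ip") == "0.0.0.0" else "inbound"
    if alert.get("connect_type") == "Access":
        return "outbound"
    return "unknown"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """Hash in 1 MB chunks so an 8 MB WINWORD.EXE is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_hash_and_size(alert: Dict[str, str], actual_md5: str, actual_size: int) -> Dict[str, bool]:
    """Compare the alert's MD5 and size with what is actually on disk.

    If the running binary no longer matches the hash in the alert, a scan
    verdict obtained for that hash says nothing about it.
    """
    results = {}
    if "md5" in alert:
        results["md5_matches"] = actual_md5.lower() == alert["md5"].lower()
    if "size" in alert:
        results["size_matches"] = actual_size == int(alert["size"])
    return results


def check_against_disk(alert: Dict[str, str], path: str) -> Dict[str, bool]:
    return check_hash_and_size(alert, md5_of_file(path), os.path.getsize(path))


if __name__ == "__main__":
    for sample in (WORD_ALERT, OUTBOUND_ALERT):
        alert = parse_alert(sample)
        print(alert["filename"], classify(alert), "local port", alert["local_port"],
              "remote", alert["remote_ip"])
    # Assumed install path; the disk check is skipped when the file is absent.
    winword = r"C:\Program Files\Microsoft Office\Office\WINWORD.EXE"
    if os.path.exists(winword):
        print(check_against_disk(parse_alert(WORD_ALERT), winword))
```

Run it on the machine that raised the alert and compare the printed result with the hash a scanning service reported: a "listen" on a local port with both md5_matches and size_matches true is the situation described in this thread, while a mismatch means the scanned bytes were not the ones on disk and the verdict should not be relied on.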

ecosarah
2008-11-01, 20:32
Found the laptop not hibernated again. Tried to hibernate again, via several different methods. Then tried to shut down. It got as far as saving my settings but took several mins to get there, then the screen went blank and just the mouse arrow was there. No buttons did anything and I had to pull the plug again.

I don't think it can be hardware as I tried several different methods. Also screen shutdown didn't work and nor did standby. These are the same symptoms as before. I'll let you know if it happens again.

ecosarah
2008-11-01, 20:46
File: WINWORD.EXE
Status: OK
MD5: b6720721182610d39a6a9b9306a8cba4
Packers detected: -
Scanner results (scan taken on 01 Nov 2008 19:39:58 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

ecosarah
2008-11-01, 20:50
Just waiting for engine.exe.

Can you explain to me why Word needs to act like a server? It seems really annoying because it just takes longer to open and all I'm doing is typing something into it as a WP.

I'm very glad my computer is so free of malware, though that still seems strange! And I will follow those links you gave me to the forums to try to work out what is eating the space and making everything so slow.

As you predicted, all OK:
File: engine.exe
Status: OK
MD5: 5ae8d009317f5be3ee742eff24b32036
Packers detected: -
Scanner results (scan taken on 01 Nov 2008 19:46:11 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

ecosarah
2008-11-01, 21:14
I've got an icon on my desktop, AdbeRdr811_en_US(2), that leads to the Adobe Reader setup. But when I look in Add/Remove Programs, to remove it so I can re-install it, it's not there. Do I just delete it off my desktop or look for it in Program Files and delete it?

There are 2 other Adobe icons:
AdbeRdr811_en_US
AdbeRdr811_en_US.exe.part

Can you advise?

Thanks

km2357
2008-11-01, 21:16
Edit:

Just delete AdbeRdr811_en_US, AdbeRdr811_en_US.exe.part and AdbeRdr811_en_US(2) from your Desktop. Then just redownload the setup file to reinstall Adobe.


Found the laptop not hibernated again. Tried to hibernate again, via several different methods. Then tried to shut down. It got as far as saving my settings but took several mins to get there, then the screen went blank and just the mouse arrow was there. No buttons did anything and I had to pull the plug again.

I don't think it can be hardware as I tried several different methods. Also screen shutdown didn't work and nor did standby. These are the same symptoms as before. I'll let you know if it happens again.

What brand of laptop do you have? I'll do some more research once I know to see if there is anything, otherwise it'd be best to bring this up in the general troubleshooting forums.

As for Word acting like a server, it could be checking in to see if there are any updates, or a part of it may need to connect to the Internet to work/function. As the scans showed, both files came back OK, so nothing malicious/nothing to worry about there. :)

ecosarah
2008-11-01, 22:33
IBM ThinkPad (T45 I think). Thanks.

Thanks for all your help and patience.

If we have finished with hunting for malware, there are some things I need to do before I say goodbye. E.g. Teatimer was disabled, do I leave it?

And I have a lot of setup exe type icons on my desktop, what do I do with them? E.g. Mbam-setup and several more.

And I need to know which of all the progs I've downloaded with you to keep or uninstall. If you say keep, I assume they are OK for me to use without your instructions.

Will delete all the Adobe icons mentioned.

Thx v much

km2357
2008-11-02, 21:35
Sorry for the delay.


IBM ThinkPad (T45 I think). Thanks.

I found a link that may help with your hibernating problems:

Your IBM ThinkPad portable computer may not hibernate as expected in Windows XP (http://support.microsoft.com/kb/328345).

It says in the link to upgrade to the latest SP release, which you have already done. It also says there is a specific hotfix for it, and for further information on it you should contact Microsoft Product Support Services (http://support.microsoft.com/contactus/?ws=support) for more info.


If we have finished with hunting for malware, there are some things I need to do before I say goodbye. E.g. Teatimer was disabled, do I leave it?

You can re-enable Teatimer now. :)


And I have a lot of setup exe type icons on my desktop, what do I do with them? E.g. Mbam-setup and several more.

You can delete Mbam-Setup.exe and I'll tell you how to remove some of the other tools that were used in this thread shortly.


And I need to know which of all the progs I've downloaded with you to keep or uninstall. If you say keep, I assume they are OK for me to use without your instructions.

As mentioned above, I'll let you know which ones to delete. :) I would keep ATF Cleaner and MalwareBytes' Anti-Malware. Use ATF Cleaner every few weeks to keep your computer free of junk. And use MalwareBytes' every few weeks or so to scan your computer for malware, just be sure to update it before doing a scan.

To remove ComboFix, do the following:

Go to Start > Run - type in ComboFix /u & click OK


Please open OTMoveIt3.

Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
Answer Yes to the prompt.
The program will ask for a reboot. Answer Yes.

Empty your Recycle Bin.


Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:


Make your Internet Explorer more secure This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use an alternative instant messenger program. Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/) are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either FireFox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Please reply one last time so that I know you have read my post and this thread can be closed.

ecosarah
2008-11-02, 21:56
I found a link that may help with your hibernating problems:

Thanks for that. I think we are still misunderstanding each other: it wouldn't shut down either, or go to standby, or even turn off the monitor!

You can re-enable Teatimer now.

Please give me instructions on how.

I'll tell you how to remove some of the other tools that used in this thread shortly...As mentioned above, I'll let you know which ones to delete....Please reply one last time so that I know you have read my post and this thread can be closed.

Am confused because you haven't told me which ones (just given instructions for uninstalling ComboFix and OTMoveIt) but not mentioned some of the others. Please could you instruct me about the rest. Thx

Make your Internet Explorer more secure

I use Firefox, please instruct me for that?

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings

Will this work with Firefox too? Is there anything I need to do differently?

Also, how do I update Firefox? An update notice popped up from near my clock (bottom right) offering an update but went again before I could click on it.

You say to update Windows by going to the site regularly: I've got it set to automatic update, is that good enough?

Thanks again!

km2357
2008-11-03, 06:08
Thanks for that. I think we are still misunderstanding each other: it wouldn't shut down either, or go to standby, or even turn off the monitor!

Sounds like the whole hard drive is freezing/locking up, not sure though. Best to mention this as well as the hibernating problems whenever you post to one of the general troubleshooting forums.


You can re-enable Teatimer now.

Please give me instructions on how.

To re-enable Teatimer, do the following:

Open Spybot - Search and Destroy
Click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Put a check in the Teatimer box (click the box to make the check appear).
Click Allow Change box.



am confused because you havent' told me which ones (just given instructions for uninstalling combofix and OTmoveit.) but not meantioned some of the others. Please could you instruct me about the rest. thx

OTMoveIT3 and ComboFix are the tools that I wanted you to remove, sorry if I wasn't being clear. The only tools I had you download were ATF Cleaner, MalwareBytes' Anti-Malware, ComboFix, and OTMoveIT3. I said to keep ATF and MBAM and gave you instructions on how to remove ComboFix and OTMoveIt. Were there other tools you were referring to?


To make FireFox more secure, read through and follow the suggestions in the following website:

Configure Firefox's settings to strengthen security (http://news.zdnet.co.uk/security/0,1000000189,39203958,00.htm)



SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings

Will this work with Firefox too? Is there anything I need to do differently?

Yes, SpywareBlaster will work with Firefox too. It has its own Firefox section. Here's a tutorial on how to setup and use SpywareBlaster:

http://www.bleepingcomputer.com/tutorials/tutorial49.html



Also, how do I update Firefox? An update notice popped up from near my clock (bottom right) offering an update but went again before I could click on it.

To update Firefox, do the following:

Open up Firefox. Once loaded, click Help, then Check for Updates.


You say to update Windows by going to the site regularly: I've got it set to automatic update, is that good enough?

That's good. It's always good to get in the habit of checking for updates manually every once in a while. Microsoft sends out updates the 2nd Tuesday of every month, so you know when to check for updates. :)

km2357
2008-11-08, 08:03
Hi ecosarah.


e.g. I couldn't find the Teatimer where he told me to go

Let's do it this way then.

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
Then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, check the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.



e.g. ComboFix didn't uninstall

Did you do the following:

Go to Start > Run - type in ComboFix /u & click OK

Note that there is a space between the x and the / and there is no space between the / and the u.

If you did enter ComboFix /u (with the proper spacing) and clicked OK, what happened? Did any progress bars appear on the screen?


e.g. I have other software that I need instructions for

What other software do you need instructions for?

ecosarah
2008-11-08, 12:26
Thx, have reset Teatimer. Was I then meant to click off Advanced Mode? Your instructions just said to exit? SB then asked about 10 progs that were changing: I accepted all of them, I hope that was right. I didn't understand them, a couple had Google, MS in the path.

Tried to uninstall ComboFix again, the progress meter went all the way this time, but the ComboFix icon is still on the desktop after restarting the system. What do I do please?

The other icons/programs that I don't know what to do with, that we put onto my desktop:

Findfile winzip
wpsetup (maybe that was from the slow computer forum?)
hjtInstall
hijackthis
Findfile (with envelopes)

Haven't removed OTMoveIt because when I click on the icon it gives the option to run. I don't know where the icon to open it is? I didn't remove it because I didn't think I would want to run it. Please advise about all of the above.

Big thanks, Sarah

km2357
2008-11-08, 21:36
You did fine with Teatimer. :) You can keep it in Advanced Mode if you wish.


Tried to uninstall ComboFix again, the progress meter went all the way this time, but the ComboFix icon is still on the desktop after restarting the system. What do I do please?

Let's remove it manually.

Delete ComboFix.exe from off your Desktop.

Using Windows Explorer, delete the following folders, if found:

C:\ComboFix\
C:\QooBox\



The other icons/programs that I don't know what to do with, that we put onto my desktop:

Findfile winzip
wpsetup (maybe that was from the slow computer forum?)
hjtInstall
hijackthis
Findfile (with envelopes)

You can delete the Findfile winzip icon, the Findfile (with envelopes) icon, the hjtInstall icon and the wpsetup icon off your Desktop.

To remove HiJackThis, do the following:

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

HijackThis 2.0.2


Haven't removed OTMoveIt because when I click on the icon it gives the option to run. I don't know where the icon to open it is? I didn't remove it because I didn't think I would want to run it. Please advise about all of the above.

You'll need to run OTMoveIT in order to remove it. Double-click on the icon to run/open the program and do the following:

Click on the CleanUp! button. If your Firewall gives a warning about OTMoveIt wanting to download a file, allow it.
Answer Yes to the prompt.
The program will ask for a reboot. Answer Yes.

Finally, empty your Recycle Bin.

ecosarah
2008-11-11, 17:18
Thanks, I will post back when I have followed all those to let you know if I am successful or have any further queries.

Just to confirm, the instructions for making IE safer: can they be transferred straight to Firefox? It's a little tricky as they are set out a bit differently.

Thanks again

ecosarah
2008-11-11, 19:40
Have followed your instructions.

Couldn't find any ComboFix progs but then didn't understand where you meant me to look "using Windows Explorer". Saw that CleanUp! listed some. Do you want me to look again for them and if so where/how?

I didn't do things in the order you put them and wonder if I should have so that CleanUp! was the last? Did HijackThis last... is that OK?

Have emptied the recycle bin.

Thanks

km2357
2008-11-11, 20:14
Just to confirm, the instructions for making IE safer: can they be transferred straight to Firefox? It's a little tricky as they are set out a bit differently.

No, as they are different browsers you can't use the instructions for making IE safer on Firefox.

The following website has good tips on how to configure Firefox:

http://news.zdnet.co.uk/security/0,1000000189,39203958,00.htm



Couldn't find any ComboFix progs but then didn't understand where you meant me to look "using Windows Explorer". Saw that CleanUp! listed some. Do you want me to look again for them and if so where/how?

To go into Windows Explorer, do the following: Right-click on the Start button and choose Explore. That will open up Windows Explorer. In the left-hand window, click on the + next to C:\ so that it expands down. Look for the ComboFix and Qoobox folders under C:\ and if they are there delete them.


I didn't do things in the order you put them and wonder if I should have so that CleanUp! was the last? Did HijackThis last... is that OK?

That's fine.

ecosarah
2008-11-11, 21:01
Just went into Explore and expanded C:\ but there are loads of folders. Do I need to expand all those folders to look for the ComboFix stuff???!!!

Thank you very much, I really appreciate all your help and patience!

km2357
2008-11-11, 23:51
No, you don't need to expand any more folders. The two folders you want to look for are ComboFix and Qoobox. Just look through the folders under C:\. If you don't see them there, that means they've been deleted already. :)

ecosarah
2008-11-15, 00:28
No mention of those 2 folders. Must be gone!

Big thank you to you for being so great and talking me through it all so well, step by step. Have started a long process of trying to work out what else is going on!!

Take care, and have fun. Carry on the good work if you have time!!

Sarah

km2357
2008-11-15, 19:46
You're welcome. I'm glad I was able to help out. :)

Good luck. :)