New antivirus cannot remove Trojan

CortezTheKiller
2006-06-24, 03:23
Hello. I'm not particularly computer literate; I'll try to keep this as relevant and as short as possible (though there's lots I think may help you).

I am using XP Home (SP2). My laptop warned me my McAfee Antivirus was out of date a while ago. I got F-Secure AV 2006 two days ago to replace it (free download via my online bank). On restart immediately after the installation - and on every start-up since - a small dialogue box appears (before even my desktop image and icons appear) with the text:


------------------------------------------------------------------------------
F-Secure Anti-virus

Malicious code found in file C:\WINDOWS\HELP\SBSI\LOGCMD.DLL.
Infection: Trojan-Spy.Win32.Agent.jr
Action: The file was renamed.

OK
------------------------------------------------------------------------------


Clicking 'OK' brings another identical box up straight away. I have to 'OK' from 4 to 12+ times before they stop appearing. But when they do stop, a wider dialogue box then appears straight away:


------------------------------------------------------------------------------
F-Secure

(the same three lines of text as the smaller box detailed above)

Messages waiting: 12

Next / OK All
------------------------------------------------------------------------------


I select 'OK All' as I've found that all the messages say the same thing, no matter how many of them there are. Immediately after these stop I then get a pop-up box from the F-Secure AV software with the following message:


------------------------------------------------------------------------------

Virus Detected

What happened?
Virus & Spy Protection has detected Trojan-Spy.Win32.Agent.jr virus in your computer.

What should I do?
[x] Delete (recommended)
[ ] Disinfect
[ ] Do nothing

OK

Name: Trojan-Spy.Win32.Agent.jr
Type: Trojan

File: LOGCMD.DLL
Path: C:\WINDOWS\HELP\SBSI
------------------------------------------------------------------------------


If I choose 'delete', once the Anti-virus has done its work and rebooted my laptop the whole alert starts all over again as already described! Same for 'disinfect': they both fail to stop it. Sometimes when trying to delete/disinfect it, a box pops up saying the file could not be opened. Most annoyingly, if I choose 'do nothing' the exact same box pops up a split second later. It never, ever goes away! I've had these boxes constantly for two days now and have tried deleting or disinfecting the virus over 20 times.

Also my fan, usually a rare intrusion, has been on full blast for two days and my laptop is burning super-hot and much slower than normal (calling up 'My Computer' took 30 seconds earlier today). This is even when I'm ignoring the AV problems and the laptop is idle.

Digressing a little, the first thing I tried was to delete the LOGCMD.DLL file manually (probably the wrong thing to do, but sorry - I panicked). My computer said I could not delete the file as it was being used by another person or program (but I only have one login account and no programs were running). I tried deleting it in 'safe mode', from both the Admin and normal user accounts: the same message stopped the deletion.

An online Trend Micro scan did not cure it. Same for an eTrust Antivirus scan. Spybot has not cured the problem. Nor has the RegCure software I just downloaded which promised it would cure all .DLL problems.....

So, here is my HijackThis report. If anyone can help me I would be eternally grateful.


------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:11:07, on 24/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 127.0.01 virtumonde.com
O1 - Hosts: 27.0.0.1 www.visitfind.net#end of lines added by WinHelp2002.0.0.1 clit16.sextracker.com127.0.0.1 elite.sextracker.com127.0.0.1 graphics1.sextracker.com127.0.0.1 graphics2.sextracker.com127.0.0.1 hosting.sextracker.com127.0.0.1 links.sextracker.com127.0.0.1 mau.sextracker.com127.0.0.1 moneytree.sextracker.com127.0.0.1 ranks.sextracker.com127.0.0.1 stat1.sextracker.com127.0.0.1 start.sextracker.com127.0.0.1 stx.sextracker.com127.0.0.1 stx1.sextracker.com127.0.0.1 stx2.sextracker.com127.0.0.1 stx3.sextracker.com127.0.0.1 stx4.sextracker.com127.0.0.1 stx5.sextracker.com127.0.0.1 stx6.sextracker.com127.0.0.1 stx7.sextracker.com127.0.0.1 stx8.sextracker.com127.0.0.1 stx9.sextracker.com127.0.0.1 stx10.sextracker.com127.0.0.1 stx11.sextracker.com127.0.0.1 stx12.sextracker.com127.0.0.1 stx13.sextracker.com127.0.0.1 stx14.sextracker.com127.0.0.1 stx15.sextracker.com127.0.0.1 stxbans.sextracker.com127.0.0.1 webmasters.sextracker.com127.0.0.1 stx.banners.sextracker.com127.0.0.1 wm.banners.sextracker.com127.0
O1 - Hosts: neoffers.com #[Trojan-Downloader.Win32com127.0.0.1 www.customersupporthelp.com127.0.0.1 secure6.platinumbucks.com127.0.0.1 www.platinumbucks.com127.0.0.1 www.searchexpert.com127.0.0.1 www.sexfind.com127.0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]127.0.0.1 dl.searchforit.com #[SunBelt.SearchForIt.AdShooter]127.0.0.1 www.searchforit.com #[Adware.Searchforit]127.0.0.1 surfenhance.com127.0.0.1 dl.surfenhance.com #[IE-SpyAd]127.0.0.1 www.surfenhance.com# [Monteg Inc]127.0.0.1 www.thumbsearcher.net #[klikfeed.com]127.0.0.1 www.toolbar4cash.com# [Netdreams P/L]127.0.0.1 www.egoog.com #[IE-SpyAd]127.0.0.1 www.escortsindex.com127.0.0.1 free-popup-killer.com #[TrojanClicker.Win32.VB.bn]127.0.0.1 www.internetpeace.com #[eTrust.Free Popup Killer]# [PayCounter.com, Inc]127.0.0.1 paycounter.com #[Ad-Aware.Tracking Cookie]127.0.0.1 count.paycounter.com #[IE-SpyAd]127.0.0.1 images1.paycounter.com127.0.0.1 in.paycounter.com127.0.0.1 stats.paycounter.com127.0.0.1 www.paycounter.com127.0.0.1 sort.trafficju
O1 - Hosts: .0.0.1 clit16.sextracker.com
O1 - Hosts: 127.0.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\F-Secure Internet Security\FSGUI\ispnews.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Sarah Oliver"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: F-Secure 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124098858156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: logcmd - C:\WINDOWS\Help\SBSI\logcmd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: F-Secure 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

CortezTheKiller
2006-06-24, 03:54
A new development. The first box I detailed is now appearing every three seconds. If I ignore it it stays on my screen on top of all other programs. If I click 'OK' it comes back three seconds later. I've clicked 'OK' over twenty times already, now I've given up and dragged it to the side.

Should I uninstall the F-Secure Antivirus?

shelf life
2006-06-24, 04:52
hi CortezTheKiller,


Should I uninstall the F-Secure Antivirus?

Hold off on that for now. Let's try this first:

VundoFix by Atri
Please download VundoFix.exe to your desktop:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Put a check next to Run VundoFix as a task.
* You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will shutdown your computer, click OK.
* Turn your computer back on.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log

shelf life

tashi
2006-06-29, 20:09
CortezTheKiller?

CortezTheKiller
2006-06-29, 22:10
Thanks. I had to remove the F-Secure software because my computer became almost unusable, very slow, burning hot, and kept crashing. I installed "ntl Netguard" instead.

(CortezTheKiller is a Neil Young song...I couldn't think of another username that I could remember that was not already taken.)
____________________

Here is the VundoFix.txt:

VundoFix V4.2.84

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Scan started at 20:00:45 29/06/2006

Listing files found while scanning....


C:\WINDOWS\Help\SBSI\dmcgol.bak1
C:\WINDOWS\Help\SBSI\dmcgol.bak2
C:\WINDOWS\Help\SBSI\dmcgol.ini
C:\WINDOWS\Help\SBSI\dmcgol.ini2
C:\WINDOWS\Help\SBSI\logcmd.dll
C:\WINDOWS\Help\SBSI\dmcgol.ini2
C:\WINDOWS\Help\SBSI\dmcgol.bak2
C:\WINDOWS\Help\SBSI\dmcgol.ini
C:\WINDOWS\Help\SBSI\dmcgol.ini2
C:\WINDOWS\Help\SBSI\logcmd.dll
Attempting to delete C:\WINDOWS\Help\SBSI\dmcgol.bak1
C:\WINDOWS\Help\SBSI\dmcgol.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Help\SBSI\dmcgol.bak2
C:\WINDOWS\Help\SBSI\dmcgol.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Help\SBSI\dmcgol.ini
C:\WINDOWS\Help\SBSI\dmcgol.ini Has been deleted!

Attempting to delete C:\WINDOWS\Help\SBSI\dmcgol.ini2
C:\WINDOWS\Help\SBSI\dmcgol.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Help\SBSI\logcmd.dll
C:\WINDOWS\Help\SBSI\logcmd.dll Has been deleted!

Performing Repairs to the registry.
Done!



And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:16:23, on 29/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 127.0.01 virtumonde.com
O1 - Hosts: 27.0.0.1 www.visitfind.net#end of lines added by WinHelp2002.0.0.1 clit16.sextracker.com127.0.0.1 elite.sextracker.com127.0.0.1 graphics1.sextracker.com127.0.0.1 graphics2.sextracker.com127.0.0.1 hosting.sextracker.com127.0.0.1 links.sextracker.com127.0.0.1 mau.sextracker.com127.0.0.1 moneytree.sextracker.com127.0.0.1 ranks.sextracker.com127.0.0.1 stat1.sextracker.com127.0.0.1 start.sextracker.com127.0.0.1 stx.sextracker.com127.0.0.1 stx1.sextracker.com127.0.0.1 stx2.sextracker.com127.0.0.1 stx3.sextracker.com127.0.0.1 stx4.sextracker.com127.0.0.1 stx5.sextracker.com127.0.0.1 stx6.sextracker.com127.0.0.1 stx7.sextracker.com127.0.0.1 stx8.sextracker.com127.0.0.1 stx9.sextracker.com127.0.0.1 stx10.sextracker.com127.0.0.1 stx11.sextracker.com127.0.0.1 stx12.sextracker.com127.0.0.1 stx13.sextracker.com127.0.0.1 stx14.sextracker.com127.0.0.1 stx15.sextracker.com127.0.0.1 stxbans.sextracker.com127.0.0.1 webmasters.sextracker.com127.0.0.1 stx.banners.sextracker.com127.0.0.1 wm.banners.sextracker.com127.0
O1 - Hosts: neoffers.com #[Trojan-Downloader.Win32com127.0.0.1 www.customersupporthelp.com127.0.0.1 secure6.platinumbucks.com127.0.0.1 www.platinumbucks.com127.0.0.1 www.searchexpert.com127.0.0.1 www.sexfind.com127.0.0.1 searchforit.com #[eTrust.AdShooter.SearchForIt]127.0.0.1 dl.searchforit.com #[SunBelt.SearchForIt.AdShooter]127.0.0.1 www.searchforit.com #[Adware.Searchforit]127.0.0.1 surfenhance.com127.0.0.1 dl.surfenhance.com #[IE-SpyAd]127.0.0.1 www.surfenhance.com# [Monteg Inc]127.0.0.1 www.thumbsearcher.net #[klikfeed.com]127.0.0.1 www.toolbar4cash.com# [Netdreams P/L]127.0.0.1 www.egoog.com #[IE-SpyAd]127.0.0.1 www.escortsindex.com127.0.0.1 free-popup-killer.com #[TrojanClicker.Win32.VB.bn]127.0.0.1 www.internetpeace.com #[eTrust.Free Popup Killer]# [PayCounter.com, Inc]127.0.0.1 paycounter.com #[Ad-Aware.Tracking Cookie]127.0.0.1 count.paycounter.com #[IE-SpyAd]127.0.0.1 images1.paycounter.com127.0.0.1 in.paycounter.com127.0.0.1 stats.paycounter.com127.0.0.1 www.paycounter.com127.0.0.1 sort.trafficju
O1 - Hosts: .0.0.1 clit16.sextracker.com
O1 - Hosts: 127.0.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Sarah Oliver"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124098858156
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
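
VundoFix's listing names one DLL and four companion files in the same folder, and "dmcgol" is "logcmd" spelled backwards. That reversed-name .ini/.bak pattern is what the Vundo (Virtumonde) family leaves beside its DLL, so a generic way to spot such a DLL without a signature is to look for siblings whose stem is the DLL's stem reversed. The Python below is an added example, not VundoFix's code and not part of the original thread; the file list is copied from the VundoFix output above with one made-up bystander added, and the set of companion extensions is this example's assumption.

```python
import ntpath

# Constructed sample: the five dmcgol/logcmd paths are copied from the VundoFix
# output above; wintutor.dll is a made-up bystander to show that an unrelated
# DLL in the same folder is not reported.
VUNDOFIX_LISTING = [
    r"C:\WINDOWS\Help\SBSI\dmcgol.bak1",
    r"C:\WINDOWS\Help\SBSI\dmcgol.bak2",
    r"C:\WINDOWS\Help\SBSI\dmcgol.ini",
    r"C:\WINDOWS\Help\SBSI\dmcgol.ini2",
    r"C:\WINDOWS\Help\SBSI\logcmd.dll",
    r"C:\WINDOWS\Help\SBSI\wintutor.dll",
]

# Extensions the reversed-name companions were seen with (this example's assumption).
COMPANION_EXTS = {".ini", ".ini2", ".bak", ".bak1", ".bak2"}


def find_reversed_companions(paths, companion_exts=COMPANION_EXTS):
    """Map each DLL file name to sibling files whose stem is the DLL's stem reversed.

    ntpath is used deliberately so the Windows paths split correctly on any OS.
    A palindromic stem (e.g. abba.dll next to abba.ini) also matches and needs a
    human look; that is the price of a signature-free rule.
    """
    by_folder = {}
    for p in paths:
        folder, fname = ntpath.split(p)
        by_folder.setdefault(folder.lower(), []).append(fname)

    hits = {}
    for names in by_folder.values():
        parts = {n: ntpath.splitext(n) for n in names}   # name -> (stem, ext)
        for dll, (stem, ext) in parts.items():
            if ext.lower() != ".dll":
                continue
            wanted = stem.lower()[::-1]
            companions = sorted(
                n for n, (s, e) in parts.items()
                if n != dll and s.lower() == wanted and e.lower() in companion_exts
            )
            if companions:
                hits[dll] = companions
    return hits


if __name__ == "__main__":
    for dll, files in find_reversed_companions(VUNDOFIX_LISTING).items():
        print(dll, "<-", ", ".join(files))
```

On the listing above it returns logcmd.dll with its four dmcgol companions and nothing for wintutor.dll; the .ini files are worth keeping a copy of before deletion, since they hold the configuration the DLL was running with.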

shelf life
2006-06-30, 01:27
hi CortezTheKiller,


CortezTheKiller is a Neil Young song
And a good one; I think that song's off his Rust Never Sleeps album.

Is that a custom hosts file you're running?

How's it going on that end now?

Try this (free) and use it occasionally:

http://www.atribune.org/content/view/19/2

shelf life

PS:
Do a full system scan with Netguard, if you haven't already.

CortezTheKiller
2006-06-30, 19:38
"Cortez" is off the excellent Zuma. But Rust Never Sleeps is a great album nonetheless. :)

I downloaded a hosts file from somewhere when I was trying to deal with a nasty "WinFixer" problem (I forget where I found it), and when I have problems with some unwanted websites I add the URLs to the file. I've got hundreds and hundreds in there. But I don't understand why some of the 'blocked' addresses appear in the HijackThis log below....and are custom hosts files a good or bad thing?

I've already done a full Netguard scan before and it highlighted no issues. I sent the alleged Trojan virus details to ntl's security team and they have no idea what it is. What is the possibility that F-Secure is wrong? Or can it be that only F-Secure have cottoned on to this particular threat and Netguard has missed it?

shelf life
2006-07-01, 02:47
hi CortezTheKiller


I don't understand why some of the 'blocked' addresses appear in the HijackThis log below

HJT can show the hosts file content; yours was just too long.



are custom hosts files a good or bad thing
They're good, but I have never used one.
Looks like you are using this:
http://www.mvps.org/winhelp2002/hosts.htm

Here's another one:
http://www.accs-net.com/hosts/

You might want to check out the Proxomitron for blocking stuff:
http://www.proxomitron.info/
http://www.jd5000.net/
-----------------------------
It's possible that one virus scanner may flag a trojan and another won't; it's also possible that they may not be able to remove it. If your AV flags something, one thing to do to supplement it is an online scan or two at one of these:

BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-secure.com/enu/home/ols.shtml


eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
---------------------------------------------
If all is good, here's some reference material for your reading pleasure:

Be careful of what you download, and where you download it from. Many programs come bundled with extra software. You may be installing more than you think. Visit the maker's website and learn more about the program: does the program you want come bundled with other "3rd party" programs? What do the 3rd party programs do? Will they deliver ads? Track your surfing habits? If you search hard enough you can always find a "clean" alternative to any software. Stay away from warez and crack sites. Be careful what you download from file sharing networks. If you are not sure, scan it with your Antivirus app. A small file (in KB) is probably not what you think it is. DO YOU TRUST THE SOURCE? Check this database: Spyware Guide (http://www.spywareguide.com/) or this one: Library (http://research.sunbelt-software.com/Browse_Library.cfm)

Make sure you keep your Windows OS current by visiting Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp)
occasionally to download and install any critical updates and service packs.

Adjust your browser settings: Change your (ActiveX) settings in IE. With IE open go to Tools, Internet Options, Security tab. Click on the Internet globe, then Custom Level. Set the first option "Download signed ActiveX controls" to Prompt, the next two to Disable. Read more:
Working with Internet Explorer 6 Security (http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx)
Many exploits are directed at Internet Explorer; you don't have to use it. Try a different browser. You can have and use more than one browser on your computer.
Like Firefox (http://www.mozilla.org/products/firefox/),


Install a Firewall: A firewall will help to control what comes in from the internet and what leaves your computer to the internet. A firewall will also alert you when an application tries to connect to the internet from your computer; this is a good way to catch crapware or trojans trying to connect outbound from your computer: what's that and why does it need an internet connection? You can deny it access until more investigation is done. Zone Alarm is a free and easy to use firewall that will provide inbound and outbound protection.
Zone Alarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=dbtopnav_zass)
OutPost Lite (http://www.agnitum.com/products/outpostfree/download.php)
Jetico Personal Firewall (http://www.jetico.com/index.htm#/jpfirewall.htm)

Outlook Express with the default settings is not secure. It will run scripts, download images etc., just like a browser. You don't have to use it. Windows SP1/SP2 updates have made some improvements to Outlook. Another reason to stay updated.
look here (http://www.codecutters.org/outlook/)
and here (http://www.tames.net/security/oesettings.htm)
Or try Pegasus Mail, safer by default, no tweaking needed. (http://www.pmail.com/)

Make sure you have and keep updated Antivirus software
Free for home users:
avast! 4 Home Edition Download (http://www.avast.com/eng/free_virus_protectio.html)
AVG free version 7.0 (http://free.grisoft.com/freeweb.php/doc/2/)
AntiVir Personal Edition (http://www.free-av.com/)
Clam Win (http://www.Clamwin.com/component/option,com_frontpage/Itemid,1/)

Download one or two of these, install and update before using: (if these are constantly finding malware, then you need to make changes to your browser and/or your habits)
CounterSpy (http://www.sunbelt-software.com/)Free trial version
Spybot Search and destroy (http://www.safer-networking.org/en/index.html)
Ad-Aware SE Personal edition (http://www.lavasoft.de/)
Microsoft Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx)
Be careful with spyware "removers and scanners" -- there are many "rogue/suspect" (http://www.spywarewarrior.com/rogue_anti-spyware.htm) programs that "claim to remove" spyware. Check here first.

Dont be tempted to click on popup ads offering free scans or free downloads for malware removers. Read the above line again.

AntiTrojan software to fill in the gap:
a2 free (http://www.emsisoft.com/en/software/free/)
Ewido Anti-Malware (http://www.ewido.net/en/)
Trojan Hunter (30 day trial version) (http://www.misec.net/)
Tauscan trial version (http://www.agnitum.com/products/tauscan/)

Other programs to consider:
Process Guard (http://www.diamondcs.com.au/processguard/) stop events/processes with user intervention
SpywareBlaster (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49) add security to IE
IE-SPYAD (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD) adds adware peddlers sites/domains to IE restricted zone
CleanUp (http://www.stevengould.org/software/CleanUp/index.html) cleans out temp files,history, autoforms etc
ATF cleaner (W2K,XP only) (http://www.atribune.org/content/view/25/2/) cleans out temp files, history etc

Learn More:
Browser Checkup (http://www.jasons-toolbox.com/BrowserSecurity/)
Parasite Free (http://www.doxdesk.com/parasite/prevention.html)
Safe Hex (http://www.claymania.com/safe-hex.html)
Shelf Lifes page (http://security-central.us/SafeHex/index.htm)
Home Computer Security (http://www.cert.org/homeusers/HomeComputerSecurity/)
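
The O1 lines in both logs show that the custom hosts file is damaged as well as long: one address is malformed (127.0.01), one has lost its first digit (27.0.0.1, a routable address rather than loopback), and whole entries are run together on one line after a '#', where the parser treats them as comment and never applies them. As an added example, not part of the original thread and not code from any tool named in it, the Python below lints a hosts file for those failure modes and for the opposite problem, an entry that redirects a hostname somewhere other than loopback or a sinkhole address, which is what a hijacked hosts file looks like. The sample text is constructed: two lines are modelled on the O1 entries above, the rest are made up.

```python
import ipaddress
import re

# Constructed sample. Lines 2 and 3 are modelled on the O1 entries in the
# HijackThis logs above (a malformed address, and several entries run together
# on one line behind a '#'); lines 4 and 5 are made up: a normal blocklist entry
# and a redirect that no blocklist would contain.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.01 virtumonde.com
27.0.0.1 www.visitfind.net#end of lines added by WinHelp2002.0.0.1 paycounter.com127.0.0.1 www.paycounter.com
127.0.0.1 www.searchforit.com #[Adware.Searchforit]
10.0.0.5 www.update.microsoft.com
"""

# A letter followed directly by a dotted quad means two entries were glued
# together by a lost line break, e.g. "paycounter.com127.0.0.1".
FUSED_RE = re.compile(r"[A-Za-z]\d{1,3}(?:\.\d{1,3}){3}\b")
# Hostname shape: labels of letters, digits and hyphens, no leading/trailing hyphen.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Non-loopback addresses a blocklist legitimately maps names to.
SINKHOLES = {ipaddress.ip_address("0.0.0.0")}


def lint_hosts(text):
    """Return (line number, code, detail) findings for the text of a hosts file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if FUSED_RE.search(raw):
            findings.append((lineno, "fused", "entries run together; everything after '#' is ignored"))
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # Not a canonical dotted quad (or IPv6 literal); fix it rather than
            # trust whatever the resolver makes of it.
            findings.append((lineno, "bad-address", fields[0]))
            continue
        hosts = fields[1:]
        if not hosts:
            findings.append((lineno, "no-hostname", entry))
            continue
        for host in hosts:
            if not HOST_RE.match(host):
                findings.append((lineno, "bad-hostname", host))
        if not addr.is_loopback and addr not in SINKHOLES:
            # A name pointed at a real address is a hijack unless you put it there.
            findings.append((lineno, "non-loopback", f"{addr} -> {' '.join(hosts)}"))
    return findings


if __name__ == "__main__":
    for lineno, code, detail in lint_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {code}: {detail}")
```

On the sample it flags line 2 (bad address), line 3 twice (fused entries, and a redirect of www.visitfind.net to 27.0.0.1) and line 5 (an update server pointed at a private address); the clean blocklist entry and localhost produce nothing. The fix for a fused file is to re-download the list and let the editor write proper CRLF line endings, rather than patch entries one at a time.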

tashi
2006-07-04, 22:19
As the problem appears to be resolved this topic will be archived. :bigthumb:

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

Glad we could help, safe surfing. :)