PDA

View Full Version : Diskcleaner popups



Rustynever
2006-08-25, 16:19
Hi Guys

I have started receiving popups when Internet Explorer opens. It starts with a full screen porn page (no good with the kids) and then does various messages that I need to download diskcleaner to clean up the mess.

I did an online scan with Trend Micro and it found some cookies and removed them and commented that NET 1.1 needed a security patch which I have done.

I went into safemode and ran spybot and it reported no problems.

Here is the odd part: Earlier today I saw a running process called nslphw that was from a file called c:\windows\system32\nslphw.exe. I could not find this file despite having hidden and system files supposedly visible. I opened a dos window and dir /ah or dir /ahs or dir did not show the file. The file was created on 16/08 at 17:12 but now I can't find anything at all about the file. I remember reading about the latest malware installing root kits etc to hide files so this could be the case? I don't know enough about this to comment properly.

Here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 22:45:48, on 25/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\u-storage tool2.9\ustorage.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Misc\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O6 "USB002" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152329255155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152332304000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Assistance please.

Cheers

Russell

Rustynever
2006-08-25, 17:00
Well

It just did the same sort of pop up thing so it is still around. This time it suggested that I run WinAntiSpyware 2006.

pskelley
2006-08-25, 21:03
Hi Russell and welcome to the forum. That last addon makes it sound like a Vundo trojan. It is not a rootkit, but they have figured out how to hide it from HJT. Let's see if we can unhide it. Return here:
D:\Misc\HJT\HijackThis.exe <<< it is very important this is on a drive, if it is not move it to C:\ then I want you to rename it to say analyze.exe Then scan for and post a new HJT log and we will see if it shows up, then we can fight it. I do suggest you stay offline as much as possible until you are clean.

Thanks...Phil

Rustynever
2006-08-26, 10:07
Hi Phil

Thanks for your time. I renamed as you suggested and ran hjt again. My D: drive is a partition on my main disk so yes it is permanent. If there is any advantage I have a second physical disk that is going to be used for backups but has plenty of space. I won't shift it unless you say. New log is:

Logfile of HijackThis v1.99.1
Scan saved at 17:02:24, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\u-storage tool2.9\ustorage.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Misc\HJT\analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O6 "USB002" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152329255155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152332304000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheers

Russell

Rustynever
2006-08-26, 10:14
Hi Phil

I see the lines don't appear to have changed so it is still hiding.

I tried renaming the hjt file again to 123.exe and it didn't make a difference to the result either.

pskelley
2006-08-26, 13:36
G'Day mate, this one may be tricky. Make sure you write down any information about the popups. The renaming of HJT did not display anything, but the WinAntiSpyware popups are a symptom of Vundo. We will run the tool anyway, all it can do is tell us the infection is not present. This HJT log is displaying absolutely no evidence of malware. Let's try this.

Look in Start > Control Panel > Add Remove programs for Winfixer or anything like it, also any programs you know should not be there and uninstall them. If you are unsure about any, let me know and I will look.

1) Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

2) Save those logs until we finish, I would like to run a good scan to look for anything that may be hidden from us.

ewido scan: Delete anything ewido locates unless you are sure it is not bad.
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.


Restart the computer and post the ewido scan results, C:\vundofix.txt, a new HiJackThis log, and any comments you think will help.

Cheers...Phil

Rustynever
2006-08-27, 02:45
I posted the reply last night and it has not appeared. I am sure I submitted it though. (When I reposted it just now I see it is too long - oops! - I will split it.) Here are the results: Still very well hidden it appears. No signs that I can see and no pop ups today (although I use firefox and haven't opened IE much at all)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:21:13 26/08/2006

+ Scan result:



:mozilla.20:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.23:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@bellglobemediapublishing.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@thomsoneducationdirect.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@marthastewart.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
D:\RECYCLER\S-1-5-21-1606980848-616249376-682003330-1003\Dd6.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.121:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.122:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.123:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
D:\RECYCLER\S-1-5-21-1606980848-616249376-682003330-1003\Dd2.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.143:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.145:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.146:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.147:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.148:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.149:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.150:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.151:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.152:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.153:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.154:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.155:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.156:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.157:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.158:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.159:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.160:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.161:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@e-2dj6wfloondjico.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@e-2dj6wflyupczgep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@e-2dj6wgl4wlcpebp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@e-2dj6wjlyamczshq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@e-2dj6wjmigkdjoap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@e-2dj6wjlyuic5cep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4epcjicpgidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.95:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.97:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@ehg-legonewyorkinc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@ehg-segaofamerica.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.203:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Louie\Cookies\louie@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
:mozilla.162:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
:mozilla.218:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.103:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.104:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.230:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.244:C:\Documents and Settings\Rusty\Application Data\Mozilla\Firefox\Profiles\3pq22e6w.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Rusty\Cookies\rusty@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
D:\Documents and Settings\Louie-old\Cookies\louie@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

Rustynever
2006-08-27, 02:46
VundoFix V6.1.2

Checking Java version...

Java version is 1.5.0.6

Scan started at 22:02:17 26/08/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...






Logfile of HijackThis v1.99.1
Scan saved at 23:28:43, on 26/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\program files\u-storage tool2.9\ustorage.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Misc\HJT\123.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O6 "USB002" /M "Stylus CX6500"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152329255155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152332304000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheers

Russell the kangaroo

Rustynever
2006-08-27, 03:29
I also tried attrib /s | findstr SHR to look for really hidden files in the system32 directory which is where I saw nslphw.exe earlier. No show.

Maybe it has gone but this would be wishful thinking.

I shall open IE to see if it pops up.

pskelley
2006-08-27, 04:00
G'Day Russell, This is the first time I have seen the information, says Today, 19:45. I have 8:47 EST, perhaps it did not get sent. I notice a lot of cookies being stored, I have known of a cookie causing popups though it is unlikely with WinAntiSpyware. Do you need information to help you stop storing those cookies?

I am wondering about Vundofix also. That is not a complete log you posted. Sometimes it will not be able to find a file and it will continue to run. Are you sure you allowed enough time for it to do it's job?

This HJT log looks clean, did I mention that Java >>> C:\Program Files\Java\jre1.5.0_06\ needs an update: http://forums.spybot.info/showpost.php?p=12880&postcount=2

I'll go ahead and give you this information now, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Let me know how it is performing.

Cheers

Rustynever
2006-08-27, 04:58
I opened up IE and it came up when I was not even browsing.

I have attached a shrunk down version of the file. It is saying to install
DriveCleaner.

Rustynever
2006-08-27, 05:14
Hi Phil

Sorry about the last posting. You replied whilst I was typing up mine! As per last post I still have it.

Vundofix reported no problems. There was nothing to fix up so that is probably why it stops without any further information.

So I definitely do have it.

pskelley
2006-08-27, 12:26
G'Day, yeah you have something mate that is causing the popups. The something is not appearing in the log and so far you have not given me a clue as to how to locate it. It is like looking for a needle in a haystack. I have no idea either, so this will be a team effort. Keep track of all popups, where they direct you as they may give us a clue. First I want to make sure you scaned with ewido in safe mode. It will find stuff it can't find in normal mode. I have loads of tools but don't know which one to run? Let's take a look for a rootkit first like this:

Download and scan with: https://europe.f-secure.com/blacklight/try.shtml
Do not fix anything at this point, just post the results of the scan, posting the tutorial to help you with the tool.
http://www.bleepingcomputer.com/tutorials/tutorial124.html

To make sure these are not coming from Messenger Service, follow these directions:
http://www.microsoft.com/windowsxp/using/security/learnmore/stopspam.mspx
If it was running, let me know.

Let's have a look at your uninstall list:
Start HiJackThis
Press 'Config'
Press 'Misc Tools'
Press 'Open Uninstall Manager'
Press 'Save List'
Save the log to a convenient location
Copy the log and post its contents in this thread.

This is a new program I am still learning, but it has removed some hard to kill stuff for me in logs that were tough. Take a look at the program, it is free to use:
http://www.prevx.com/ be careful to use the free program in red to the left if you want to see if it will locate the problem.

That will give us direction and I am depending on your eyes and feedback,

Cheers...Phil

Rustynever
2006-08-27, 14:55
BINGO!

Blacklight found it!

I have also included the uninstall list:

08/27/06 21:32:54 [Info]: BlackLight Engine 1.0.46 initialized
08/27/06 21:32:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/27/06 21:32:54 [Note]: 7019 4
08/27/06 21:32:54 [Note]: 7005 0
08/27/06 21:32:58 [Note]: 7006 0
08/27/06 21:32:58 [Note]: 7011 3472
08/27/06 21:32:58 [Note]: 7026 0
08/27/06 21:32:58 [Note]: 7026 0
08/27/06 21:32:58 [Note]: 7024 3
08/27/06 21:32:58 [Info]: Hidden process: C:\windows\system32\nslphw.exe
08/27/06 21:32:58 [Note]: FSRAW library version 1.7.1019
08/27/06 21:36:13 [Info]: Hidden file: c:\WINDOWS\Prefetch\NSLPHW.EXE-1AFAC261.pf
08/27/06 21:36:13 [Note]: 10002 1
08/27/06 21:36:22 [Info]: Hidden file: c:\WINDOWS\system32\nslphw.dat
08/27/06 21:36:22 [Note]: 10002 1
08/27/06 21:36:23 [Info]: Hidden file: C:\windows\system32\nslphw.exe
08/27/06 21:36:23 [Note]: 10002 1
08/27/06 21:36:23 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_nav.dat
08/27/06 21:36:23 [Note]: 10002 1
08/27/06 21:36:23 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_navps.dat
08/27/06 21:36:23 [Note]: 10002 1
08/27/06 21:46:55 [Note]: 7007 0


-----------------------------


ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
Adobe Shockwave Player
AI RoboForm Adapter for Firefox/Mozilla/Netscape
AVG Free Edition
Blue's Art Time Activities
CmdHere Powertoy For Windows XP
Easy CD & DVD Creator 6
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON Web-To-Page
ESCX6500 Reference Guide
ESCX6500 Software Guide
ewido anti-spyware 4.0
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Mozilla Firefox (1.5.0.6)
PhotoImpression 5
PIF DESIGNER2.1
ProSavageDDR and Utilities
Quicken 2005
S3Display
S3Gamma2
S3Info2
S3Overlay
Safety In The Market ABC Trader
ScanToWeb
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Spybot - Search & Destroy 1.4
Stop the Morbuzakh (remove only)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
U-Storage 2.9
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
ZoneAlarm

I am sure Blacklight has found it.

At this stage I have NOT disabled system restore nor http://www.prevx.com/ as we have got something here.

Getting happier...

Russell

pskelley
2006-08-27, 15:13
G'Day Russell the kangaroo, looks like that is it. Read those instructions carefully and then proceed with renaming the items. You can scan that file to be sure if you wish, here are free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
and the file: C:\windows\system32\nslphw.exe

But I think we both know that is a trojan as you check it. You will rename these items:

08/27/06 21:32:58 [Info]: Hidden process: C:\windows\system32\nslphw.exe
08/27/06 21:36:13 [Info]: Hidden file: c:\WINDOWS\Prefetch\NSLPHW.EXE-1AFAC261.pf
08/27/06 21:36:22 [Info]: Hidden file: c:\WINDOWS\system32\nslphw.dat
08/27/06 21:36:23 [Info]: Hidden file: C:\windows\system32\nslphw.exe
08/27/06 21:36:23 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_nav.dat
08/27/06 21:36:23 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_navps.dat

Complete the process and post a new HJT log, we will see the bugger in the log now.

I should mention you can hold the other two items, System Restore we will do just at the end, and save the link to the Prevx tool, you might need it sometime. Your uninstall list had no surprises, you may want to look, good chance to get rid of programs you don't use anymore.

Cheers...Phil

Rustynever
2006-08-27, 15:46
Okay Phil

hjt shows the file and I can see them in c:\windows\system32! We're on the way!

08/27/06 22:16:44 [Info]: BlackLight Engine 1.0.46 initialized
08/27/06 22:16:44 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/27/06 22:16:44 [Note]: 7019 4
08/27/06 22:16:44 [Note]: 7005 0
08/27/06 22:16:51 [Note]: 7006 0
08/27/06 22:16:51 [Note]: 7011 3472
08/27/06 22:16:51 [Note]: 7026 0
08/27/06 22:16:51 [Note]: 7026 0
08/27/06 22:16:51 [Note]: 7024 3
08/27/06 22:16:51 [Info]: Hidden process: C:\windows\system32\nslphw.exe
08/27/06 22:16:51 [Note]: FSRAW library version 1.7.1019
08/27/06 22:19:56 [Info]: Hidden file: c:\WINDOWS\Prefetch\NSLPHW.EXE-1AFAC261.pf
08/27/06 22:19:56 [Note]: 10002 1
08/27/06 22:20:05 [Info]: Hidden file: c:\WINDOWS\system32\nslphw.dat
08/27/06 22:20:05 [Note]: 10002 1
08/27/06 22:20:06 [Info]: Hidden file: C:\windows\system32\nslphw.exe
08/27/06 22:20:06 [Note]: 10002 1
08/27/06 22:20:06 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_nav.dat
08/27/06 22:20:06 [Note]: 10002 1
08/27/06 22:20:07 [Info]: Hidden file: c:\WINDOWS\system32\nslphw_navps.dat
08/27/06 22:20:07 [Note]: 10002 1
08/27/06 22:39:16 [Note]: 7007 0


Logfile of HijackThis v1.99.1
Scan saved at 22:42:38, on 27/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE
C:\program files\u-storage tool2.9\ustorage.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Misc\HJT\123.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optusnet.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus CX6500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EP.EXE /P26 "EPSON Stylus CX6500 Series" /O6 "USB002" /M "Stylus CX6500"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tool2.9\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tool2.9
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nslphw] c:\windows\system32\nslphw.exe nslphw
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152329255155
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152332304000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2006-08-27, 15:59
I never thought about the System32 folder other than to kill the .exe? If you see the junk in there, delete it, just be careful to only delete: nslphw. Read all the way through these directions first, because deleting the .exe is part of them.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [nslphw] c:\windows\system32\nslphw.exe nslphw

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

c:\windows\system32\nslphw.exe <<< delete that file

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Here is a tutorial for using ATF-Cleaner in the future.
http://forums.security-central.us/showthread.php?t=1925

I already posted closing information earlier, it will be a couple of days before tashi:) closes your topic in the event anything comes up.

Cheers...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Rustynever
2006-08-27, 17:24
Hi Phil

Sincerest thanks for your sleuth work. I did as suggested and it now comes up clear in Blacklight. I think it is well and truly gone.

I'll spend the next few days exploring which additional prevention will suit me. I allow my family to use the PC and encourage it. Putting up too many obstacles will discourage them. Zonealarm and AVG, with weekly AdAware and Spybot are not enough it seems.

tashi
2006-09-02, 19:33
As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers.