Winantivirus Popup Hell

IanMcS

New member
Hi, Can you help?

I am getting myriads of pop-ups since I upgraded to IE 7 (not sure if that's a coincidence). I am getting Winantivirus pop-ups, amaena etc. etc. I have run Spybot - it picks this and many others up, but they keep reappearing after being cleaned.

This HijackThis log (renamed the application from HijackThis) was produced within a few minutes of "cleaning", although the pop-ups had already started reappearing!

Would be most grateful for your support.




Logfile of HijackThis v1.99.1
Scan saved at 16:10:56, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\VsMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
Hi

Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. When VundoFix re-opens, click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click "YES".
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click "OK".

7. Please post the contents of C:\vundofix.txt and a new HiJackThis log.

If VundoFix cannot delete a file, it will try to delete it during a reboot. After the reboot VundoFix will open again; you must run VundoFix again, from "Click the Scan for Vundo button" ... and you must keep running VundoFix until it does delete the file... I've known a stubborn Vundo file take 5 or 6 reboots before it is deleted...

steam
 
HI Steam.

Thanks for your reply.

Ran Vundo, which took a while. It concluded that there were no infected files first time. Can't find a log - presumably it doesn't create one if there's nothing to report.

Here's the latest Hijack file.....

Thanks for your help.

I

Logfile of HijackThis v1.99.1
Scan saved at 22:58:42, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
Hi

Please go here and upload this file ...

c:\windows\system32\gjnksmhoyr.exe

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results ... right click on the page > select all

right click again > copy

paste the results in your next post here...

I know the file is bad, but I want to see if any of the scans tag it as vundo...

Then do this :-

Disconnect from the internet. Close ALL browser windows (including this one) - run HijackThis and tick to fix (check the box next to) the item below......... when it is ticked (checked) click the Fix Checked button at the bottom :-


O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr


Reboot then find and delete :-

c:\windows\system32\gjnksmhoyr.exe ... file

--
Vundofix should have produced a log, even if clean...

have a look for it here :-

C:\vundofix.txt

--
Post a new hijackthis log & the C:\vundofix.txt if you find it...

steam
 
Hi Steam

This has me scratching my head. The file you refer to is not present! First I tried to browse it into the virustotal website, but couldn't find it. Checked with explorer and couldn't find it, checked that explorer was set to show hidden files. Yet I can see it in yesterday's HJS logfile! Ermm!!

The popups are still coming - have done whilst I'm working and before running the HJS log. I did no work on the PC after I posted the item last night and this is the first thing I did tonight.

So here's the latest HJS log (run from a false name) plus the Vundo log, which was in the root as you had suggested. I'll reboot and see if anything new appears / disappears and let you know.

HJS log:

Logfile of HijackThis v1.99.1
Scan saved at 22:43:15, on 10/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Last night's Vundo log:


VundoFix V6.3.15

Checking Java version...

Scan started at 21:42:59 13/03/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.19

Checking Java version...

Scan started at 21:23:19 09/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Last night's Vundo log:


VundoFix V6.3.15

Checking Java version...

Scan started at 21:42:59 13/03/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.3.19

Checking Java version...

Scan started at 21:23:19 09/04/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
 
Hi

It's changed its name ...

O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr

to

O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn

Try to upload esmcvn.exe to virustotal ...

if you can't find it, run hijackthis and look at the same place in the log, that the ones above were, for another similar random named file...

steam
 
Hi Steam.

Rebooted - no effect. Then ran Spybot (no results), rebooted again and hey presto, there it is again, along with colleagues: gjnksmhoyr.dat, gjnksmhoyr_nav.dat and gjnksmhoyr_navps.dat.

The virus total site result is as follows:

STATUS: FINISHED
Complete scanning result of "gjnksmhoyr.exe", received in VirusTotal at 04.11.2007, 00:36:39 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.10.0 04.10.2007 no virus found
AntiVir 7.3.1.50 04.10.2007 HEUR/Malware
Authentium 4.93.8 04.09.2007 no virus found
Avast 4.7.936.0 04.10.2007 no virus found
AVG 7.5.0.447 04.10.2007 no virus found
BitDefender 7.2 04.11.2007 no virus found
CAT-QuickHeal 9.00 04.10.2007 (Suspicious) - DNAScan
ClamAV devel-20070312 04.10.2007 no virus found
DrWeb 4.33 04.11.2007 no virus found
eSafe 7.0.15.0 04.10.2007 Suspicious Trojan/Worm
eTrust-Vet 30.7.3557 04.10.2007 no virus found
Ewido 4.0 04.10.2007 no virus found
FileAdvisor 1 04.11.2007 no virus found
Fortinet 2.85.0.0 04.10.2007 no virus found
F-Prot 4.3.1.45 04.08.2007 no virus found
F-Secure 6.70.13030.0 04.10.2007 no virus found
Ikarus T3.1.1.5 04.10.2007 not-a-virus:AdWare.Win32.NaviPromo
Kaspersky 4.0.2.24 04.10.2007 not-a-virus:AdWare.Win32.NaviPromo.gen
McAfee 5005 04.10.2007 no virus found
Microsoft 1.2405 04.10.2007 no virus found
NOD32v2 2178 04.10.2007 no virus found
Norman 5.80.02 04.10.2007 no virus found
Panda 9.0.0.4 04.09.2007 Adware/NaviPromo
Prevx1 V2 04.11.2007 Covert.Sys.Exec
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.11.2007 Trojan.Skintrim
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.10.2007 no virus found
VirusBuster 4.3.7:9 04.10.2007 no virus found
Webwasher-Gateway 6.0.1 04.10.2007 Heuristic.Malware


Aditional Information
File size: 315904 bytes
MD5: 29d159d802fbc65e2d047961c798e373
SHA1: b70af3852832b6104291eed757d9fa34932ec727
packers: PECOMPACT
packers: PecBundle, PECompact
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=555482972612
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


Now following the rest of your instructions; will be back on shortly.

I
 
Hi Steam

Thanks for your help, here.

Followed the process - deleted the files, rebooted, HJS log below - seems OK but......

I've had 2 popups already :-(

I

Logfile of HijackThis v1.99.1
Scan saved at 00:27:43, on 11/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
HI

Your last hijackthis log's clean ... you can fix this, but it's just to "tidy up"; it's not causing any problems...

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

We may be dealing with a rootkit here...

Please download & run blacklight Rootkit diagnostic tool from :-

https://europe.f-secure.com/blacklight/try.shtml

click I ACCEPT

click download "Download Blacklight Beta graphical user interface version" > save it to your desktop

then ...

1. Double-click blbeta.exe

2. Accept the agreement > click next

3. click scan

4. A list of all items found will be displayed, or it will say "No hidden items found"

if anything is found do NOT elect to rename or clean anything, as legitimate entries could be found - click close

5. if you see "No hidden items found" click next then exit

On your desktop you will now see a log file, it will look something like this fsbl-20060105183235.log

6. open the log file and paste the contents into a post here... (if the log is too large to paste, then please attach it)

steam
 
Hi Steam

Guess what? It's picked up our old friends in System 32......

04/11/07 21:35:03 [Info]: BlackLight Engine 1.0.61 initialized
04/11/07 21:35:03 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/11/07 21:35:03 [Note]: 7019 4
04/11/07 21:35:03 [Note]: 7005 0
04/11/07 21:35:13 [Note]: 7006 0
04/11/07 21:35:13 [Note]: 7011 3960
04/11/07 21:35:14 [Note]: 7026 0
04/11/07 21:35:14 [Note]: 7026 0
04/11/07 21:35:14 [Note]: 7024 3
04/11/07 21:35:14 [Info]: Hidden process: C:\windows\system32\esmcvn.exe
04/11/07 21:35:27 [Note]: FSRAW library version 1.7.1021
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: C:\windows\system32\esmcvn.exe
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn_nav.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn_navps.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:04:20 [Note]: 2000 1012
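The two findings above (steam spotting that the O4 Run entry had simply been renamed from gjnksmhoyr to esmcvn, and Blacklight then reporting that same esmcvn.exe as a hidden process and hidden file) are both checks a defender can script. The following Python is an added example, not code from this thread or from HijackThis/Blacklight: it diffs the `O4 - ...\Run` entries between two HijackThis logs, flags the self-named `[x] ...\x.exe x` pattern (a heuristic of mine, not a rule either tool uses), and cross-references autorun images against Blacklight's hidden-item list; the log excerpts are constructed from lines posted in this thread.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the HijackThis logs posted in this thread: only the
# O4 (Run key) lines matter here. The first is from before the adware renamed
# itself, the second from after.
HJT_OLD = r"""
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gjnksmhoyr] c:\windows\system32\gjnksmhoyr.exe gjnksmhoyr
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HJT_NEW = r"""
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed excerpt of the Blacklight log from the same thread.
BLACKLIGHT = r"""
04/11/07 21:35:14 [Info]: Hidden process: C:\windows\system32\esmcvn.exe
04/11/07 21:35:27 [Note]: FSRAW library version 1.7.1021
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn.dat
04/11/07 22:01:12 [Note]: 10002 1
04/11/07 22:01:12 [Info]: Hidden file: C:\windows\system32\esmcvn.exe
04/11/07 22:01:12 [Info]: Hidden file: c:\WINDOWS\system32\esmcvn_nav.dat
"""

# "O4 - HKLM\..\Run: [name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# "[Info]: Hidden file: path" / "[Info]: Hidden process: path"
BL_RE = re.compile(r"\[Info\]: Hidden (?:file|process): (?P<path>.+)$")


def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command line into (image path, arguments).

    Handles the three shapes seen in the logs: a quoted path, an unquoted
    path that may contain spaces, and a bare file name such as SOUNDMAN.EXE.
    """
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_o4(log: str) -> Dict[str, str]:
    """Map 'hive:name' of each Run entry to its command line."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[f"{m['hive']}:{m['name']}"] = m["cmd"]
    return entries


def diff_autoruns(old_log: str, new_log: str) -> Dict[str, List[str]]:
    """Run entries that appeared or vanished between two HijackThis logs."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys())}


def looks_self_named(name: str, cmd: str) -> bool:
    # Heuristic (my assumption, not a HijackThis rule): the adware in this
    # thread registers itself as "[x] <dir>\x.exe x", i.e. the entry name,
    # the image stem and the sole argument are the same random token.
    path, args = split_command(cmd)
    stem = re.sub(r"\.exe$", "", path.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
    return name.lower() == stem.lower() == args.lower()


def suspicious_autoruns(log: str) -> List[str]:
    """Run entries matching the self-named pattern."""
    return [key for key, cmd in parse_o4(log).items()
            if looks_self_named(key.split(":", 1)[1], cmd)]


def parse_blacklight(log: str) -> Set[str]:
    """Paths Blacklight reported as hidden, lower-cased for comparison."""
    hidden: Set[str] = set()
    for line in log.splitlines():
        m = BL_RE.search(line)
        if m:
            hidden.add(m["path"].strip().lower())
    return hidden


def hidden_autoruns(hjt_log: str, bl_log: str) -> List[str]:
    """Run entries whose image is on Blacklight's hidden list: something the
    OS starts at logon but Explorer and a file-browse dialog cannot show."""
    hidden = parse_blacklight(bl_log)
    return [key for key, cmd in parse_o4(hjt_log).items()
            if split_command(cmd)[0].lower() in hidden]


if __name__ == "__main__":
    print("changed:", diff_autoruns(HJT_OLD, HJT_NEW))
    print("self-named:", suspicious_autoruns(HJT_NEW))
    print("hidden autoruns:", hidden_autoruns(HJT_NEW, BLACKLIGHT))
```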
 
HI

Please run Blacklight again, when it gets to the Step 2 - Clean hidden items screen ...

We need to rename all these files :-

C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn.dat
C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn_nav.dat
c:\WINDOWS\system32\esmcvn_navps.dat

1. Left click one of the hidden files to highlight it ..

2. press the Rename button. When you do this, the action will change from None to Rename ..

Once you set a file to Rename, you can untag it by pressing the None button so that no action is performed on this particular item. ( if you accidentally tag the wrong one)

When the computer reboots it will rename the files with a .ren extension. Because these files will no longer be loaded at startup, they will now become visible so that you can delete them. For example :-

C:\windows\system32\esmcvn.exe
c:\WINDOWS\system32\esmcvn.dat

They would now be named:

C:\windows\system32\esmcvn.exe.ren
c:\WINDOWS\system32\esmcvn.dat.ren

After you have selected all of the files you would like to rename, you should press the Next button.

A warning screen will now show stating that renaming legitimate files can cause Windows not to operate properly. If you would still like to continue renaming the files, put a checkmark in the checkbox labelled I have understood the warning and wish to continue and then press the OK button.

You should then press the Restart Now button, and then the OK button again, to restart your computer ....

Once the computer has restarted, go to the system32 folder & delete the renamed files...

Then run Blacklight again and post the new log... also a new hijackthis log...

steam
 
HI Steam

Not had any popups for the last half hour, so feels good so far. I'm interested in why the files were invisible - is this a Windows "feature"?

Followed your advice - see logs below.

Thanks for your support on this.

I

Updated Blacklight log:

04/12/07 23:17:39 [Info]: BlackLight Engine 1.0.61 initialized
04/12/07 23:17:39 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/12/07 23:17:39 [Note]: 7019 4
04/12/07 23:17:39 [Note]: 7005 0
04/12/07 23:17:43 [Note]: 7006 0
04/12/07 23:17:43 [Note]: 7011 840
04/12/07 23:17:43 [Note]: 7026 0
04/12/07 23:17:43 [Note]: 7026 0
04/12/07 23:17:47 [Note]: FSRAW library version 1.7.1021
04/12/07 23:47:39 [Note]: 2000 1012
04/12/07 23:51:35 [Note]: 7007 0



updated HJS log:

Logfile of HijackThis v1.99.1
Scan saved at 23:56:07, on 12/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\DitExp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [esmcvn] c:\windows\system32\esmcvn.exe esmcvn
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
Hi Steam

Spotted on the last HJT log that our friend c:\windows\system32\esmcvn.exe (esmcvn) had returned. So I followed your previous advice and deleted it with HJT, but when I rebooted the files did not appear in system32 for deletion, so I'm wondering if the entry in the last HJT log was just a hangover or whether something's still lurking.

The latest HijackThis log is as follows; it looks like that record was successfully deleted.

Logfile of HijackThis v1.99.1
Scan saved at 00:12:35, on 13/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Firebird\bin\ibguard.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\gsicon.exe
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\vVX3000.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Firebird\bin\ibserver.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\My Documents\Setup Directory\Hijackthis\sillyname.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB001" /M "Stylus C86"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com
O16 - DPF: {0A46CB52-CFA0-4E78-A181-948D5E361BE3} (EpsonObj Class) - http://esupport.epson-europe.com/ePC/activex/EpsonSetup.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Firebird Guardian Service (InterBaseGuardian) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Firebird Server (InterBaseServer) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
 
Hi Steam.

Just following my last 2 posts, I thought I'd better run BlackLight again. Here's the log....

04/13/07 00:16:34 [Info]: BlackLight Engine 1.0.61 initialized
04/13/07 00:16:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/13/07 00:16:34 [Note]: 7019 4
04/13/07 00:16:34 [Note]: 7005 0
04/13/07 00:16:37 [Note]: 7006 0
04/13/07 00:16:37 [Note]: 7011 532
04/13/07 00:16:37 [Note]: 7026 0
04/13/07 00:16:37 [Note]: 7026 0
04/13/07 00:16:41 [Note]: FSRAW library version 1.7.1021
04/13/07 00:46:37 [Note]: 2000 1012
04/13/07 09:35:25 [Note]: 7007 0

Hope to hear from you soon.

I
 
HI Ian

I'm interested why the files were invisible - is this a Windows "feature"?

Nope... it's a malware feature... a lot of malware is now hiding itself from Windows using rootkits, and it's getting harder all the time to find some of it & remove it... however it looks like we got yours OK...

The run key you saw in the HijackThis log was being hidden by the rootkit (hidden process); once we removed it with BlackLight the key became visible again, as did the renamed files... that should be the last you see of it...

Empty your recycle bin if you haven't already...

Just this one other unrelated leftover in your log; you can fix this:-

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

While the rootkit was on your computer it may have downloaded other malware which was hidden from removal programs, so I would like you to run an on-line scan for viruses (Panda ActiveScan) & a scan for spyware/adware (SUPERAntiSpyware).

---
Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed, update the definitions and then run a full system scan; quarantine what it finds!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)

http://www.superantispyware.com/definitions.html

* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.

---
Perform an online scan with Internet Explorer at
http://www.pandasoftware.com/products/activescan.htm
Panda ActiveScan
  1. Click on the "Scan your PC" button [image: pandascanyourpc.gif] located at the bottom of the page.
  2. A pop up window will appear. Please ensure that your pop up blocker doesn't block it. Enter your e-mail address, country, and state & click Free Online Scan. *The download of the 8 MB Panda ActiveX control will take place*
  3. Begin the scan by selecting "My Computer" [image: pandamycomputer.gif].
  • If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on "See report" [image: pandaseereport.gif], then click "Save report" [image: pandasavereport.gif].

Turn off the real time scanner of any existing antivirus program while performing the online scan.

Please post the Panda scan log.

steam
 
Hi Steam.

Thanks for your advice...

I got through the first bit fine - see log below, but I've run the Panda Software thing twice - it runs through its process, picks up Spyware, Dialers, and Rootkits (20, 1 and 3 found the last time I saw it), then all the browser windows automatically close and I have no record of what it's picked up! Ran it twice and it did the same thing both times - the second whilst I was watching it.

Here's the SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
Generated 04/13/2007 at 10:49 PM

Application Version : 3.6.1000

Core Rules Database Version : 3219
Trace Rules Database Version: 1229

Scan type : Complete Scan
Total Scan Time : 01:24:17

Memory items scanned : 429
Memory threats detected : 0
Registry items scanned : 6207
Registry threats detected : 0
File items scanned : 115978
File threats detected : 248

Adware.Tracking Cookie

Adware.HotBar (Low Risk)
C:\PROGRAM FILES\HBINST\HBINST.EXE

Malware.DriveCleaner
C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1006\DC226\INSTALLER.EXE

Adware.MovieLand/MediaPipe
C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1008\DC81.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B42518BA-188E-432B-914A-D2C198B52520}\RP452\A0100355.EXE

Adware.Jraun/WinEssential
D:\SYSTEM VOLUME INFORMATION\_RESTORE{530CE4CC-7AA4-472B-AB0A-C4A85E7EDA34}\RP25\A0003090.EXE

Cheers

Ian
 
Hi

Did you turn off McAfee while you did the Panda scan? It may be causing the conflict...

SUPERAntiSpyware may look as though it found a lot, but it was mostly cookies & nothing to be too concerned about ...

Please run this on-line scan :-

http://www.bitdefender.com/scan8/ie.html

Scan the whole computer & let it Disinfect/delete all it finds ...

Copy & paste its report here please.

steam
 
Hi Steam

Thanks for your response.

Yes, I had turned off McAfee and Superantivirus. However, I found that if I stopped the process right near the end it would allow me to save it, so that's what I've done.

Will run BitDefender next.

So here's the Panda log as far as it got (I think it has picked up everything).


Incident Status Location

Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinner.exe
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\MessengerSkinnerDll.dll
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Dialer:Dialer.Gen Not disinfected C:\1-2-3-AWM123.exe
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Beth\Cookies\beth@bravenet[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Beth\Cookies\beth@centrport[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Beth\Cookies\beth@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Beth\Cookies\beth@go[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Beth\Cookies\beth@searchportal.information[2].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Beth\Cookies\beth@xmts[1].txt
Spyware:Spyware/Overpro Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\APP3.tmp
Spyware:Spyware/Overpro Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\APPD.tmp
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Beth\Local Settings\Temp\Cookies\beth@xmts[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@888[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@adtech[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@bravenet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@go[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@landing.domainsponsor[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Ellie\Cookies\ellie@xmts[2].txt
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Ellie\Local Settings\Temporary Internet Files\Content.IE5\EUS712DT\jokes[1].exe[jokester.dll]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Ian\Cookies\ian@questionmarket[2].txt
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\Program Files\MessengerSkinner\uninst.exe
Spyware:Cookie/MediaTickets Not disinfected C:\RECYCLER\S-1-5-21-3377872066-836873440-2400570520-1006\Dc210\ian@kinghost[1].txt
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\stggjcepcq.exe
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\system32\yohzsvt.exe
Potentially unwanted tool:Application/Messengerskinner Not disinfected C:\WINDOWS\Temp\install_msgskinner.exe
 
Hi Steam

I have tried BitDefender several times and it falls over with an Explorer application error about half way through - same as the Panda software. Not sure whether this is an IE7 problem - I've patched up to date.

I'm also getting disk errors in my event logs, so I'm wondering if I've got problems with the HDD.

So - I'm a bit stuck!

On the positive side, the children used the PC pretty intensively yesterday and no popups!

Ian
 