Options

Hijacked

Unknown
edited December 2005 in Spyware & Virus Removal
Crunchie wrote:
Cool :). I would still like to see the requested logs though.

Hae could you please help me like you helped Herfdude. please please this virus is starting to really be a problem. please see below. I have run Adware and tryed to run Spy Bot but it keeps crashing mid way. I am running AVG anti-virus on Windows Xp. please see me HyJack Log below.

I got a Virus and things have been running terrible since I have run Adware SE and AVG virus scanner but It says there is no Virus and one file in Windows/sytem32 seems to be currupt "yaemu" I can see this when I run AVG. Please help I am pulling my hair out.


Logfile of HijackThis v1.99.1
Scan saved at 17:10:15, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Comments

  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Can you please do the following.

    ===============

    Run HiJackThis, click "Scan", then check(tick) the following, if present:


    O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\UnSpyPC

    files...

    C:\WINDOWS\system32\yaemu.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Please read the big red letters at the top of the forum and thread :). I have split your post out to your own topic.
  • gregorsalvin
    edited December 2005
    I did as you said, had to go into safe mode to get rid of yaemu.exe and UnSpyPC wasn't there even with show hidden files on? and I still have an anoying pop up coming on my Desktop Screen when I re-start? below is new HyJack log.

    Logfile of HijackThis v1.99.1
    Scan saved at 21:23:20, on 10/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\HyJack\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    gregorsalvin wrote:
    I still have an anoying pop up coming on my Desktop Screen when I re-start? below is new HyJack log.
    Your log is clean. Be nice to know what the pop up is? :).
  • gregorsalvin
    edited December 2005
    Crunchie wrote:
    Your log is clean. Be nice to know what the pop up is? :).

    Hi Here is my HyJack Log if I keep the pop-up open when I do the log will this help I also have a screen shot of the pop-up too how can I show you this would this help? have I attached it below?

    [IMG]C:\Documents and Settings\Gregor N Salvin\Desktop\popupmenu.jpg[/IMG]

    Logfile of HijackThis v1.99.1
    Scan saved at 11:04:42, on 11/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HyJack\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    When you post your reply there is an option to attach a file. You should attach your screenshot that way.

    ==

    Can you please do the following.

    ===============

    Run HiJackThis, click "Scan", then check(tick) the following, if present:


    O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\WINDOWS\system32\dflnl.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • gregorsalvin
    edited December 2005
    http://file004.bebo.com/large/2005/12/11/12/6102964a90940058b44046648l.jpg

    for some reason it won't let me attach a file? I get an Explorer User prompt. when I click on Insert pic can you go to the above link?
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    I do not recognise that from that shot :(. Have you run Ewido yet? Try this too;

    Please visit at least two of the following sites for an online virus scan:

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Post back the results from the scan.
  • gregorsalvin
    edited December 2005
    That's worrying, sorry took so long that ewido scan took an hour, found 56 things though that has to be good? here is the report and a Hyjack scan report done after ewido, Pop up still coming up took a litttle longer to load though so I think we must have at least upset it a little....little bugger it is... will do a online panda scan now and report back.
    ewido security suite - Scan report

    + Created on: 13:48:26, 11/12/2005
    + Report-Checksum: 69897A1

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    [172] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
    [196] VM_00BF0000 -> Downloader.Agent.uj : Error during cleaning
    [828] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@112.2o7[1].txt[/email] -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@247realmedia[1].txt[/email] -> Spyware.Cookie.247realmedia : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@com[2].txt[/email] -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@e-2dj6wjkyegdzocp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@e-2dj6wjnyohc5kbp.stats.esomniture[2].txt[/email] -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n [email]salvin@www.myaffiliateprogram[2].txt[/email] -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\6TZGPSZ6\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\7LGELX53\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\NVH7750S\000[1].jpg -> Downloader.Agent.tc : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\PKKFHH0L\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\PKKFHH0L\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[3].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[4].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SH6ZKDMR\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SH6ZKDMR\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
    C:\RECYCLER\S-1-5-21-955046455-2020637620-97400744-1006\Dc16.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039746.exe -> Spyware.NewDotNet : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039757.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039764.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039768.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039774.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039779.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039785.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039820.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039826.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039837.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039847.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039857.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039867.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039871.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039882.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039892.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039896.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039912.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039922.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039971.dll -> Spyware.WildTangent : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039981.dll -> Spyware.WildTangent : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039984.dll -> Spyware.WildTangent : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039986.dll -> Spyware.WinAD : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039989.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039995.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040002.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040007.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040015.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040018.exe -> Trojan.DNSChanger.R : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040020.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040032.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040079.exe -> Downloader.Small : Cleaned with backup
    C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040088.exe -> Downloader.Small : Cleaned with backup
    C:\WINDOWS\SYSTEM32\hgqhp.exe -> Trojan.DNSChanger.R : Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 13:52:04, on 11/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Real\RealOne Player\RealPlay.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HyJack\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • gregorsalvin
    edited December 2005
    Incident Status Location

    Adware:Adware/IdeskBar Not desinfected C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
    Adware:adware/sbsoft Not desinfected Windows Registry
    Virus:W32/Bagle.CA.worm Not desinfected Local Folders\dodgy[I_know_you.rar][123.exe]
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Delete those files that Panda found. You may have to be in safe mode. If you do have to go to safe mode, do another scan with Ewido whilst still in safe mode as this may help further.

    ==

    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.
    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    ==

    Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
  • gregorsalvin
    edited December 2005
    Here is some more gobbilty gook for you.... man I don't know how you do it. Thanks so much for this I feel we are getting closer to getting this little bugger.

    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "WebCamRT.exe" = (empty string)
    "desktop" = "C:\WINDOWS\system32\idemlog.exe" [empty string]
    "Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
    "Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
    "Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
    "DellTouch" = "C:\WINDOWS\DELLMMKB.EXE" ["Netropa Corp."]
    "LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
    "LXSUPMON" = "C:\WINDOWS\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc."]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
    "THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
    "{C81DCBCA-8AE2-41FC-9C39-78B160393210}" = "RhinoShExt"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\RhinoShExt.dll" ["Robert McNeel & Associates"]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}" = "DeepBurner shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    INFECTION WARNING! "System" = "csqnt.exe" [null data]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    DeepBurner\(Default) = "{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
    RhinoShExt\(Default) = "{C81DCBCA-8AE2-41FC-9C39-78B160393210}"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\RhinoShExt.dll" ["Robert McNeel & Associates"]
    TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    DeepBurner\(Default) = "{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
    TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Startup items in "Gregor N Salvin" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


    Enabled Scheduled Tasks:

    "Ad-aware" -> launches: "C:\PROGRA~1\LAVASO~1\Ad-aware.exe" [file not found]
    "Disk Cleanup" -> launches: "C:\WINDOWS\SYSTEM32\CLEANMGR.EXE" [MS]
    "Disk Defragmenter (2)" -> launches: "C:\Documents and Settings\Gregor N Salvin\Desktop\Disk Defragmenter (2).lnk" [file not found]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Researcher" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.blueyonder.co.uk/dial

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    Running Services (Display Name, Service Name, Path {Service DLL}):

    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    C-DillaSrv, C-DillaSrv, "C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
    ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
    LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
    Netropa NHK Server, Nhksrv, "C:\WINDOWS\Nhksrv.exe" [null data]
    NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Keyboard Driver Filters:

    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Canon BJ Language Monitor BJC-4200\Driver = "CNMLM0W.DLL" ["CANON INC."]
    Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 221 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 29 seconds.
    (total run time: 308 seconds)
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Download and run blacklite
    F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
    leave [X]scan through windows explorer checked,
    click > scan then > next,
    If any items show, have blacklite rename them except for "wbemtest.exe"
    Do not rename "wbemtest.exe" its a windows file.
    The tool will ask if you want to reboot, (restart) choose yes.

    After you have rebooted post back with blacklites log, it will be next to the program.
  • gregorsalvin
    edited December 2005
    Here is blacklight log. Couldn't find any option to scan though windows explorer, but ran it anyway and renamed all the files except wbemtest,,,Restarted and that pop-up didn't come up although computer still running sluggish. Seems like we injured it at least. thanks Gregor

    12/12/05 13:56:13 [Info]: BlackLight Engine 1.0.29 initialized
    12/12/05 13:56:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/12/05 13:56:13 [Note]: 7019 4
    12/12/05 13:56:13 [Note]: 7005 0
    12/12/05 13:56:17 [Note]: 7006 0
    12/12/05 13:56:17 [Note]: 7011 1280
    12/12/05 13:56:18 [Note]: FSRAW library version 1.7.1013
    12/12/05 13:56:52 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\wbemtest.exe
    12/12/05 13:56:52 [Note]: 10002 1
    12/12/05 13:56:57 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\filesafer23.exe
    12/12/05 13:56:57 [Note]: 10002 1
    12/12/05 13:56:58 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\favset.exe
    12/12/05 13:56:58 [Note]: 10002 1
    12/12/05 13:56:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\howiper.exe
    12/12/05 13:56:59 [Note]: 10002 1
    12/12/05 13:56:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\idemlog.exe
    12/12/05 13:56:59 [Note]: 10002 1
    12/12/05 13:57:02 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\pppcgm.exe
    12/12/05 13:57:02 [Note]: 10002 1
    12/12/05 13:57:03 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\sphlp32.exe
    12/12/05 13:57:03 [Note]: 7002 5
    12/12/05 13:57:03 [Note]: 7003 1
    12/12/05 13:57:03 [Note]: 10002 1
    12/12/05 13:57:11 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\csqnt.exe
    12/12/05 13:57:11 [Note]: 7002 32
    12/12/05 13:57:11 [Note]: 7003 1
    12/12/05 13:57:11 [Note]: 10002 1
    12/12/05 13:58:45 [Note]: 7007 0
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Please delete the following files;

    C:\WINDOWS\SYSTEM32\filesafer23.exe.ren
    C:\WINDOWS\SYSTEM32\favset.exe.ren
    C:\WINDOWS\SYSTEM32\howiper.exe.ren
    C:\WINDOWS\SYSTEM32\idemlog.exe.ren
    C:\WINDOWS\SYSTEM32\pppcgm.exe.ren
    C:\WINDOWS\SYSTEM32\sphlp32.exe.ren
    C:\WINDOWS\SYSTEM32\csqnt.exe.ren

    Reboot when done and post another hijackthis log please.
  • gregorsalvin
    edited December 2005
    Thanks here is new log sorry it took so long was away on a break.

    Logfile of HijackThis v1.99.1
    Scan saved at 13:56:43, on 15/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\HyJack\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    That brought the hidden file out :).

    Can you please do the following.

    ===============

    Run HiJackThis, click "Scan", then check(tick) the following, if present:


    O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\WINDOWS\system32\idemlog.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • gregorsalvin
    edited December 2005
    Yea sounds like we are getting somewhere. here is new log, thanks so much mate. :):D

    Logfile of HijackThis v1.99.1
    Scan saved at 17:09:55, on 15/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\DELLMMKB.EXE
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Netropa\OSD.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HyJack\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
    F2 - REG:system.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
  • CrunchieCrunchie Mandurah. Western Australia. Member
    edited December 2005
    Congratulations! Your log looks clean - good work!

    ===============

    Now that your PC is clean you need to follow these easy steps to keeping it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

    Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

    Install and keep updated, Ad-Aware SE, and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.
    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.

    -

    Happy surfing,

    crunchie.
Sign In or Register to comment.