Hijacked

To talk on Icrontic, just register!

It only takes 30 seconds.

Have an account? Sign in:

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

Reply to Discussion

Options

gregorsalvin

Icrontic Convert

11 Posts

10 Dec 2005, 8:58pm

Quoting Crunchie

Cool . I would still like to see the requested logs though.

Hae could you please help me like you helped Herfdude. please please this virus is starting to really be a problem. please see below. I have run Adware and tryed to run Spy Bot but it keeps crashing mid way. I am running AVG anti-virus on Windows Xp. please see me HyJack Log below.

I got a Virus and things have been running terrible since I have run Adware SE and AVG virus scanner but It says there is no Virus and one file in Windows/sytem32 seems to be currupt "yaemu" I can see this when I run AVG. Please help I am pulling my hair out.

Logfile of HijackThis v1.99.1
Scan saved at 17:10:15, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/...gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Crunchie

Veteran Icrontian

2,542 Posts

10 Dec 2005, 9:10pm

Re: Herfdude has been Hijacked

Can you please do the following.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\UnSpyPC

files...

C:\WINDOWS\system32\yaemu.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

__________________ Opera How you got infected AVAST anti-virus Comodo Firewall Spywareblaster Browser settings for increased security.

If you think we have helped you, please consider using your computer for disease research - it's free and harmless, and it's a fun way to join our community. //(*_*)\\

DFI LanParty UT nF4 Ultra-D, Opteron 165 @ 2700, Zalman 9500LED, 2X512 OCZ PC4800 Platinum Elite, XFX 7900 GT Extreme @ 650/1600, VF900-cu, WD 250 Sata, Corsair HX 620, Thermaltake Xaser V5000D case,

Crunchie

Veteran Icrontian

2,542 Posts

10 Dec 2005, 9:11pm

Re: Herfdude has been Hijacked

Please read the big red letters at the top of the forum and thread

. I have split your post out to your own topic.

gregorsalvin

Icrontic Convert

11 Posts

10 Dec 2005, 9:41pm

Re: Herfdude has been Hijacked

I did as you said, had to go into safe mode to get rid of yaemu.exe and UnSpyPC wasn't there even with show hidden files on? and I still have an anoying pop up coming on my Desktop Screen when I re-start? below is new HyJack log.

Logfile of HijackThis v1.99.1
Scan saved at 21:23:20, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [IPPDetect] IPP4Detect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Crunchie

Veteran Icrontian

2,542 Posts

11 Dec 2005, 6:44am

Re: Herfdude has been Hijacked

Quoting gregorsalvin

I still have an anoying pop up coming on my Desktop Screen when I re-start? below is new HyJack log.

Your log is clean. Be nice to know what the pop up is?

gregorsalvin

Icrontic Convert

11 Posts

11 Dec 2005, 11:25am

Re: Herfdude has been Hijacked

Quoting Crunchie

Your log is clean. Be nice to know what the pop up is? .

Hi Here is my HyJack Log if I keep the pop-up open when I do the log will this help I also have a screen shot of the pop-up too how can I show you this would this help? have I attached it below?

[IMG]C:\Documents and Settings\Gregor N Salvin\Desktop\popupmenu.jpg[/IMG]

Logfile of HijackThis v1.99.1
Scan saved at 11:04:42, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Crunchie

Veteran Icrontian

2,542 Posts

11 Dec 2005, 12:06pm

When you post your reply there is an option to attach a file. You should attach your screenshot that way.

==

Can you please do the following.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [dflnl.exe] C:\WINDOWS\system32\dflnl.exe

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\dflnl.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

gregorsalvin

Icrontic Convert

11 Posts

11 Dec 2005, 12:43pm

http://file004.bebo.com/large/2005/1...b44046648l.jpg

for some reason it won't let me attach a file? I get an Explorer User prompt. when I click on Insert pic can you go to the above link?

Crunchie

Veteran Icrontian

2,542 Posts

11 Dec 2005, 12:47pm

I do not recognise that from that shot

. Have you run Ewido yet? Try this too;

Please visit at least two of the following sites for an online virus scan:

Panda ActiveScan
http://www.pandasoftware.com/actives..._principal.htm
Post back the results from the scan.

gregorsalvin

Icrontic Convert

11 Posts

11 Dec 2005, 2:13pm

That's worrying, sorry took so long that ewido scan took an hour, found 56 things though that has to be good? here is the report and a Hyjack scan report done after ewido, Pop up still coming up took a litttle longer to load though so I think we must have at least upset it a little....little bugger it is... will do a online panda scan now and report back.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 13:48:26, 11/12/2005
+ Report-Checksum: 69897A1

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[172] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[196] VM_00BF0000 -> Downloader.Agent.uj : Error during cleaning
[828] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@e-2dj6wjkyegdzocp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@e-2dj6wjnyohc5kbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Cookies\gregor n salvin@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\6TZGPSZ6\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\7LGELX53\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\NVH7750S\000[1].jpg -> Downloader.Agent.tc : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\PKKFHH0L\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\PKKFHH0L\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[3].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SDIFK96Z\00st[4].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SH6ZKDMR\00st[1].htm -> Downloader.Inor.a : Cleaned with backup
C:\Documents and Settings\Gregor N Salvin\Local Settings\Temporary Internet Files\Content.IE5\SH6ZKDMR\00st[2].htm -> Downloader.Inor.a : Cleaned with backup
C:\RECYCLER\S-1-5-21-955046455-2020637620-97400744-1006\Dc16.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039746.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039757.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039764.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039768.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039774.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039779.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039785.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039820.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039826.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039837.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039847.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039857.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039867.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039871.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039882.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039892.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039896.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039912.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039922.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039971.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039981.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039984.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039986.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039989.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0039995.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040002.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040007.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040015.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040018.exe -> Trojan.DNSChanger.R : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040020.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040032.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040079.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP370\A0040088.exe -> Downloader.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\hgqhp.exe -> Trojan.DNSChanger.R : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 13:52:04, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

gregorsalvin

Icrontic Convert

11 Posts

11 Dec 2005, 9:32pm

Incident Status Location

Adware:Adware/IdeskBar Not desinfected C:\WINDOWS\SYSTEM32\IDEMLOG.EXE
Adware:adware/sbsoft Not desinfected Windows Registry
Virus:W32/Bagle.CA.worm Not desinfected Local Folders\dodgy[I_know_you.rar][123.exe]

Crunchie

Veteran Icrontian

2,542 Posts

12 Dec 2005, 9:54am

Delete those files that Panda found. You may have to be in safe mode. If you do have to go to safe mode, do another scan with Ewido whilst still in safe mode as this may help further.

==

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

==

Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

gregorsalvin

Icrontic Convert

11 Posts

12 Dec 2005, 1:13pm

Here is some more gobbilty gook for you.... man I don't know how you do it. Thanks so much for this I feel we are getting closer to getting this little bugger.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WebCamRT.exe" = (empty string)
"desktop" = "C:\WINDOWS\system32\idemlog.exe" [empty string]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft� Corporation"]
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft� Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft� Corporation"]
"DellTouch" = "C:\WINDOWS\DELLMMKB.EXE" ["Netropa Corp."]
"LVCOMS" = "C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" ["Logitech Inc."]
"LXSUPMON" = "C:\WINDOWS\system32\LXSUPMON.EXE RUN" ["Lexmark International Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{C81DCBCA-8AE2-41FC-9C39-78B160393210}" = "RhinoShExt"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\RhinoShExt.dll" ["Robert McNeel & Associates"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}" = "DeepBurner shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csqnt.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
DeepBurner\(Default) = "{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
RhinoShExt\(Default) = "{C81DCBCA-8AE2-41FC-9C39-78B160393210}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\RhinoShExt.dll" ["Robert McNeel & Associates"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
DeepBurner\(Default) = "{46CC93AA-C322-42dd-AA3A-CF9FC71D9871}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Astonsoft\DeepBurner Pro\DeepBurnerShellEx.dll" [null data]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "Gregor N Salvin" & "All Users" startup folders:
-----------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

Enabled Scheduled Tasks:
------------------------

"Ad-aware" -> launches: "C:\PROGRA~1\LAVASO~1\Ad-aware.exe" [file not found]
"Disk Cleanup" -> launches: "C:\WINDOWS\SYSTEM32\CLEANMGR.EXE" [MS]
"Disk Defragmenter (2)" -> launches: "C:\Documents and Settings\Gregor N Salvin\Desktop\Disk Defragmenter (2).lnk" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Researcher" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.blueyonder.co.uk/dial

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
C-DillaSrv, C-DillaSrv, "C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Netropa NHK Server, Nhksrv, "C:\WINDOWS\Nhksrv.exe" [null data]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "msikbd2k" ["Netropa Corporation"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor BJC-4200\Driver = "CNMLM0W.DLL" ["CANON INC."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 221 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 29 seconds.
---------- (total run time: 308 seconds)

Crunchie

Veteran Icrontian

2,542 Posts

12 Dec 2005, 1:32pm

Download and run blacklite
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
leave [X]scan through windows explorer checked,
click > scan then > next,
If any items show, have blacklite rename them except for "wbemtest.exe"
Do not rename "wbemtest.exe" its a windows file.
The tool will ask if you want to reboot, (restart) choose yes.

After you have rebooted post back with blacklites log, it will be next to the program.

gregorsalvin

Icrontic Convert

11 Posts

12 Dec 2005, 2:21pm

Here is blacklight log. Couldn't find any option to scan though windows explorer, but ran it anyway and renamed all the files except wbemtest,,,Restarted and that pop-up didn't come up although computer still running sluggish. Seems like we injured it at least. thanks Gregor

12/12/05 13:56:13 [Info]: BlackLight Engine 1.0.29 initialized
12/12/05 13:56:13 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/12/05 13:56:13 [Note]: 7019 4
12/12/05 13:56:13 [Note]: 7005 0
12/12/05 13:56:17 [Note]: 7006 0
12/12/05 13:56:17 [Note]: 7011 1280
12/12/05 13:56:18 [Note]: FSRAW library version 1.7.1013
12/12/05 13:56:52 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\WBEM\wbemtest.exe
12/12/05 13:56:52 [Note]: 10002 1
12/12/05 13:56:57 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\filesafer23.exe
12/12/05 13:56:57 [Note]: 10002 1
12/12/05 13:56:58 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\favset.exe
12/12/05 13:56:58 [Note]: 10002 1
12/12/05 13:56:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\howiper.exe
12/12/05 13:56:59 [Note]: 10002 1
12/12/05 13:56:59 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\idemlog.exe
12/12/05 13:56:59 [Note]: 10002 1
12/12/05 13:57:02 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\pppcgm.exe
12/12/05 13:57:02 [Note]: 10002 1
12/12/05 13:57:03 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\sphlp32.exe
12/12/05 13:57:03 [Note]: 7002 5
12/12/05 13:57:03 [Note]: 7003 1
12/12/05 13:57:03 [Note]: 10002 1
12/12/05 13:57:11 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\csqnt.exe
12/12/05 13:57:11 [Note]: 7002 32
12/12/05 13:57:11 [Note]: 7003 1
12/12/05 13:57:11 [Note]: 10002 1
12/12/05 13:58:45 [Note]: 7007 0

Crunchie

Veteran Icrontian

2,542 Posts

13 Dec 2005, 11:49am

Please delete the following files;

C:\WINDOWS\SYSTEM32\filesafer23.exe.ren
C:\WINDOWS\SYSTEM32\favset.exe.ren
C:\WINDOWS\SYSTEM32\howiper.exe.ren
C:\WINDOWS\SYSTEM32\idemlog.exe.ren
C:\WINDOWS\SYSTEM32\pppcgm.exe.ren
C:\WINDOWS\SYSTEM32\sphlp32.exe.ren
C:\WINDOWS\SYSTEM32\csqnt.exe.ren

Reboot when done and post another hijackthis log please.

gregorsalvin

Icrontic Convert

11 Posts

15 Dec 2005, 2:14pm

Thanks here is new log sorry it took so long was away on a break.

Logfile of HijackThis v1.99.1
Scan saved at 13:56:43, on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Crunchie

Veteran Icrontian

2,542 Posts

15 Dec 2005, 2:27pm

That brought the hidden file out

.

Can you please do the following.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\idemlog.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

gregorsalvin

Icrontic Convert

11 Posts

15 Dec 2005, 5:27pm

Yea sounds like we are getting somewhere. here is new log, thanks so much mate.

Logfile of HijackThis v1.99.1
Scan saved at 17:09:55, on 15/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HyJack\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blueyonder.co.uk/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/u...en/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.blueyonder.co.uk/dial
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{13FE3845-7CDE-42A2-AF31-CDB2479C01DD}: NameServer = 85.255.114.92,85.255.112.152
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7E3473-E17E-4DD7-9941-9D620A795BBE}: NameServer = 85.255.114.92,85.255.112.152
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Crunchie

Veteran Icrontian

2,542 Posts

15 Dec 2005, 9:16pm

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
XP Professional hijacked with new.net	sonoma	Resolved / Inactive	5	25 Jul 2005 1:37pm
Hijacked homepage Win98	try2livehappy	Resolved / Inactive	4	31 Mar 2005 4:02pm
Hijacked internet access by new.net	jaybee	Resolved / Inactive	8	2 Mar 2005 2:49am
Browser Hijacked a-search.biz/?	sonya7118	Resolved / Inactive	1	18 Oct 2004 11:08pm
Help Omegasearch Hijacked 2nd Computer	TRU_AZN	Resolved / Inactive	2	3 May 2004 5:47am

		Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Hijacked

Jump to

This Thread	Search this Thread
Print Email	Search this Thread: Advanced Search

Username
Password	Forgot?
Remember me