Another Trojan - new member !

Good day, and thanks in advance for any help you can give. My name is Iain Brown, and I have some computer knowledge, but obviously not enough, as on the WIN2K machine in question there is a persistent hi-jack by Win32:Trojan-gen.

I have run the current versions of Spybot and AdAware (both updated): the machine runs AVAST anti-virus and I have also downloaded and run STINGER. AVAST reports a Trojan and takes the instruction to move it to the chest, but it does not cure.

IE gets put to home page www.search-paga.com/payse, but in the Tools display 'payse' is replaced by 10039.

I have applied Hijackthis and attach the report. I guess I will have to remove some of the items, but which? - that is where I hope some kind soul will come to my aid.

Thank-you!

Iain

Logfile of HijackThis v1.99.1
Scan saved at 11:26:23, on 16/04/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inetdata\winlogon.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\System32\dstart4.exe
C:\Program Files\Messenger\msmsgs.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware\NoAdware.exe" /s
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {C78C0AAB-F405-4286-BC8B-6DA47C37DA91} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C78C0AAB-F405-4286-BC8B-6DA47C37DA91} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {B5DD9A64-5C4B-4A48-BE56-97C1A8F85708} - http://66.232.129.61/sw/fvp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{59134978-45C2-4696-9B9E-7B19FDC9952B}: NameServer = 10.0.0.254
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited April 2005
    Hi Iain and welcome to Short-Media.

    ===============

    Download CWShredder 2.14 from here.

    Download 'SpSeHjfix' to the desktop and then
    right click a blank part of the desktop and select new folder, call it spfix
    unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    ===============

    Run HiJackThis then:

    1. Click "Config..."
    2. Click "Misc Tools"
    3. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINNT\inetdata\winlogon.exe
    C:\WINNT\System32\dstart4.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Run HiJackThis and click "Scan", then check(tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll/sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll/sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe

    O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

    O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
    O4 - HKLM\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
    O4 - HKCU\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
    O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe

    O16 - DPF: {B5DD9A64-5C4B-4A48-BE56-97C1A8F85708} - http://66.232.129.61/sw/fvp.cab


    Now, with all windows closed except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

    files...

    C:\WINNT\inetdata\winlogon.exe
    C:\WINNT\System32\dstart4.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll

    -

    Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    To help protect your system from hostile ActiveX content, or special 'downloadable' files:

    Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

    1) Check for any available updates; if present, they'll be automatically downloaded and installed.
    2) Next, "Enable all protection".
    3) Exit the program.

    -

    Note: Remember to regularly check for updates.

    ===============

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

    -

    crunchie.
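As an added illustration (not part of this thread, and not code from HijackThis or SpSeHjfix), the Python below applies the kind of triage Crunchie did by eye to the log above: it parses HJT lines and flags the patterns that marked this infection, namely a search page served from a DLL in Temp, a SearchAssistant set to about:blank, a win.ini run= entry, an orphaned BHO, a winlogon.exe outside System32, the same Run command registered in both hives, and an ActiveX download from a bare IP. The heuristics and reason strings are my own; the sample lines are copied from the log posted in this thread.

```python
import re
from urllib.parse import urlparse
# HijackThis lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F3 - REG:win.ini: run=C:\WINNT\inetdata\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINNT\System32\dstart4.exe
O16 - DPF: {B5DD9A64-5C4B-4A48-BE56-97C1A8F85708} - http://66.232.129.61/sw/fvp.cab
"""
# Core Windows process names malware likes to borrow; the genuine copy lives only in System32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'\]\s*"?([a-z]:\\[^"]+?\.exe)')
def triage_line(sec, body):
    """Return why this HJT entry deserves a closer look, or None if it looks ordinary."""
    low = body.lower()
    if sec in ("R0", "R1") and "res://" in low and "\\temp\\" in low:
        return "IE search page served from a DLL in a Temp folder"
    if sec == "R0" and low.endswith("searchassistant = about:blank"):
        return "SearchAssistant redirected to about:blank"
    if sec == "F3" and "win.ini: run=" in low:
        return "legacy win.ini run= entry, rarely used by legitimate software"
    if sec == "O2" and low.endswith("(no file)"):
        return "orphaned BHO registration (no file on disk)"
    if sec == "O4" and (m := EXE_RE.search(low)):
        name = m.group(1).rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not m.group(1).startswith("c:\\winnt\\system32\\"):
            return f"{name} running from outside System32"
    if sec == "O16":
        host = urlparse(body.split(" - ")[-1]).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return "ActiveX download from a bare IP address"
    return None
def triage(log_text):
    """Parse a HijackThis log; return [(section, body, reason)] for every flagged entry."""
    flagged, hives_by_cmd = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = triage_line(sec, body)
        if sec == "O4" and body[:4] in ("HKLM", "HKCU"):
            # The same command registered under both hives is a common malware trait.
            cmd = body.split("]", 1)[-1].strip().lower()
            hives_by_cmd.setdefault(cmd, set()).add(body[:4])
            if reason is None and hives_by_cmd[cmd] == {"HKLM", "HKCU"}:
                reason = "identical Run entry registered under both HKLM and HKCU"
        if reason:
            flagged.append((sec, body, reason))
    return flagged
```

Run `triage(SAMPLE_LOG)` to see every entry Crunchie ticked in the fix list above, with the reason it stood out; entries with no matching heuristic (the avast services, the Office startup links) are left alone.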
  • edited April 2005
    THANKS Crunchie!

    I have run the suggested actions, and the box seems to be behaving correctly now. I am very much obliged to you.

    The "after" HJT log is attached, as is the one from SpSehjfix.

    If there is anything else to do [I have installed Spywareblaster] please say.

    Thanks again ...... Iain


    Logfile of HijackThis v1.99.1
    Scan saved at 16:00:38, on 16/04/2005
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\WINNT\System32\DSentry.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Downloads\hijackthis.exe
    C:\Downloads\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vivisimo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware\NoAdware.exe" /s
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {C78C0AAB-F405-4286-BC8B-6DA47C37DA91} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {C78C0AAB-F405-4286-BC8B-6DA47C37DA91} - (no file) (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{59134978-45C2-4696-9B9E-7B19FDC9952B}: NameServer = 10.0.0.254
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe



    (4/16/05 15:02:50) SPSeHjFix started v1.1.2
    (4/16/05 15:02:50) OS: Win2000 Service Pack 3 (5.0.2195)
    (4/16/05 15:02:50) Language: english
    (4/16/05 15:02:50) Win-Path: C:\WINNT
    (4/16/05 15:02:50) System-Path: C:\WINNT\System32
    (4/16/05 15:02:50) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
    (4/16/05 15:02:59) Disinfection started
    (4/16/05 15:02:59) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\sp.dll
    (4/16/05 15:02:59) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:02:59) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:02:59) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\sp.dll/sp.html
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\sp.dll/sp.html
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
    deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
    (4/16/05 15:02:59) Stealth-String not found
    (4/16/05 15:02:59) No locked Files to delete. End without Reboot
    (4/16/05 15:03:16) Disinfection started
    (4/16/05 15:03:16) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\sp.dll
    (4/16/05 15:03:16) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:03:16) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:03:16) Bad IE-pages: (none)
    (4/16/05 15:03:16) Stealth-String not found
    (4/16/05 15:03:16) No locked Files to delete. End without Reboot


    (4/16/05 15:09:39) SPSeHjFix started v1.1.2
    (4/16/05 15:09:39) OS: Win2000 Service Pack 3 (5.0.2195)
    (4/16/05 15:09:39) Language: english
    (4/16/05 15:09:39) Win-Path: C:\WINNT
    (4/16/05 15:09:39) System-Path: C:\WINNT\System32
    (4/16/05 15:09:39) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
    (4/16/05 15:09:42) Disinfection started
    (4/16/05 15:09:42) Bad-Dll(IEP): (not found)
    (4/16/05 15:09:42) Bad-Dll(IEP) in BHO: (not found)
    (4/16/05 15:09:42) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:09:42) UBF: 4 - UBB: 2 - UBR: 12
    (4/16/05 15:09:42) Bad IE-pages: (none)
    (4/16/05 15:09:42) Stealth-String not found
    (4/16/05 15:09:42) Not infected->END
  • Crunchie (Mandurah, Western Australia), Member
    edited April 2005
    Looks pretty good now :). You need to install service pack 4 for W2K and also service pack one for IE6.

    ===============

    Run HiJackThis and click "Scan", then check(tick) the following, if present:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


    Now, with all windows closed except HiJackThis, click "Fix checked".

    ===============

    That should do you :)..

    -

    crunchie.