Request Some Help Please: Multiple IE & other Processes I Don't Recognize

Hello to all

For a while now I've had multiple instances of IE opening at various times, as well as some other processes I don't recognize which will sometimes just change names as I try to close them. I've updated and run both Adaware and Spybot, and my HijackThis log follows. 2 instances of IE even opened when I ran HijackThis!

Thanks in advance for assistance anyone can offer

Logfile of HijackThis v1.99.0
Scan saved at 1:52:29 PM, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\D-Tools\daemon.exe
D:\WINDOWS\system32\wscntfy.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on MYCOMPUTER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on MYCOMPUTER" /O21 "\\MYCOMPUTER\EPSONSty" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [\\MYCOMPUTER\EPSON Stylus Photo R200 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "\\MYCOMPUTER\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.real.com
O15 - Trusted IP range: (HKLM)

Comments

  • Trogan (London, UK)
    edited October 2005
    Please update your HJT log from here to version 1.99.1
    ===

    Scan your PC with the following:

    Panda Activescan

    Save a log and post it here along with a new HJT log :)
  • NJD
    edited October 2005
    Hi Trogan

    Pandascan didn't give me a log file and I couldn't find anywhere to generate one. This is all I ended up with:
                      Detected  Disinfected
    Virus                    0            0
    Spyware                  0            0
    Hacking Tools            0            0
    Dialers                  0            0
    Security Risks           0            0
    Suspicious files         0            0

    The updated Hijackthis file is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:56:06 PM, on 17/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\D-Tools\daemon.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Documents and Settings\NJD\Application Data\Microsoft\Internet Explorer\Quick Launch\NOTEPAD.EXE
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on MYCOMPUTER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on MYCOMPUTER" /O21 "\\MYCOMPUTER\EPSONSty" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [\\MYCOMPUTER\EPSON Stylus Photo R200 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "\\MYCOMPUTER\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
    O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.real.com
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    Thanks for your help
    NJD
  • Trogan (London, UK)
    edited October 2005
    Did you copy and paste the whole log from HJT? Your log looks incomplete.
    ===

    Go here and, in the box provided, please type (or copy and paste) the following. The file will be scanned by various anti-virus scanners, so let me know what the results are please.

    D:\WINDOWS\winsnt.exe
    ===

    Download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Now, scan with it by clicking 'Scanner' on the left and choosing 'Complete System Scan'.
    ===

    Post a new HJT log :)
  • NJD
    edited October 2005
    Hey Trogan

    Yes, that was the whole log. Here's the new info (You didn't say that you wanted the ewido log, but it isn't that long so I've included it):

    Online Scan: File: winsnt.exe
    Status:
    POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
    MD5 9ad1a7ec2d5300a0382a2e6db8e07818
    Packers detected:
    -
    Scanner results
    AntiVir
    Found nothing
    ArcaVir
    Found nothing
    Avast
    Found nothing
    AVG Antivirus
    Found nothing
    BitDefender
    Found nothing
    ClamAV
    Found nothing
    Dr.Web
    Found nothing
    F-Prot Antivirus
    Found unknown virus (probable variant)
    Fortinet
    Found nothing
    Kaspersky Anti-Virus
    Found nothing
    NOD32
    Found nothing
    Norman Virus Control
    Found nothing
    UNA
    Found nothing
    VBA32
    Found Downloader.Small.184 (probable variant)

    Ewido:
    ewido security suite - Scan report

    + Created on: 12:52:01 PM, 18/10/2005
    + Report-Checksum: 1FE4C2BC

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/AdmilliServX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/AdmilliServX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/canada_ver4.ocx\\.Owner -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/canada_ver4.ocx\\{B1B7606A-D7B9-42A8-AFA2-476308413211} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/CONFLICT.1/loader2.ocx\\.Owner -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/CONFLICT.1/loader2.ocx\\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/loader2.ocx\\.Owner -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/loader2.ocx\\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/WinServAdX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/Downloaded Program Files/WinServAdX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/System32/objsafe.tlb\\.Owner -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/System32/objsafe.tlb\\{B1B7606A-D7B9-42A8-AFA2-476308413211} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\D:/WINDOWS/System32/OLEPRO32.DLL\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
    HKLM\SOFTWARE\Windows ServeAd -> Spyware.BlazeFind : Cleaned with backup
    HKU\S-1-5-21-2052111302-113007714-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000097-7C67-4BA6-8B42-05128941688A} -> Spyware.BetterInternet : Cleaned with backup
    [1316] D:\WINDOWS\itmdyvsf.dll -> TrojanDropper.Small.nz : Cleaned with backup
    C:\_Restore\ARCHIVE\FS1.CAB/A0122944.CPY -> Backdoor.MoSucker : Cleaned with backup
    C:\_Restore\ARCHIVE\FS1.CAB/A0122946.CPY -> Backdoor.MoSucker : Cleaned with backup
    C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\CMEUpd.exe -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GFormCTM.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GIoclClient.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GStore.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GStoreServer.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GSvcMgr.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\GSvcSAP.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\CMEII\CMESys.exe -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\GMT\egIEEngine.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\GMT\EGNSEngine.dll -> Adware.Gator : Cleaned with backup
    C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup
    :mozilla.51:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.52:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.53:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.54:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.55:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Clickhype : Cleaned with backup
    :mozilla.76:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    :mozilla.82:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    :mozilla.83:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    :mozilla.159:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.160:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    :mozilla.171:D:\Documents and Settings\NJD\Application Data\Mozilla\Firefox\Profiles\273u9p9q.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    D:\Documents and Settings\NJD\Application Data\spoa.exe -> Spyware.PurityScan : Cleaned with backup
    D:\Documents and Settings\NJD\Cookies\njd@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    D:\Documents and Settings\NJD\Cookies\njd@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
    D:\Documents and Settings\NJD\Cookies\njd@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    D:\Documents and Settings\NJD\Cookies\njd@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\Cookies\njd@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\Cookies\njd@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\GLF582GLF582.EXE -> TrojanDownloader.TSUpdate.f : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\ICD1.tmp\istactivex.dll -> TrojanDownloader.IstBar.gq : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\ICD2.tmp\WinServAdX.dll -> Spyware.WinAD : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\ICD3.tmp\WinServAdX.dll -> Spyware.WinAD : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\ICD4.tmp\canada_ver4.ocx -> Spyware.AdPowerZone : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\ICD5.tmp\canada_ver4.ocx -> Spyware.AdPowerZone : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\sa75.tmp.exe -> TrojanDownloader.Small.uf : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\targetsaver.exe -> TrojanDownloader.TSUpdate.f : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.fr8A5F\common.dll -> Spyware.WebSearch : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.fr8A5F\gykhxlmu.rmr -> Spyware.IBIS : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.fr8A5F\PIB.exe -> Spyware.WebSearch : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.fr8A5F\xlmurin.wzg -> Spyware.IBIS : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.frFF01\common.dll -> Spyware.WebSearch : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.frFF01\gykhxlmu.rmr -> Spyware.IBIS : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.frFF01\TBPS.exe -> Spyware.WebSearch : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.frFF01\toolbar.dll -> Spyware.WebSearch : Cleaned with backup
    D:\Documents and Settings\NJD\Local Settings\Temp\temp.frFF01\xlmurin.wzg -> Spyware.IBIS : Cleaned with backup
    D:\hijackthis\backups\backup-20041223-113914-607.dll -> Spyware.AdPowerZone : Cleaned with backup
    D:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\xtow6870.BUD/WINDOWS/xtowyfop.exe -> TrojanDownloader.IstBar.go : Cleaned with backup
    D:\System Volume Information\_restore{CDB4C9F1-0DBC-41D1-BED5-EE99B002774B}\RP528\A0086647.exe -> TrojanDownloader.Small.adq : Cleaned with backup
    D:\System Volume Information\_restore{CDB4C9F1-0DBC-41D1-BED5-EE99B002774B}\RP528\A0086648.exe -> Backdoor.Banger.b : Cleaned with backup
    D:\WINDOWS\Downloaded Program Files\CONFLICT.1\loader2.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
    D:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgCA10.exe -> Dialer.Generic : Cleaned with backup
    D:\WINDOWS\Downloaded Program Files\rdgCA10.exe -> Dialer.Generic : Cleaned with backup
    D:\WINDOWS\Downloaded Program Files\WinServAdX.dll -> Spyware.WinAD : Cleaned with backup
    D:\WINDOWS\itmdyvsf.dll -> TrojanDropper.Small.nz : Cleaned with backup
    D:\WINDOWS\logon.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Cleaned with backup
    D:\WINDOWS\mstasks2.exe -> Trojan.Favadd.c : Cleaned with backup
    D:\WINDOWS\nsserv.exe -> Not-A-Virus.Pornware.Downloader.Tibsystems.a : Cleaned with backup
    D:\WINDOWS\sideb.exe -> Spyware.EliteBar : Cleaned with backup
    D:\WINDOWS\speer.dll -> Adware.BetterInternet : Cleaned with backup
    D:\WINDOWS\system32\ghhagve.dll -> Spyware.PurityScan : Cleaned with backup
    D:\WINDOWS\system32\spoolsrv32.exe -> Trojan.Small.cr : Cleaned with backup
    D:\WINDOWS\winlogos.exe -> Trojan.Favadd.c : Cleaned with backup
    D:\WINDOWS\ydupsnwj.dll -> TrojanDropper.Small.nz : Cleaned with backup


    ::Report End

    HJT:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:54:23 PM, on 18/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\D-Tools\daemon.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\Documents and Settings\NJD\Application Data\Microsoft\Internet Explorer\Quick Launch\NOTEPAD.EXE
    D:\Program Files\ewido\security suite\ewidoctrl.exe
    D:\WINDOWS\system32\NOTEPAD.EXE
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on MYCOMPUTER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on MYCOMPUTER" /O21 "\\MYCOMPUTER\EPSONSty" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [\\MYCOMPUTER\EPSON Stylus Photo R200 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "\\MYCOMPUTER\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
    O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.real.com
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe

    Thanks again!
    NJD
  • NJD
    edited October 2005
    Incidentally, the Epson print utility is no longer installed on the system, and that process is one of the ones I've suspected something was masquerading as, because there would sometimes be 2 instances of it and it seemed to change names occasionally. Don't know whether that helps or not...

    NJD
  • Trogan (London, UK)
    edited October 2005
    Thanks for doing what I asked :)
    ===

    OK, download CWShredder 2.15 from here. Check for updates first, then run it and press *Fix*, not Scan, and allow it to clean the infection. Close all browser and Explorer windows before hitting the Fix button.
    ===

    Disable System Restore - explained here

    View hidden files and folders - explained here

    YOU MAY WANT TO PRINT OUT (OR SAVE) THE FOLLOWING INSTRUCTIONS AS YOU'LL HAVE NO INTERNET CONNECTION

    Go in Safe Mode - explained here
    ===

    Find and delete the following file:

    D:\WINDOWS\winsnt.exe
    ===

    Do another scan with CWShredder and Ewido in Safe Mode
    ===

    Reboot into Normal Mode, enable System Restore (See same link as disabling) and post a new HJT log :)
  • NJD
    edited October 2005
    Ok, done, done & done, except that I didn't re-enable System Restore, so I hope that doesn't matter. CWShredder didn't find anything on either scan. There seem to be some things running in the background now that weren't there before, but winsnt.exe is still gone. Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:32:06 AM, on 19/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\ewido\security suite\ewidoctrl.exe
    D:\Program Files\D-Tools\daemon.exe
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
    D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    D:\WINDOWS\wmx_win.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on MYCOMPUTER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on MYCOMPUTER" /O21 "\\MYCOMPUTER\EPSONSty" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [\\MYCOMPUTER\EPSON Stylus Photo R200 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "\\MYCOMPUTER\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
    O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.real.com
    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe

    Thanks
    NJD
  • Trogan (London, UK)
    edited October 2005
    Remove these with HJT:

    O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
    O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
    O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe

    O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    Post a new HJT log :)
  • NJD
    edited October 2005
    Ok, done. Here's the new log. Incidentally, will it hurt anything if I take out those things that are for apps not on the system?

    Thanks
    NJD

    Logfile of HijackThis v1.99.1
    Scan saved at 10:39:59 PM, on 19/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\D-Tools\daemon.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Agent\agent.exe
    D:\Program Files\WinRAR\WinRAR.exe
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on MYCOMPUTER] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P49 "Auto EPSON Stylus Photo R200 Series on MYCOMPUTER" /O21 "\\MYCOMPUTER\EPSONSty" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [\\MYCOMPUTER\EPSON Stylus Photo R200 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P43 "\\MYCOMPUTER\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.real.com
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
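    As an added triage helper (my own code, not part of this thread or of HijackThis), the Python below parses HJT logs in the format posted above, applies the heuristic Trogan used when picking the O4 entries to remove (an autorun whose target is an executable sitting directly in the Windows directory, like winsnt.exe and wmx_win.exe), and diffs the log before the fix against the one after it to confirm what actually went away. The two embedded logs are trimmed, constructed copies of the 19/10/2005 logs above; the parse and diff work on a full log just the same.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed copies of the two HijackThis logs posted in this
# thread on 19/10/2005, before and after the O4/O15 entries were fixed with HJT.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:32:06 AM, on 19/10/2005

Running processes:
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\wmx_win.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinMail32SpoolSrv] D:\WINDOWS\wmx_win.exe
O4 - HKCU\..\Run: [winsnt] D:\WINDOWS\winsnt.exe
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:39:59 PM, on 19/10/2005

Running processes:
D:\WINDOWS\system32\winlogon.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# "O4 - ..." style coded entries: a letter, one or two digits, " - ", the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 entry: hive, run key, [name], then the command line.
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable directly under <drive>:\WINDOWS\ (no further subdirectory such as system32).
WINDIR_ROOT_EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe)"?', re.IGNORECASE)


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into its running-process list and its coded entries."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def run_key_targets(entries: List[str]) -> List[Tuple[str, str, str]]:
    """Return (hive, name, command) for every O4 autorun entry."""
    out = []
    for e in entries:
        m = ENTRY_RE.match(e)
        if m and m.group("code") == "O4":
            o4 = O4_RE.match(m.group("body"))
            if o4:
                out.append((o4.group("hive"), o4.group("name"), o4.group("cmd")))
    return out


def flag_windir_root_autoruns(entries: List[str]) -> List[str]:
    """Heuristic from the thread: autoruns whose target lives directly under the
    Windows directory deserve a second look, since legitimate software rarely
    drops its executable there (winsnt.exe and wmx_win.exe in this case)."""
    flagged = []
    for hive, name, cmd in run_key_targets(entries):
        m = WINDIR_ROOT_EXE_RE.match(cmd)
        if m:
            flagged.append(f"{hive}\\..\\Run [{name}] -> {m.group('path')}")
    return flagged


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Show which coded entries and running processes changed between two scans."""
    b, a = parse_hjt(before), parse_hjt(after)
    b_entries, a_entries = set(b["entries"]), set(a["entries"])
    a_procs = set(a["processes"])
    return {
        "removed": [e for e in b["entries"] if e not in a_entries],
        "added": [e for e in a["entries"] if e not in b_entries],
        "processes_gone": [p for p in b["processes"] if p not in a_procs],
    }


if __name__ == "__main__":
    for f in flag_windir_root_autoruns(parse_hjt(LOG_BEFORE)["entries"]):
        print("FLAG:", f)
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *d["removed"], sep="\n  ")
    print("processes gone:", *d["processes_gone"], sep="\n  ")
```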
  • Trogan (London, UK)
    edited October 2005
    NJD wrote:
    Ok, done. Here's the new log. Incidentally, will it hurt anything if I take out those things that are for apps not on the system?
    What sort of apps?
    ===

    Your log is clean :thumbsup:

    Are you still having problems?
    ===

    I forgot to say but you need to re-enable System Restore.
    ===

    Also, you need to get an Anti-Virus and Firewall on your system.

    If you need help with this then ask :)
  • NJD
    edited October 2005
    Specifically, the printer utility (Epson-whatever), and also the things like the realplayer bootloader, etc. I'm ok for firewall & av though, thanks.

    NJD
  • Trogan (London, UK)
    edited October 2005
    If you don't have the apps on your system, then it should be OK to remove them. For example, if you don't have Epson as your printer anymore, then you can remove apps associated with it.

    Are you going to use Add/Remove programs to do it?