Thread: HJT Log
01-08-2006, 08:41 AM   #3
P Caftdunt
Registered User
 
Join Date: Jan 2006
Posts: 17
OS: XP


Hi,
Thanks for the swift reply and the easy-to-follow instructions (I thought my PC was fairly clean! I run Ad-Aware and Spybot and never find owt!).

I ran the initial HJT in safe mode.

I followed your instructions; the only thing is I could not find
C:\WINDOWS\system32\msupdate.exe
C:\PROGRA~1\MYWEBS~1\
to delete them - I'm pretty certain I have checked thoroughly.

Here are the current logs:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:13:18, 08/01/2006
+ Report-Checksum: 781C6F7

+ Scan result:

C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3CJPEG.DLL -> Spyware.FunWeb : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3DTACTL.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3HISTSW.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3HTMLMU.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3HTTPCT.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3POPSWT.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3PSSAVR.SCR -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3REPROX.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3RESTUB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3SCHMON.EXE -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3SCRCTR.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\F3WPHOOK.DLL -> Spyware.Wesbar : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\M3HTML.DLL -> Adware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\M3IDLE.DLL -> Adware.IWon : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\M3OUTLCN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\M3PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\M3SKIN.DLL -> Adware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\MWSOEMON.EXE -> Spyware.Wesbar : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\MWSOESTB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-606747145-2025429265-725345543-1003\Dc798\bar\1.bin\NPMYWEBS.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dba2106.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\nat3.exe -> Downloader.Small.bci : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba1878.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dba2106.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba2106.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gba851.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gsa0932.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\nat3.exe -> Downloader.Small.bci : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe -> Not-A-Virus.Downloader.Agent.f : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N56M0311NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.c : Cleaned with backup
C:\WINDOWS\mdkiaf.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\system32\fvp.dll -> Downloader.Agent.oc : Cleaned with backup
C:\WINDOWS\system32\wuamgrd.exe -> Backdoor.SdBot.ig : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1541, on 08/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/radio/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CS2\Services\Tcpip\..\{4174B9D4-AB39-4BB6-A2BA-0BC76B8A60DB}: NameServer = 194.72.0.114 62.6.40.162
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheers.