Tech Support Forum: HijackThis Log Help
#1 (permalink)
Registered User
Join Date: Sep 2004
Posts: 5
OS: XP
Mystery modem hi jack - msnmsn32.exe - dialer
Hi all,
My PC seems to have been infected with some kind of dialer that disconnects my adsl connection and then attempts to dial out through my old 56K modem. Before this happens, my firewall software detects that the file msnmns32.exe is trying to run. If I let it run, the adsl connection is disconnected, and the 56k modem starts trying to dial. I have not found any reference on the web to msnmns32.exe. Does anyone know what this file is? I have tried fixing this with adaware, and my usual virus software, but the problem remains. Can anyone help?
Thanks in advance,
Stevo.
#2 (permalink)
General Manager (Administrator)
Hi and welcome to TSF
Please go into Windows Explorer, click on C:\ > File > New Folder and call it HJK, or another name of your choice.
Go to this site and download Hijack This. Install the program into the folder you created then run it.
Click Scan. Save the log file to Notepad, then copy and post it back here. Make sure to include the System information at the top of the log as well.
__________________
Please Read The 5 Step Process Before You post A Log Hijack This v2.02 :: Adaware SE :: Spybot Search & Destroy :: SpywareBlaster :: CWShredder To Donate :: Please Click Here :: PROUD MEMBER OF ASAP SINCE NOVEMBER 2004
#3 (permalink)
Registered User
Join Date: Sep 2004
Posts: 5
OS: XP
Thanks very much...
Here is the log:
-----------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 19:47:27, on 16/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Personal Firewall\UmxAgent.exe
C:\Program Files\Tiny Personal Firewall\UmxTray.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\ge****c.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Default\Desktop\security\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - Default URLSearchHook is missing
O1 - Hosts: musiccity.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\msocfg.exe /i
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Personal Firewall\amon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
O12 - Plugin for .moa: C:\Program Files\Internet Explorer\PLUGINS\NPMOBILE.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.line6.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{620E05E7-78B7-4372-957F-5294DA5665BF}: NameServer = 213.208.106.213 213.208.106.212
-------------------------------------------
Cheers,
Stevo.
#4 (permalink)
General Manager (Administrator)
Hi Stevo
I am working on your reply and I will post it shortly. Thanks for your patience.
#5 (permalink)
General Manager (Administrator)
Hello and welcome to TSF
Turn off system restore by doing the following: Right click My Computer > Click on Properties > Click on the System Restore tab > Check the box for Turn Off System Restore > Click Apply then OK. After we are finished with your log file and verified that it is clean, you may turn it back on and create a new restore point.
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O1 - Hosts: musiccity.com
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\deamon.exe /i
O4 - HKLM\..\Run: [SchedulerMgr] C:\WINDOWS\msocfg.exe /i
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O9 - Extra button: AOL Instant Messenger (TM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe (file missing)
Please remember to close any open windows and browsers before fixing any entries. In Hijack This, hit the Fix checked button.
Reboot into Safe Mode (hit F8 key until menu shows).
Delete the following Files/Folders if they still exist:
C:\WINDOWS\csrss.exe <<< This File
C:\WINDOWS\deamon.exe <<< This File
C:\WINDOWS\msocfg.exe <<< This File
C:\WINDOWS\shch.exe <<< This File
NB!!! Please ensure when you delete the above files, you delete them in C:\WINDOWS and NOT C:\WINDOWS\system32.
Reboot into Normal Mode.
Run an online scan at Trend Micro. Please select the “autoclean” option when prompted to do so.
Please post a fresh Hijack This log so that we can check if your system is clean.
#7 (permalink)
Registered User
Join Date: Sep 2004
Posts: 5
OS: XP
Right... I have done the above mentioned steps, and here is the new log.
Thanks again for your help...
Logfile of HijackThis v1.98.2
Scan saved at 20:34:29, on 20/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Personal Firewall\UmxAgent.exe
C:\Program Files\Tiny Personal Firewall\UmxTray.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Documents and Settings\Default\Desktop\security\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZyXEL\ADSL USB Modem\CnxDslTb.exe"
O4 - HKLM\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\RunServices: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ATI VIDEO REGKEY] ati2vid.exe
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Personal Firewall\amon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O12 - Plugin for .moa: C:\Program Files\Internet Explorer\PLUGINS\NPMOBILE.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: *.line6.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
Cheers,
Stevo.
#8 (permalink)
General Manager (Administrator)
Hi Stevo
Your log is clean. Good job! How is your system running now?
|
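The comparison made in this thread, checking the second log against the first one and against the list of entries to fix, can be scripted. The Python below is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample data is a short excerpt of the log lines posted above.

```python
import re

# HijackThis entry lines start with a section code such as R0, O4 or O16.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, detail) entries in a HijackThis log.
    Header and running-process lines do not match and are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # collapse whitespace so re-wrapped forum pastes compare equal
            entries.add((m.group(1), " ".join(m.group(2).split())))
    return entries

def verify_fix(before, after, to_fix):
    """Compare the second log with the first and with the analyst's fix list."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(to_fix)
    return {
        "not_in_first_log": sorted(f - b),        # fix list does not match the log
        "still_present": sorted(f & a),           # fix failed or entry was re-created
        "removed": sorted(f & (b - a)),
        "removed_unexpectedly": sorted((b - a) - f),
        "new": sorted(a - b),                     # appeared between the two scans
    }

# Excerpts from the two logs and the fix list posted in this thread.
TO_FIX = r"""
O1 - Hosts: musiccity.com
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [StartMenu] C:\WINDOWS\deamon.exe /i
"""
BEFORE = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
""" + TO_FIX
AFTER = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
"""

if __name__ == "__main__":
    for key, items in verify_fix(BEFORE, AFTER, TO_FIX).items():
        print(key, items)
```

On the excerpt, the only new entry is the O16 HouseCall control, which matches the Trend Micro online scan requested in post #5.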