#1 - 05-14-2005, 01:04 AM - kipper (Registered User, OS: xp)

Help needed with dialer.instantaccess and HDplugin 1019

Hi - hoping someone out there can please help me with this -

I have a dialer.instantaccess on my system and Norton also detects 3 files - HDplugin1019.dll.

Norton detects the dialer file and sometimes removes it - on rebooting the system the file reappears. Norton also detects the HD file but is unable to remove it. I cannot manually see this file (show hidden files is on) in the directory where it should be.

Xoftspy / Spybot - detect all of the files and fix them - again on reboot the files reappear.

The system is running slowly and when connecting online a pop up appears - on exiting the popup explorer shuts down all other internet windows.

On finding this site I have followed the instructions before posting -

On running Ad-aware SE - it found the dialer file and fixed it - on reboot the file reappeared, only this time I also received a rundll error message for this file. However, on logging back on the popups are back. Downloaded and ran HJT; this is the new log from the hijack analyser program

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 06:47:49, on 14/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Djinn Numéris USB\vstartx.exe
C:\Program Files\Djinn Numéris USB\gisdnlog.exe
C:\Program Files\Djinn Numéris USB\gsyno.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Documents and Settings\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/index.html?cp=hom08i17"); (C:\Program Files\Netscape\Users\prefs.js)
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\Djinn Numéris USB\gsyno.exe" -h
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Reminder-hpc41201.lnk = C:\WINDOWS\HPOnLReg\Remind32.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Djinn start up (Gazel Startup) - Unknown owner - C:\Program Files\Djinn Numéris USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\Djinn Numéris USB\gisdnlog.exe" -s (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\smagent.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Any idea how to permanently remove these files from the system?

Many thanks
#2 - 05-15-2005, 01:21 AM - MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter)

Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature.

I only see one file in the log. Let's try to uncover the others...

Download Silent Runners.vbs http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled.
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.



Please empty any Quarantine folder in your antivirus and purge all recovery items in the spybot program if you use it before running this tool.

Download this virus checker and tool from eScan Mwav.exe (Use Link 3)

1. Save it to a folder.
2. Reboot into safe mode.
3. Double click the Mwav.exe file. (This is a stand-alone tool and NOT just a virus checker, so it won't install anything.)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left click and highlight all the info in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.

We are not going to use this to remove anything, but to ID the bad guys.

Once you copy that to a notepad file...highlight the text and copy it here.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
#3 - 05-16-2005, 06:11 AM - kipper (Registered User, OS: xp)

Many thanks for replying so quickly.

I have followed through everything you suggested - had a few problems running through it but eventually got it sorted out.

Ad-aware SE with VX2 add-on came back clean.
Spybot Search and Destroy found the usual files and fixed them.
CWShredder - not present.

Silent runners log



"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [file not found]
"Instant Access" = "rundll32.exe EGDACCESS_1058.dll,InstantAccess" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"GazelDisplay" = ""C:\Program Files\Djinn Numéris USB\gsyno.exe" -h" ["F.H.L.P. "]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"HPHmon04" = "C:\WINDOWS\System32\hphmon04.exe" ["Hewlett-Packard"]
"HPHUPD04" = ""C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"" ["Hewlett-Packard"]
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"pmzxfjoaw" = "c:\windows\system32\pmzxfjoaw.exe -start" [null data]
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Louise" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Reminder-hpc41201" -> shortcut to: "C:\Windows\HPOnLReg\Remind32.exe" [file not found]
"Utility Tray" -> shortcut to: "C:\WINDOWS\SYSTEM32\sistray.exe" ["Silicon Integrated Systems Corporation"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - Louise" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\
(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\
(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\
(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{1462651F-F4BA-4C76-A001-C4284D0FE16E}\
"ButtonText" = "Wanadoo"
"Exec" = "http://www.wanadoo.fr" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Djinn start up, Gazel Startup, ""C:\Program Files\Djinn Numéris USB\vstartx.exe" /s" ["F.H.L.P. "]
ISDN connection log, GisdnLog, ""C:\Program Files\Djinn Numéris USB\gisdnlog.exe" -s" ["F.H.L.P. "]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
SAVScan, SAVScan, "C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\smagent.exe" ["Analog Devices, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Emptied quarantine folders and purged in Spybot - ran Mwav.exe in safe mode - I see there is a CWS file here, but when running the shredder it came back clean? - I think most of the other files are related to the instantaccess dialer???

File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Louise\LOCALS~1\Temp\temp.frBCB1 infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Louise\LOCALS~1\TEMPOR~1\Content.IE5\PW5BTOK8\EGDACCESS_1058_XP[1].cab infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\SYSTEM\prdznqn.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\hpxscq.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll infected by "not-a-virus:AdWare.Gator.1101" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll infected by "not-a-virus:AdWare.Gator.1101" Virus. Action Taken: No Action Taken.
File C:\Program Files\archivesgaleries\archivesgaleries.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\Documents and Settings\Louise\Local Settings\Temp\temp.frBCB1 infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files\Content.IE5\PW5BTOK8\EGDACCESS_1058_XP[1].cab infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP321\A0052030.EXE infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052563.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052565.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052631.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052632.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052642.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052671.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP323\A0052727.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057500.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057503.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0057665.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0058651.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058663.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058664.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061743.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061744.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061745.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061746.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061747.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\ArchivesGaleries.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
Mon May 16 07:57:22 2005 => **********************************************************

Thanks very much
Louise
#4 - 05-16-2005, 06:42 PM - MicroBell (Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter)

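As an added example (not part of the thread and not code from Silent Runners or eScan), a small Python triage script for the two logs posted in this reply: it parses the Silent Runners "Run" section and flags entries with the traits of the ones found here (no company data, a missing file, rundll32 loading a DLL by bare name, a random-looking value name), and it groups the eScan detections by name, separating live files from System Restore copies. The log excerpts inside are constructed in the shape of the logs above, and the heuristics are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the Silent Runners "Run" section above.
SILENT_RUNNERS_RUN = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [file not found]
"Instant Access" = "rundll32.exe EGDACCESS_1058.dll,InstantAccess" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"pmzxfjoaw" = "c:\windows\system32\pmzxfjoaw.exe -start" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
'''

# Constructed excerpt in the shape of the eScan/Mwav detection lines above.
MWAV_LOG = r'''
File System Found infected by "gator Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\prdznqn.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll infected by "not-a-virus:AdWare.Gator.1019" Virus. Action Taken: No Action Taken.
File C:\ArchivesGaleries.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052631.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061746.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
'''

# One Silent Runners entry:  "name" = "command" [company or status]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<cmd>.*)" \[(?P<tag>[^\]]*)\]$')
# rundll32 invocation: capture the DLL operand (everything before the comma)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+)', re.I)
# One eScan line, in either of the two shapes seen above ("infected by" / "tagged as")
MWAV_RE = re.compile(r'^File (?P<path>.+?) (?:infected by "(?P<a>[^"]+)" Virus|tagged as (?P<b>\S+))\. ')
RESTORE_DIR = "\\system volume information\\_restore"


def looks_random(name):
    """Crude test for generated names like pmzxfjoaw: three or more letters
    that rarely cluster in real product names (heuristic is this example's)."""
    return sum(name.lower().count(c) for c in "jqxzvkw") >= 3


def triage_run_entries(text):
    """Return {value name: {"key": registry key, "reasons": [...]}} for Run
    entries that deserve a closer look; entries with no findings are left out."""
    hits, key = {}, None
    for line in text.splitlines():
        if line.startswith("HK"):          # section header names the registry key
            key = line.split(" ")[0].rstrip("\\")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, cmd, tag = m.group("name", "cmd", "tag")
        reasons = []
        if tag == "null data":
            reasons.append("file carries no company/version information")
        if tag == "file not found":
            reasons.append("target file absent (stale entry, or hidden from the scan)")
        r = RUNDLL_RE.match(cmd)
        if r and "\\" not in r.group("dll"):
            # The bracketed tag describes rundll32.exe; the DLL it loads by bare
            # name (resolved through the DLL search path) is the part to examine.
            reasons.append("rundll32 loads %s by bare name; [%s] refers to rundll32.exe" % (r.group("dll"), tag))
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            hits[name] = {"key": key, "reasons": reasons}
    return hits


def summarize_mwav(text):
    """Group detections by name, separating live files from System Restore
    copies, which only come back if that restore point is applied."""
    out = defaultdict(lambda: {"live": [], "restore_copies": 0})
    for line in text.splitlines():
        m = MWAV_RE.match(line)
        if not m:
            continue
        path, name = m.group("path"), m.group("a") or m.group("b")
        if path == "System Found":          # registry/system-wide hit, no file path
            out[name]["live"].append("(system-wide)")
        elif RESTORE_DIR in path.lower():
            out[name]["restore_copies"] += 1
        else:
            out[name]["live"].append(path)
    return dict(out)


if __name__ == "__main__":
    for name, info in triage_run_entries(SILENT_RUNNERS_RUN).items():
        print("%s\\%s: %s" % (info["key"], name, "; ".join(info["reasons"])))
    for name, info in summarize_mwav(MWAV_LOG).items():
        print("%s: %d live, %d restore-point copies" % (name, len(info["live"]), info["restore_copies"]))
```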
Download KillBox http://www.atribune.org/downloads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/


Run the cleanup utility and reboot/logoff when prompted. Then reboot into safe mode.

**Note** That porn dialer is hiding in the TEMP folder, here: C:\Documents and Settings\Louise\Local Settings\Temporary Internet Files

Make sure you're logged in as Louise. If you have more than one user, run the utility under each.

Click START…RUN…Type in regedit. Make sure just "My Computer" is showing in the left pane and click..FILE….EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Instant Access" = "rundll32.exe EGDACCESS_1058.dll,InstantAccess" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"pmzxfjoaw" = "c:\windows\system32\pmzxfjoaw.exe -start" [null data]




Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregistered DLL" (if available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

If you get a “Pending FileRename Operations Registry Data has been Removed by External Process!" message then just restart manually.

c:\windows\system32\pmzxfjoaw.exe
C:\WINDOWS\SYSTEM\prdznqn.dll
C:\WINDOWS\SYSTEM\hpxscq.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll
C:\ArchivesGaleries.exe


Once rebooted...run HijackThis again and fix these entries IF they are still there...

O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O16 - DPF: Win32 Classes -


EGDACCESS_1058.dll <--locate and delete that file if you find it.

Run the cleanup utility again...and reboot/logoff. Then post another HijackThis log and Mwav log.
#5 - 05-17-2005, 04:16 AM - kipper (Registered User, OS: xp)

I have followed all instructions through as suggested.

On re-running HijackThis after KillBox the EDGACCESS_1058.dll file was not present; however, a file named
016 - DPF: WIN32 Classes -
BFC9677B-8006-4336-9D49-2C797AEFCB9E http:\\akamai.downloadv3.com/binaries/EDGACCESS/EGDACCESS_1058_XP_CAB

I have deleted this????

Here is the new HijackThis log - it appears the previous files are not there. The Mwav log is also here - it lists 31 viruses with 3 errors, including the dialers.

Logfile of HijackThis v1.99.1
Scan saved at 10:26:32, on 17/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Djinn Numéris USB\vstartx.exe
C:\Program Files\Djinn Numéris USB\gisdnlog.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Djinn Numéris USB\gsyno.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Analog Devices\SoundMAX\smagent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Louise\Desktop\HijackThis.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\HPZipm12.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/uk/index.html?cp=hom08i17"); (C:\Program Files\Netscape\Users\edelston\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\Djinn Numéris USB\gsyno.exe" -h
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Reminder-hpc41201.lnk = C:\WINDOWS\HPOnLReg\Remind32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Djinn start up (Gazel Startup) - Unknown owner - C:\Program Files\Djinn Numéris USB\vstartx.exe" /s (file missing)
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\Djinn Numéris USB\gisdnlog.exe" -s (file missing)
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\smagent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\EGDACCESS.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\SYSTEM32\EGDACCESS.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\Program Files\archivesgaleries\archivesgaleries.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\Documents and Settings\Louise\Desktop\backups\backup-20050517-095703-340.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP321\A0052030.EXE infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052563.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052565.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052631.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052632.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052642.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052671.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP323\A0052727.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057500.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057503.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0057665.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0058651.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058663.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058664.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061743.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061744.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061745.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061746.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061747.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062803.exe infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062804.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062805.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062806.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062813.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.

During this process Norton is now not working properly with some files missing so I need to uninstall and reinstall Norton.

Any more suggestions???

Many thanks
Louise
Old 05-18-2005, 01:14 AM   #6 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7


Louise:

The mwav scan is showing that file in the system32 folder..

C:\WINDOWS\system32\EGDACCESS.dll <--KILLBOX that file.

I need you to also search for these and KILL THEM also if found....

EGDACCESS_1044.dll
EGDACCESS_0063.dll
EGLIVECAM.dll
EGLIVECAM_1028.DLL

EDGACCESS/EGDACCESS_1058_XP_CAB <--delete that cab file and its folder wherever you find it.

Have hijackthis fix this entry...

016 - DPF: WIN32 Classes -
BFC9677B-8006-4336-9D49-2C797AEFCB9E http:\\akamai.downloadv3.com/binaries/EDGACCESS/EGDACCESS_1058_XP_CAB


If it can't...run a search in the registry using BFC9677B-8006-4336-9D49-2C797AEFCB9E as the search term and delete that CLSID folder anywhere it's found. Back up your registry before the attempt.

As for Norton..we did not remove any files associated with it. You can reinstall..but let's wait until this spyware is gone. Post another Mwav log..and silentrunners log..when you complete the steps above.

C:\Program Files\archivesgaleries <--is this a legit program? Something you installed?
Old 05-18-2005, 06:47 AM   #7 (permalink)
Registered User
 
Join Date: May 2005
Posts: 20
OS: xp


Hi

Many thanks for the reply and things seem a little better. I have followed the instructions above -

c:\windows\system32\edgaccess.dll - killbox
I couldn't find any of these four files
edgaccess_1044.dll
edgaccess_0063.dll
eglivecam.dll
eglivecam_1028.dll
anywhere on the computer.

edgaccess/edgacess_1058_xp_cab - was deleted last time. I checked again for it this time and couldn't find it.

BFC9677B-8006-4336-9D49-2C797AEFCB9E - not present anywhere on the computer and not on hijackthis.

c:\program files\archivesgaleries - this is not a legit program, not installed by me and I have no idea where it came from - I have deleted it.

The new silent runners log is below with the mwav log.

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SystemTray" = "SysTray.Exe" [MS]
"Smapp" = "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]
"GazelDisplay" = ""C:\Program Files\Djinn Numéris USB\gsyno.exe" -h" ["F.H.L.P. "]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"HPHmon04" = "C:\WINDOWS\System32\hphmon04.exe" ["Hewlett-Packard"]
"HPHUPD04" = ""C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"" ["Hewlett-Packard"]
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"AcctMgr" = "C:\Program Files\Norton Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\nvshell.dll" ["NVIDIA Corporation"]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Louise\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "Louise" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Reminder-hpc41201" -> shortcut to: "C:\Windows\HPOnLReg\Remind32.exe" [file not found]
"Utility Tray" -> shortcut to: "C:\WINDOWS\SYSTEM32\sistray.exe" ["Silicon Integrated Systems Corporation"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [file not found]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]
"Norton AntiVirus - Scan my computer - Louise" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Norton Internet Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\
(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\
(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\
(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRAM FILES\WANADOO\AUDIENCE\AUDIENCE.DLL" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{1462651F-F4BA-4C76-A001-C4284D0FE16E}\
"ButtonText" = "Wanadoo"
"Exec" = "http://www.wanadoo.fr" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Djinn start up, Gazel Startup, ""C:\Program Files\Djinn Numéris USB\vstartx.exe" /s" ["F.H.L.P. "]
ISDN connection log, GisdnLog, ""C:\Program Files\Djinn Numéris USB\gisdnlog.exe" -s" ["F.H.L.P. "]
ISSvc, ISSVC, ""C:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\smagent.exe" ["Analog Devices, Inc."]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

mwav log

File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP321\A0052030.EXE infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052563.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052565.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052631.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052632.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052642.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP322\A0052671.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP323\A0052727.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057500.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP340\A0057503.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0057665.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP343\A0058651.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058663.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0058664.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061743.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061744.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061745.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061746.dll infected by "Trojan-Downloader.Win32.Small.afm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0061747.dll tagged as not-a-virus:RiskWare.Dialer.E-Group.q. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062803.exe infected by "not-a-virus:AdWare.NaviPromo.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062804.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062805.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062806.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062813.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063432.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063433.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063434.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.

mwav was running through fine - it picked up the first 3 items and ran almost to the end until it came to the system volume information when it picked up everything else - what is this file, and does it mean the dialer is still present?

I am probably a little paranoid but my entire business is internet based and computer engineers that understand this kind of stuff in France are few and far between so I have also

run Spybot again and this constantly picks up 4 DSO Exploit entries
HKEY_Users\S-1-5-18\software\microsoft\windows\currentversion\internetsettings\zones\0\1004!=w=3 - registry change
also S-1-5-20, S-1-5-19, Default.
Spybot fixes them but on rerunning Spybot it picks them up again.
run Norton again and it picked up nothing.
run Xoftspy again and it picked up nothing.

I have also recently noticed that I am getting "postmaster unable to deliver your mail" email messages for mail that I have not sent. I can see these 2 entries in the mwav log - is this related?
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062804.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062805.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.

Norton is now running again as I reinstalled yesterday. I did notice that when running CleanUp yesterday some Norton files were listed, and on reinstalling there are Norton files in one of the temp folders. It would appear that after running CleanUp, Norton seemed unable to work.

It's taken me a few minutes to write, cut and paste this message, and for the first time in a week I am using the same explorer window (it hasn't shut itself down) and not a single pop up has appeared - has to be good news!

Please let me know if you can see any problems, or is the computer now as it appears - running much better?

many thanks
Louise
05-19-2005, 01:39 AM   #8
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

Your logs are clean. Mwav is picking up the virus in your restore folder, which we are going to deal with right now. Disable System Restore and then re-enable it. This will clear and clean that folder and give you a clean restore point.

As for Spybot and the DSO stuff, that's a fault of Spybot. Make sure you installed the patch that fixes that: http://www.majorgeeks.com/download4392.html

After you complete those steps you should be good to go. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!

Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
05-20-2005, 12:56 AM   #9
kipper
Registered User
Join Date: May 2005
Posts: 20
OS: xp

Hi

Have changed the System Restore and rerun mwav - everything now appears to be fine and the log is just picking up 3 entries:

File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.

Any idea what they are?

Have downloaded the patch for Spybot and that is also now fine.

Have also installed SpywareGuard and SpywareBlaster and changed the browser to Firefox, which is much better.

Many thanks for your help

Louise
05-20-2005, 01:39 AM   #10
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

One is a left-over registry entry. No harm there. Run a registry cleaner and see if it picks up the unused entry.

The other 2, in the CAB files, are reboot/restart files plus a few others. It looks like you upgraded from 98 to XP instead of doing a clean install. No need to delete them. Neither was tagged "Virus" in the scans.
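The reasoning MicroBell applies in posts #8 and #10 (restore-point copies are cleared by toggling System Restore, "not-a-virus" tags on live files are tools or riskware rather than infections, and only what is left deserves a closer look) can be turned into a small triage script. The following is an added example and is not code from the thread, from MWAV or from any tool named here. It embeds the MWAV lines quoted in this thread as constructed sample input; the line shapes it parses (`File <target> infected by "<name>" Virus. Action Taken: <action>.` and `File <target> tagged as <name>. <action>.`) are inferred only from those quoted lines, so a real MWAV log may contain other formats the regex does not recognise, and such lines are simply skipped.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the MWAV lines quoted in this thread, copied as posted.
SAMPLE_LOG = r"""
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062806.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062813.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063432.exe tagged as not-a-virus:RiskWare.Dialer.Allotick. No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063433.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP346\A0063434.dll infected by "not-a-virus:Porn-Dialer.Win32.InstantAccess" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062804.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{E65E44C9-D122-4841-86F6-49A5E0BB92C2}\RP345\A0062805.dll infected by "Email-Worm.Win32.Tanatos.b.dam2" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.smartsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\OPTIONS\CABS\WIN98_66.CAB tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
"""

# Assumed line shapes, inferred only from the quoted lines above (a real MWAV log may differ):
#   File <target> infected by "<name>" Virus. Action Taken: <action>.
#   File <target> tagged as <name>. <action>.
LINE_RE = re.compile(
    r'^File (?P<target>.+?) '
    r'(?:infected by "(?P<virus>[^"]+)" Virus|tagged as (?P<tag>.+?))\. '
    r'(?:Action Taken: )?(?P<action>.+?)\.$'
)
# A System Restore snapshot copy lives under \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass(frozen=True)
class Detection:
    target: str     # path as logged, or a non-file marker such as "System Found"
    name: str       # signature name as logged
    severity: str   # "virus" (quoted "... Virus"), "not-a-virus" (riskware/tool tag) or "tagged"
    location: str   # "restore-point", "live-file" or "non-file"
    action: str     # what the scanner did, e.g. "No Action Taken"


def classify_location(target: str) -> str:
    if RESTORE_RE.search(target):
        return "restore-point"
    if DRIVE_RE.match(target):
        return "live-file"
    return "non-file"       # registry entries and other non-path targets


def parse_line(line: str):
    """Return a Detection for a recognised MWAV line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["virus"]:
        name, severity = m["virus"], "virus"
    else:
        name = m["tag"]
        severity = "not-a-virus" if name.startswith("not-a-virus:") else "tagged"
    return Detection(m["target"], name, severity, classify_location(m["target"]), m["action"])


def triage(log: str) -> list:
    return [d for d in (parse_line(l) for l in log.splitlines()) if d is not None]


def summarize(detections: list) -> Counter:
    """Count detections per (location, severity) bucket."""
    return Counter((d.location, d.severity) for d in detections)


def needs_attention(detections: list) -> list:
    # Restore-point copies disappear when System Restore is disabled and re-enabled, and a
    # "not-a-virus" tag on a live file is a tool or riskware, not an infection. Whatever is
    # left (a "Virus" hit outside a restore point) is what to investigate next.
    return [d for d in detections if d.location != "restore-point" and d.severity == "virus"]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for (loc, sev), n in sorted(summarize(found).items()):
        print(f"{loc:14} {sev:12} {n}")
    for d in needs_attention(found):
        print("look at:", d.name, "->", d.target)
```

Run on the thread's own lines, the summary puts seven hits in restore points (five "Virus", two riskware), the two Windows 98 CAB files in the live-file/not-a-virus bucket, and leaves exactly one item for follow-up: the cws.smartsearch entry, whose target is not a file path at all, which is the registry left-over MicroBell describes.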
05-20-2005, 02:19 AM   #11
kipper
Registered User
Join Date: May 2005
Posts: 20
OS: xp

Okay - thank you for all the help and support - great website.
Hopefully I'm now well protected

Louise
Copyright 2001 - 2009, Tech Support Forum