Old 05-18-2005, 02:05 PM   #1 (permalink)
Ladyjan
Registered User
Join Date: May 2005
Posts: 4
OS: WINXP

Help please!

My PC is running at a snail's pace. I have done the usual: Spybot Search & Destroy, Ad-Aware, Microsoft AntiSpyware, AVG, Norton and HJT Analyzer. Here are my results.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.98.2
Scan saved at 01:33:30, on 18/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\SCUSAPI.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\WINDOWS\vsnpt513.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SCUSAPI] SCUSAPI.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: VSNPT513.lnk = C:\WINDOWS\vsnpt513.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Freeserve - {AA829EA0-FCDC-11D6-9108-D07482C76F75} - http://www.freeserve.net/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://chat-c3.freeserve.com/Java/cfs31229.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


End of KRC HijackThis Analyzer Log.
====================================================================

I also ran TDS-3 here are the results.

09:50:49 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
09:50:49 [Init] Started 18-05-05 09:50:49 GMT Standard Time (UTC: 0), Internet Time @410.29
09:50:49 [Init] Loading TDS-3 Systems ...
09:50:49 [Init] Token successfully adjusted.
09:50:49 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
09:50:51 [Init] • Plugins : OK. Loaded 13
09:50:51 [Init] • Exec Protection : Not Installed
09:50:51 [Init] WARNING: Your Radius.TD3 database needs to be updated!
09:50:51 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
09:50:51 [Init] Licensed users can use the Update facility from the TDS menu
09:50:52 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
09:51:23 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
09:51:23 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
09:51:23 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
09:51:23 [Init] TDS-3 Ready.
09:51:23 [Tip Of The Day] The Target Host menu is dedicated to finding out information about remote computers, from backdoors to system information to network positioning.
09:51:23 [TDS] Good morning
09:51:48 [Mutex Memory Scan] Started...
09:51:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:51:51 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
09:53:46 [Quit] Unloading ...
09:56:10 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
09:56:10 [Init] Started 18-05-05 09:56:10 GMT Standard Time (UTC: 0), Internet Time @414.00
09:56:10 [Init] Loading TDS-3 Systems ...
09:56:10 [Init] Token successfully adjusted.
09:56:10 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
09:56:10 [Init] • Plugins : OK. Loaded 13
09:56:10 [Init] • Exec Protection : Not Installed
09:56:10 [Init] WARNING: Your Radius.TD3 database needs to be updated!
09:56:10 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
09:56:10 [Init] Licensed users can use the Update facility from the TDS menu
09:56:11 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
09:56:48 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
09:56:49 [Init] • Systems Initialised [55446 references - 28817 primaries/14368 traces/12261 variants/other]
09:56:49 [Init] Radius Systems loaded. <Databases updated 18-05-2005>
09:56:49 [Tip Of The Day] Don't eat food at the keyboard!
09:57:16 [Mutex Memory Scan] Started...
09:57:18 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:57:18 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
09:58:35 [CRC32] Started - verifying 29 files ...
09:59:00 [CRC32] Test finished.
10:12:22 [Memory Scan] Memory scan started, please wait a moment ...
10:12:27 [Memory Scan] Memory scan complete.
10:12:27 [Mutex Memory Scan] Started...
10:12:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
10:12:30 [Trace Scan] Started...
10:14:39 [Trace Scan] Finished.
10:14:39 [Service\Driver Scan] Scanning for services and drivers ...
10:15:24 [Service\Driver Scan] Scanned 341 services and drivers.
10:15:24 [File Scan] Scanning in A:\ ...
10:15:25 [File Scan] Scanned 0 files: 0 alarms in 1.070313 seconds (Avg 1. files/sec)
10:15:25 [File Scan] Scanning in C:\ ...
15:11:13 [File Scan] Scanned 65592 files: 3 alarms in 17748.15 seconds (Avg 4.7 files/sec)
15:11:14 [File Scan] Scanning in D:\ ...
15:11:14 [File Scan] Scanned 0 files: 3 alarms in 0.3710938 seconds (Avg 1. files/sec)
15:11:14 [File Scan] Scanning in E:\ ...
15:11:14 [File Scan] Scanned 0 files: 3 alarms in 0 seconds (Avg -1.#IND files/sec)
15:11:14 [Scan] Finished.
16:50:33 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt
16:51:18 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt

Scan Control Dumped @ 20:33:55 18-05-05
Suspicious Filename: Dual extensions
File: c:\downloads\nero-6[1].6.0.8.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\jan colter\my documents\word\for .n.g.doc

Positive identification: Riskware.Downloader.ImLoader.b
File: c:\system volume information\_restore{54ce8306-184d-44c4-93a5-17cf0e090027}\rp784\a0086243.exe



Any help is gratefully accepted. Many thanks in advance.

Jan

Last edited by Ladyjan; 05-18-2005 at 02:13 PM.
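A second look at the three TDS-3 hits in the post above, as an added example (not TDS-3 code and not part of the original thread). The "Dual extensions" heuristic, as the log shows it behaving, fires on any filename with more than one dot, which is why a version-numbered installer with Internet Explorer's "[1]" download-cache suffix and a Word document with dots in its name both tripped it. The stricter check below fires only on the pattern the heuristic exists to catch (a document or media extension immediately hidden behind an executable one, such as invoice.pdf.exe, including the space-padded variant), and a hit under System Volume Information is classed as an archived restore-point copy rather than a live component. The extension lists and the invoice.pdf.exe sample line are assumptions added for the example; the other three sample hits are copied from the log.

```python
"""Triage of TDS-3 'Scan Control Dumped' hits: stricter dual-extension test
plus recognition of System Restore archive copies.
Added example; not TDS-3 code and not from the thread."""
import re
from pathlib import PureWindowsPath

# Extensions Windows executes on double-click (assumed list, not exhaustive).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta"}
# Extensions commonly used as the decoy half of a disguised executable (assumed list).
DECOY_EXT = {"doc", "docx", "xls", "pdf", "txt", "rtf", "jpg", "jpeg", "gif", "png", "mp3", "avi", "zip", "htm", "html"}

# Constructed sample in the layout TDS-3 used in the post: the three hits from
# the log above plus one synthetic disguised executable (invoice.pdf.exe) to
# exercise the check.
SAMPLE_DUMP = r"""
Suspicious Filename: Dual extensions
File: c:\downloads\nero-6[1].6.0.8.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\jan colter\my documents\word\for .n.g.doc

Positive identification: Riskware.Downloader.ImLoader.b
File: c:\system volume information\_restore{54ce8306-184d-44c4-93a5-17cf0e090027}\rp784\a0086243.exe

Suspicious Filename: Dual extensions
File: c:\downloads\invoice.pdf.exe
"""


def naive_dual_extension(path: str) -> bool:
    """The test as the log suggests TDS-3 applied it: more than one dot in the name."""
    return PureWindowsPath(path).name.count(".") > 1


def disguised_executable(path: str) -> bool:
    """True only when an executable extension sits behind a decoy document or
    media extension (invoice.pdf.exe, 'photo.jpg        .scr').  Version
    numbers and IE's [n] download-cache suffix do not trip it."""
    name = PureWindowsPath(path).name
    name = re.sub(r"\[\d+\]", "", name)                  # drop IE cache suffix such as [1]
    parts = [p.strip().lower() for p in name.split(".")]  # strip() defeats space padding
    if len(parts) < 3 or parts[-1] not in EXECUTABLE_EXT:
        return False
    return any(p in DECOY_EXT for p in parts[1:-1])


def in_restore_point(path: str) -> bool:
    """System Restore keeps copies of changed files under
    System Volume Information\\_restore{...}\\RPnnn.  A hit there is an
    archived copy, not a running component; flushing restore points removes it."""
    return "\\system volume information\\_restore{" in path.lower()


def classify_hit(kind: str, path: str) -> str:
    """Map one TDS-3 hit to a triage verdict."""
    if in_restore_point(path):
        return "restore-point-archive"
    if kind.startswith("Suspicious Filename: Dual extensions"):
        return "review" if disguised_executable(path) else "false-positive"
    return "review"


def parse_scan_dump(text: str):
    """Yield (kind, path) pairs from the 'kind line / File: path' block layout."""
    kind = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File: ") and kind:
            yield kind, line[len("File: "):]
            kind = None
        elif line:
            kind = line


def triage_dump(text: str) -> list[tuple[str, str]]:
    """Return (path, verdict) for every hit in a scan dump, in dump order."""
    return [(path, classify_hit(kind, path)) for kind, path in parse_scan_dump(text)]


if __name__ == "__main__":
    for path, verdict in triage_dump(SAMPLE_DUMP):
        print(f"{verdict:22} {path}")
```

Run stand-alone it prints one verdict per hit: the two dual-extension hits from the log come out as false positives, the ImLoader hit as a restore-point archive, and only the synthetic invoice.pdf.exe is left for review.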

Old 05-19-2005, 03:17 AM   #2 (permalink)
MicroBell
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,963
OS: Windows 7

Please update your version of HijackThis and post another log. The log is mostly clean.

O4 - Global Startup: VSNPT513.lnk = C:\WINDOWS\vsnpt513.exe

Do you have Snapshot Viewer installed?

C:\WINDOWS\System32\SCUSAPI.exe <--upload that file to http://www.kaspersky.com/scanforvirus and scan it. Report your findings when you post the new log.
Old 05-19-2005, 05:08 AM   #3 (permalink)
Ladyjan
Registered User
Join Date: May 2005
Posts: 4
OS: WINXP

Sorry, but I don't know if I have Snapshot Viewer (or what it would be used for!).
I have updated HJT. Ran the virus check on SCUSAPI = clean. I think I got rid of the "O4 - Global Startup: VSNPT513.lnk = C:\WINDOWS\vsnpt513.exe" entry somehow! I was unable to update SBS&D and Ad-Aware before today, but now I have managed to update everything this morning.
Here's my new log.

Thanks for your help.
Old 05-19-2005, 08:55 AM   #4 (permalink)
Ladyjan
Registered User
Join Date: May 2005
Posts: 4
OS: WINXP

Oops, forgot to post the log.

Had problems getting the log. Here it is:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 15:51:12, on 19/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\SCUSAPI.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\MMKbd.exe
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [SCUSAPI] SCUSAPI.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = C:\Program Files\SAMSUNG\RF KeyboardMouse\MMKbd.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.co...p/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================
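The two HijackThis logs in this thread (posts #1 and #4) were read by hand, and the analysts' questions were about specific line shapes: a Run entry that is a bare filename (SCUSAPI.exe, which is looked up on the search path rather than at a fixed location), a Global Startup shortcut whose target could not be resolved ("= ?"), a loose executable launched straight out of C:\WINDOWS (vsnpt513.exe), an object registered whose file is missing, and an ActiveX control (O16 DPF) fetched from a bare IP address instead of a named host. The following triage pass encodes those questions, as an added example that is not HijackThis or KRC Analyzer code and not part of the thread. The sample lines are copied from the logs above; nothing here consults a signature database, so a finding means "look at this", not "infected".

```python
"""Triage pass over HijackThis-style log lines.
Added example; not HijackThis/KRC Analyzer code and not from the thread."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Line shapes as they appear in HijackThis 1.9x logs.
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<lnk>.+?) = (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: (?P<desc>.+?) - (?P<url>\S+)$")

WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")

REASONS = {
    "orphan": "registered object whose file is missing",
    "unqualified-run": "Run command with no path: resolved via the search path, so a same-named file earlier on PATH wins",
    "lnk-unresolved": "startup shortcut whose target cannot be resolved",
    "exe-in-windows-dir": "startup shortcut launching an executable dropped directly in the Windows directory",
    "dpf-ip-host": "ActiveX control downloaded from a bare IP address rather than a named host",
}

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SCUSAPI] SCUSAPI.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: VSNPT513.lnk = C:\WINDOWS\vsnpt513.exe
O9 - Extra button: Freeserve - {AA829EA0-FCDC-11D6-9108-D07482C76F75} - http://www.freeserve.net/ (file missing) (HKCU)
O16 - DPF: {D68217F4-1DF9-45C1-BFA6-61DBD5464527} (Genealogy Browser) - http://66.119.139.74/cabs/zinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""


def is_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def check_line(line: str):
    """Return a finding code for one log line, or None when nothing stands out."""
    if "(file missing)" in line:
        return "orphan"
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").strip().strip('"')
        # No backslash and no drive letter: the name is looked up on the
        # search path at logon instead of at a fixed location.
        return "unqualified-run" if ("\\" not in cmd and ":" not in cmd) else None
    m = STARTUP_RE.match(line)
    if m:
        target = m.group("target").strip()
        if target == "?":
            return "lnk-unresolved"
        low = target.lower()
        # Exactly two backslashes means the file sits directly in C:\WINDOWS,
        # not in a subdirectory such as system32.
        if low.startswith(WINDOWS_DIRS) and low.count("\\") == 2:
            return "exe-in-windows-dir"
        return None
    m = DPF_RE.match(line)
    if m and is_ip_host(m.group("url")):
        return "dpf-ip-host"
    return None


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (code, line) for each line that deserves a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = check_line(line)
        if code:
            findings.append((code, line))
    return findings


if __name__ == "__main__":
    for code, line in triage(SAMPLE_LOG):
        print(f"[{code}] {REASONS[code]}\n    {line}")
```

On the sample it flags exactly the five lines the analysts queried and leaves the quoted full-path Run entries, the ProxyOverride line, the named-host O16 control and the O23 service alone. Every finding still needs the follow-up done in the thread (checking what the file is, scanning it, asking the user), which is what turns "SCUSAPI.exe" from a finding into "needed by my printer".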
Old 05-19-2005, 10:56 AM   #5 (permalink)
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro

Your log is clean.

Turn off System Restore by right-clicking on My Computer, going to Properties -> System Restore and checking the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to re-enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupdate.microsoft.co....aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
Old 05-25-2005, 07:41 AM   #6 (permalink)
Ladyjan
Registered User
Join Date: May 2005
Posts: 4
OS: WINXP

Hi there,

Sorry for taking so long getting back to you.

PC is running OK now THANKS

Many thanks xx Ladyjan

BTW: SCUSAPI is needed by my printer