Status: Not open for further replies.

Registered · 21 Posts · Discussion Starter #1
Hi there

I have tried posting this elsewhere and have had no replies so I thought I would post my hijackthis logs and see if anyone can help me here.

Symptoms I am trying to overcome:

About twice a day my computer (connected to NTL broadband via a router) ceases to gain access to ftp, https:// pages, Remote desktop (unless already connected when it continues to work) and non-NTL pop3 email, though the NTL accounts continue to check fine. Normal browsing of the internet is not affected. This phenomenon is not repeated on the other PCs on the network so it seems it is specific to this one - my main one. This lasts about 20 minutes when it happens.

I did a Hijackthis log while everything was running smoothly, and I have done another while the problem was presenting. As you will see, different programs were running, but otherwise as far as I can see they are identical. I am hoping someone can help, if there is anything here that might cause the problem described above.


Here is the log from when everything was OK

Logfile of HijackThis v1.99.1
Scan saved at 14:41:19, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\AUFILE~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\PETERC~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
C:\DOCUME~1\PETERC~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WS_FTP Pro\wsftppro.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\devenv.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Peter Cresswell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe" -logon
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://indianapolis.dataforce.co.uk/icm/caller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093292310519
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Here is the log taken during a problem time

Logfile of HijackThis v1.99.1
Scan saved at 09:23:44, on 13/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\AUFILE~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Peter Cresswell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe" -logon
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://indianapolis.dataforce.co.uk/icm/caller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093292310519
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
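The question in this post is whether the two logs differ in anything other than which programs happened to be open. As an added example (not code from the thread or from HijackThis), the Python script below parses a HijackThis v1.99.1 log into its running-process list and its R/F/N/O finding lines, diffs two logs as sets in both directions, and applies two read-by-eye triage heuristics that are assumptions of this example rather than rules stated in the thread: an executable running out of a Temp directory, and an O23 service whose owner HijackThis could not resolve. The two sample logs are short excerpts of the ones posted above, embedded here so the script runs offline.

```python
"""Normalise and diff two HijackThis v1.99.1 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Every HijackThis finding starts with a section code: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")


@dataclass
class HjtLog:
    header: list = field(default_factory=list)    # "Logfile of ...", "Platform: ..."
    processes: set = field(default_factory=set)   # running processes, lower-cased paths
    entries: set = field(default_factory=set)     # R/F/N/O lines, verbatim


def parse_hjt(text: str) -> HjtLog:
    """Split a log into header, running-process list and finding entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False
            log.entries.add(line)
        elif in_processes:
            # Windows paths are case-insensitive and the log mixes System32/system32.
            log.processes.add(line.lower())
        else:
            log.header.append(line)
    return log


def diff_hjt(a: HjtLog, b: HjtLog) -> dict:
    """Set difference in both directions; line order in the log carries no meaning."""
    return {
        "processes_only_in_a": sorted(a.processes - b.processes),
        "processes_only_in_b": sorted(b.processes - a.processes),
        "entries_only_in_a": sorted(a.entries - b.entries),
        "entries_only_in_b": sorted(b.entries - a.entries),
    }


def flag_for_review(log: HjtLog) -> list:
    """Two triage heuristics (assumptions of this example, not rules from the thread):
    executables running out of a Temp directory, and O23 services whose owner
    HijackThis could not resolve. They mark lines to look at, not verdicts."""
    flags = []
    for proc in sorted(log.processes):
        if "\\temp\\" in proc:
            flags.append(f"process running from Temp: {proc}")
    for entry in sorted(log.entries):
        if entry.startswith("O23 ") and "Unknown owner" in entry:
            flags.append(f"service with unresolved owner: {entry}")
    return flags


# Constructed excerpts of the two logs posted above (same findings, different processes).
LOG_OK = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:41:19, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\PETERC~1\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\Peter Cresswell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebservices.co.uk/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

LOG_PROBLEM = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:23:44, on 13/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Documents and Settings\Peter Cresswell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebservices.co.uk/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""

if __name__ == "__main__":
    ok, bad = parse_hjt(LOG_OK), parse_hjt(LOG_PROBLEM)
    for key, lines in diff_hjt(ok, bad).items():
        print(key, lines)
    for flag in flag_for_review(ok):
        print("REVIEW:", flag)
```

On the excerpts the diff reports no difference in the R/O findings and only three processes present in the "OK" log alone (Dreamweaver, the `~e5d141.tmp` executable and `mstsc.exe`), which matches the reading that the two logs are identical apart from open programs. The Temp executable sits immediately after Dreamweaver in the first log and is absent in the second, so the flag is a prompt to identify what unpacked it rather than a finding; likewise "Unknown owner" only means the service binary carried no publisher information.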
 

Registered · 199 Posts
Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".
 

Registered · 199 Posts
Hi there, your log appears clean...but let's do some further scanning to ensure your system is completely clean and safe.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Do an online scan at Panda. This will locate other hidden trojans/worms in your machine.
 

Registered · 21 Posts · Discussion Starter #5
Thanks Ricvai

I will have a go at this in the morning (bedtime now!) and let you know the result

Thanks for taking the time to try to help
 

·
Registered
Joined
·
21 Posts
Discussion Starter #6
Am I glad I decided to run this overnight in the end! It ran for over 8 hours and was still running when I got up this morning, but has finally stopped.

Plenty of results. When I copied them to Notepad it made them into a continuous paragraph so I have been through and put in the line breaks in the hopes this will make it easier for you.

No results from the Panda scan, just a load of zeros, though it was very quick, so I don't know if I did it right. I did click the 'drives' icon after it had finished to see if this would make it do the drives, but it just gave a JavaScript error about an unfound object.

Here are the results from mwav:

Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfassistant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "purityscan Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "specialoffers Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfassistant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "weathercast Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfassistant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "surfassistant Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ezula toptext Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "linkgrabber 99 Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Real\GToolbar\BarControl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\System32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ML1510_700set.exe" refers to invalid object "C:\WINDOWS\Samsung\ML1510_700\AddPrint\ML1510_700set.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\ORUN32.EXE" refers to invalid object "C:\WINDOWS\ORUN32.EXE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Sony DV Shared Library" refers to invalid object "C:\Program Files\Common Files\Sony Shared\DVLib\Sony DV Shared Library". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Sony MPEG Decoder Library" refers to invalid object "C:\Program Files\Sony Corporation\Sony MPEG Decoder Library\Sony MPEG Decoder Library". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Sony Shared Library for XP" refers to invalid object "C:\Program Files\Sony Corporation\Sony Shared Library for XP\Sony Shared Library for XP". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\VAIO Edit Components LE" refers to invalid object "C:\Program Files\Adobe\Premiere 6 LE\VAIO Edit Components LE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\Program Files\sony\VAIO Serenus Wallpaper\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Microsoft Office\Office10\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Microsoft Office\Office10\1033\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Adobe\Acrobat 6.0\Reader\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".104". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".110/Daily%20BUP/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".125/in/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".125/out/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".131/wwwroot/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".131/wwwroot/inta/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".131/wwwroot/inta/images/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".131/wwwroot/inta/imagesBalloons/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".186/testsystem/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".186/testsystem/pcweb/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".44/Alun%20Smith/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".44/BATS/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".44/Default/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".44/Lightwave/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".cf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".config". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dbx". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dmb". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".DS_Store". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".dtd". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".iaf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".iss". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sng". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".sxw". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".TPS". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/htdocs/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/htdocs/preview/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/htdocs/preview/Micom/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/htdocs/preview/Micom/images/". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wks". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".wps". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".XLR". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".zlp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object "._old5asp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{22AE7312-F90A-49CE-A12D-91BC7905055D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{4E9C3F2D-C654-453E-B1AD-9F231905A50D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7BF7B688-4A95-4003-BA98-EA8A79DA0ABA}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{90190409-6000-11D3-8CFE-0050048383C9}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{91110409-6000-11D3-8CFE-0050048383C9}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{9C2EDC9C-EF3B-443A-BB2C-3488DAC7247E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{A27F2A64-3D23-4449-B395-75335CED458E}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AC76BA86-7AD7-1033-7B44-A00000000001}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{FB015BB0-5518-4767-9DE4-F9A5C7C62E46}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2C296FFF-6969-11D6-B9F3-00D0B717718C}" refers to invalid object "F:\AppInstall.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{35778CA8-47E8-4005-935C-EC88E8CAAFE5}" refers to invalid object "C:\Program Files\Microsoft Office\Office10\MSPUB.EXE /IMG_STI /StiDevice:%1 /StiEvent:%2". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\Program Files\Messenger\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BC5F1E50-5110-11D1-AFF5-006097C9A284}" refers to invalid object "C:\PROGRA~1\MICROS~3\Office10\BLNMGRPS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BC5F1E51-5110-11D1-AFF5-006097C9A284}" refers to invalid object "C:\PROGRA~1\MICROS~3\Office10\BLNMGRPS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{BC5F1E53-5110-11D1-AFF5-006097C9A284}" refers to invalid object "C:\PROGRA~1\MICROS~3\Office10\BLNMGRPS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E987AE21-82E2-4D89-8A6B-F3308B5CB172}" refers to invalid object "C:\Program Files\Microsoft Office\Office10\WINWORD.EXE /IMG_WIA". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F27CE930-4CA3-11D1-AFF2-006097C9A284}" refers to invalid object "C:\PROGRA~1\MICROS~3\Office10\BLNMGRPS.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F9CA0E4E-3A88-4993-8161-398FDEF8E4BE}" refers to invalid object "C:\Program Files\Microsoft Office\Office10\MSPUB.EXE /IMG_WIA". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2C296FF2-6969-11D6-B9F3-00D0B717718C}" refers to invalid object "F:\AppInstall.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{8F6C7660-E8A1-11D0-B9B3-2A92D0000000}" refers to invalid object "C:\PROGRA~1\MICROS~3\Office10\SQLPARSE.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{DCB43485-19FB-4D6D-BB3D-73C7F48D5F00}" refers to invalid object "C:\Program Files\Messenger\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\Microsoft.DAVector2" refers to invalid object "{E01C55ED-C7E4-4935-3803-1EDB92987FFC}". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\Msohelp.HtmlHelp.1" refers to invalid object "{31E0DFD7-2621-11D2-AFD7-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpAWDlg.1" refers to invalid object "{B58C2441-A1A3-11D2-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\MsoHelpKeyDlg.1" refers to invalid object "{B58C2440-A1A3-11D2-B024-006097C9A284}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\ppifile\shell\open\command" refers to invalid object "%SystemRoot%\System32\msppcnfg.exe /Config %1". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\VSEditorFactory.VsEditorFactory.1" refers to invalid object "{CB3FCF01-03DF-11D1-81D2-00A0C91BBEE3}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
Entry "HKCR\WMPShell.HWEventHandler.1" refers to invalid object "{9B186A8F-F520-4eeb-B553-118304AC46C5}". Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Documents\pcanywhere 10.5\Full.Cab tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Documents\to server\pcanywhere 10.5\Full.Cab tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Peter Cresswell\My Documents\Downloads\Clickatell API\COM-API_Installer.exe tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Documents and Settings\Peter Cresswell\My Documents\Downloads\pcanywhere 10.5\Full.Cab tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\IkDots.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\IkFace.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\IkGen.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\IkRainbow.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\LunacyCore.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\TsmDSCap2.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File D:\Backup\components\Clickatell API\COM-API_Installer.exe tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File D:\Backup\components\pcanywhere 10.5\Full.Cab tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File D:\Backup\components.zip tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File D:\Backup\MailEnable\Store\05-01-31\ME_Store.zip infected by "Email-Worm.Win32.Mydoom.l" Virus! Action Taken: No Action Taken.
File D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI infected by "Email-Worm.Win32.Mydoom.l" Virus! Action Taken: No Action Taken.
File D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI infected by "Email-Worm.Win32.Mydoom.l" Virus! Action Taken: No Action Taken.
File D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI infected by "Email-Worm.Win32.Mydoom.m" Virus! Action Taken: No Action Taken.
File D:\from Mydocs\from servit server 1\COM-API_Installer.exe tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File D:\from Mydocs\richbitch\library\band_38.jpg infected by "Backdoor.ASP.Ace.q" Virus! Action Taken: No Action Taken.
File D:\from Mydocs\richbitch\library\Zehir.asp infected by "Backdoor.ASP.Ace.ai" Virus! Action Taken: No Action Taken.
File D:\from Mydocs\richbitch\library\zehir3.asp infected by "Backdoor.ASP.Ace.q" Virus! Action Taken: No Action Taken.
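The report above mixes four kinds of line, and they do not all mean the same thing: "Entry ... refers to invalid object" lines are dangling registry references left by uninstalled software; "Object ... Spyware/Adware found" lines are adware signatures with no path given; "tagged as not-a-virus:..." lines are the riskware/PUA class (dialers, adware), and the same generic dialer name hitting a pcAnywhere DLL, Sony visualizer plug-ins, an SMS-API installer and several backups is the spread pattern of an overbroad signature that wants verification before deletion; "infected by" lines are real detections, but most of them sit in mail-store backups (.MAI files, ME_Store.zip), Outlook Express .dbx folders or the JRE applet cache, which are stored content rather than code running on this machine. The following script is an added example, not part of any post in this thread and not the scanner's own tooling: it parses lines in that format, sorts them into those buckets, and counts how many distinct directories each signature hits. The category rules and the inert-path markers are my own judgment calls, and the sample log is constructed from the report's format with shortened paths and the user name changed.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "category signature path")

# Line shapes used by the report above (eScan/MWAV style).
RE_ENTRY = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]*)"')
RE_OBJECT = re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')
RE_FILE = re.compile(r'^File (?P<path>.+?) (?:tagged as|infected by) "(?P<name>[^"]+)"')

# Path fragments that mean "stored content, not code that runs on this host":
# mail-store messages (.MAI), Outlook Express folders (.dbx), archives,
# backup trees and the JRE's applet cache. Worth removing, but not the cause
# of a live problem on this machine. (Assumed markers, my own choice.)
INERT_MARKERS = (".mai", ".dbx", ".zip", ".cab", "\\backup\\", "\\java\\deployment\\cache\\")

def classify(line):
    """Map one report line to a Finding, or None for lines that are not findings."""
    line = line.strip()
    m = RE_ENTRY.match(line)
    if m:   # dangling registry reference: housekeeping, not malware
        return Finding("registry_orphan", m.group("key"), m.group("target"))
    m = RE_OBJECT.match(line)
    if m:   # adware signature with no path reported
        return Finding("adware_signature", m.group("name"), None)
    m = RE_FILE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        if name.lower().startswith("not-a-virus:"):
            # riskware/PUA class (dialers, adware): verify before deleting
            return Finding("pua_verify", name, path)
        if any(marker in path.lower() for marker in INERT_MARKERS):
            return Finding("infected_stored", name, path)
        return Finding("infected_live", name, path)
    return None

def triage(report_text):
    """Group findings by category and count the distinct directories each file
    signature hits. One generic name spread across unrelated vendor trees is
    the pattern of an overbroad signature; those paths go to a multi-engine
    check before anything is deleted."""
    by_category = {}
    dirs_per_signature = {}
    for line in report_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        by_category.setdefault(hit.category, []).append(hit)
        if hit.path and hit.category != "registry_orphan":
            parent = str(PureWindowsPath(hit.path).parent).lower()
            dirs_per_signature.setdefault(hit.signature, set()).add(parent)
    spread = {sig: len(dirs) for sig, dirs in dirs_per_signature.items()}
    return by_category, spread

# Constructed sample in the report's format (paths shortened, user name changed);
# the signature names are the ones that appear in the posted log.
SAMPLE_LOG = r"""
Object "media tickets Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
File C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll tagged as "not-a-virus:porn-Dialer.Win32.CDUpdater.g". Action Taken: No Action Taken.
File C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip infected by "Exploit.Java.ByteVerify" Virus! Action Taken: No Action Taken.
File D:\Backup\MailEnable\Store\05-01-31\ME_Store.zip infected by "Email-Worm.Win32.Mydoom.l" Virus! Action Taken: No Action Taken.
File D:\from Mydocs\richbitch\library\Zehir.asp infected by "Backdoor.ASP.Ace.ai" Virus! Action Taken: No Action Taken.
"""

if __name__ == "__main__":
    cats, spread = triage(SAMPLE_LOG)
    for category, hits in sorted(cats.items()):
        print(f"{category}: {len(hits)}")
        for h in hits:
            print(f"  {h.signature}  {h.path or ''}")
    print("directories hit per signature:", spread)
```

Run against the full report the "pua_verify" bucket collects every CDUpdater.g hit and the spread count for that one signature runs to a dozen unrelated directories, while the only "infected_live" entries are the ASP backdoor files copied in from a web server and the Java cache entries, which is a much shorter list to act on than the raw log suggests.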
 

Registered · 199 Posts
===============================================================

Download Killbox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\Documents and Settings\All Users\Documents\pcanywhere 10.5\Full.Cab
C:\Documents and Settings\All Users\Documents\to server\pcanywhere 10.5\Full.Cab
C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip
C:\Documents and Settings\Peter Cresswell\My Documents\Downloads\Clickatell API\COM-API_Installer.exe
C:\Documents and Settings\Peter Cresswell\My Documents\Downloads\pcanywhere 10.5\Full.Cab
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\IkDots.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\IkFace.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\IkGen.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\IkRainbow.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\LunacyCore.dll
C:\Program Files\Common Files\Sony Shared\Visualizer\TsmDSCap2.dll
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll
D:\Backup\components\Clickatell API\COM-API_Installer.exe
D:\Backup\components\pcanywhere 10.5\Full.Cab
D:\Backup\components.zip
D:\Backup\MailEnable\Store\05-01-31\ME_Store.zip
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI
D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI
D:\from Mydocs\from servit server 1\COM-API_Installer.exe
D:\from Mydocs\richbitch\library\band_38.jpg
D:\from Mydocs\richbitch\library\Zehir.asp
D:\from Mydocs\richbitch\library\zehir3.asp


Start KillBox

  • Go to the File menu, and choose Paste from Clipboard.
  • Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  • Click the RED X button.
  • Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.

Downloads
Ewido Security Suite

  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
  • Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

  • On the left hand side of the main screen click update.
  • Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).


Run Ewido with its updated definitions (it's important that all windows are closed):

  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:

  • "Perform action on all infections"
  • Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Online Scans

Please open IE and go to
Kaspersky WebScanner
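The "Delete on Reboot" option in the Killbox steps above relies on the facility Windows itself provides for removing files that are locked or in use: MoveFileEx called with a NULL destination and MOVEFILE_DELAY_UNTIL_REBOOT, which records the request under the session manager's PendingFileRenameOperations value so the deletion happens early in the next boot, before anything can reopen the file. The script below is an added example, not code from this thread or from Killbox, that does the two things a practitioner would want from that step: it records the size and SHA-256 of every listed file before anything is destroyed (so a hash or a copy can still be submitted to other engines afterwards), and it queues each existing file for deletion at reboot through that same API. It assumes Python 3 on Windows run from an elevated prompt; the file name killlist.py and the paths.txt/manifest.json arguments are hypothetical. It does not unregister DLLs or stop the Explorer shell, which Killbox's other options cover.

```python
import ctypes
import hashlib
import json
import sys
from pathlib import Path

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # kernel32 MoveFileExW flag

def parse_path_list(text):
    """One absolute path per line, as pasted from the thread; blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record size and SHA-256 of every target before it is destroyed, so the
    hashes (or copies taken beforehand) can still be checked against other
    engines; paths that do not exist are reported, not silently skipped."""
    manifest = {"present": {}, "missing": []}
    for raw in paths:
        p = Path(raw)
        if p.is_file():
            manifest["present"][raw] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
        else:
            manifest["missing"].append(raw)
    return manifest

def schedule_delete_on_reboot(path):
    """Queue the file for deletion at next boot: MoveFileExW with a NULL target
    and MOVEFILE_DELAY_UNTIL_REBOOT writes the request into
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations,
    which is why this needs an administrator token."""
    if sys.platform != "win32":
        raise OSError("delete-on-reboot uses the Win32 API; run this on Windows")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    kernel32.MoveFileExW.restype = ctypes.c_bool
    if not kernel32.MoveFileExW(str(path), None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())

def run(list_file, manifest_file):
    """Hash everything first, write the manifest, then queue the deletions."""
    targets = parse_path_list(Path(list_file).read_text(encoding="utf-8"))
    manifest = build_manifest(targets)
    Path(manifest_file).write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    for p in manifest["present"]:
        schedule_delete_on_reboot(p)
    return manifest

if __name__ == "__main__":
    # usage (hypothetical file name, elevated prompt): python killlist.py paths.txt manifest.json
    result = run(sys.argv[1], sys.argv[2])
    print(f"queued {len(result['present'])} file(s); missing: {result['missing']}")
```

Because the manifest is written before the first MoveFileExW call, a file that turns out to be a false positive (the thread's own worry about pcAnywhere's WinNTAuth.dll is the obvious case) can still be matched by hash against the vendor's copy or a multi-engine scanner result after the reboot has removed it.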
 

Registered · 21 Posts
Discussion Starter #8 (Edited)
Oh Wow - Thanks for this, but this is very scary. I have not heard of any of this software.

I do hope it doesn't stop my PC functioning - I rely on it a lot. Can you offer any assurance?

I don't have time to do this today, but will try to do it tomorrow.

Won't deleting C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll stop PC Anywhere working? Of all the programs I can see represented here this is the only one I use regularly.

Why have my AntiVirus (AVG SOHO edition) and my Adaware SE (including AdWatch Monitoring) not found and stopped all these things?

Thanks so much for your help. How do I pay you?
 

TSF Security Team, Emeritus · 26,363 Posts
Killbox is a utility used for deleting those hard-to-kill files. You can find many references to this tool if you do a keyword search on google.

Kaspersky, Panda & Ewido are well respected names in the antivirus community. There really shouldn't be any cause for concern. Try googling around & see if there's any bad reports about them.

If you're worried about deleting WinNTAuth.dll, I suggest that you visit this website - http://virusscan.jotti.org

Submit those files for a comprehensive scan & see what it brings back.
 

Registered · 21 Posts
Discussion Starter #10
Hi there and thanks again for all the help

Seems I am not out of the woods yet.

Done everything you asked. The ewido report looked like this:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:25:15, 16/10/2005
+ Report-Checksum: 958FB85C

+ Scan result:

HKU\S-1-5-21-869750193-720897496-4103935507-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-869750193-720897496-4103935507-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{706F3805-27D7-478D-80E5-E25D2BB030B3} -> Spyware.RoingsSearch : Cleaned with backup
HKU\S-1-5-21-869750193-720897496-4103935507-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
C:\!Submit\components.zip/components/pcanywhere 10.5/Full.Cab/F6762_WinNTAuth.dll -> Dialer.Generic : Cleaned with backup
C:\!Submit\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\!Submit\Full.Cab/F6762_WinNTAuth.dll -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Peter Cresswell\Cookies\peter [email protected][2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Symantec\pcAnywhere\WinNTAuth.dll -> Dialer.Generic : Cleaned with backup


::Report End


BUT the kaspersky report shows these files are still infected:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 16, 2005 15:43:03
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/10/2005
Kaspersky Anti-Virus database records: 145067
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 548173
Number of viruses found: 8
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 18396 sec

Infected Object Name - Virus Name
C:\!Submit\band_38.jpg Infected: Backdoor.ASP.Ace.q
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/1B08BC86D4B94094ABA056D2D8DCC8.MAI/[From "Automatic Email Delivery Software" <[email protected]>][Date Tue, 25 Jan 2005 17:56:00 +0000]/document.zip/document.scr Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/1B08BC86D4B94094ABA056D2D8DCC8.MAI/[From "Automatic Email Delivery Software" <[email protected]>][Date Tue, 25 Jan 2005 17:56:00 +0000]/document.zip Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/1B08BC86D4B94094ABA056D2D8DCC8.MAI Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/27CAC58D9E324480BB9C194A7B86F7.MAI/[From "Bounced mail" <[email protected]>][Date Fri, 21 Jan 2005 23:52:47 +0000]/file.bat Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/27CAC58D9E324480BB9C194A7B86F7.MAI Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/37E29305977449E591C343C4DC9A72.MAI/[From "Mail Administrator" <[email protected]>][Date Fri, 28 Jan 2005 21:18:55 +0000]/cfnjr.zip/cfnjr.htm .exe Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/37E29305977449E591C343C4DC9A72.MAI/[From "Mail Administrator" <[email protected]>][Date Fri, 28 Jan 2005 21:18:55 +0000]/cfnjr.zip Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/37E29305977449E591C343C4DC9A72.MAI Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/86A36BF971DC4894B8C22EA95BB273.MAI/[From "Bounced mail" <[email protected]>][Date Wed, 12 Jan 2005 19:38:27 +0000]/vim.zip/vim.exe Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/86A36BF971DC4894B8C22EA95BB273.MAI/[From "Bounced mail" <[email protected]>][Date Wed, 12 Jan 2005 19:38:27 +0000]/vim.zip Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/86A36BF971DC4894B8C22EA95BB273.MAI Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/A0EBFFD3903749A18E1CB0128116FA.MAI/[From [email protected]][Date Sun, 9 Jan 2005 20:59:01 +0000]/[email protected] Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/healthspaherbs.com/MAILROOT/rachel/Inbox/A0EBFFD3903749A18E1CB0128116FA.MAI Infected: Email-Worm.Win32.Mydoom.l
C:\!Submit\ME_Store.zip/Postoffices/herbs4health.co.uk/MAILROOT/alan/Inbox/457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip/instruction.zip/INSTRUCTION.EXE Infected: Email-Worm.Win32.Mydoom.m
C:\!Submit\ME_Store.zip/Postoffices/herbs4health.co.uk/MAILROOT/alan/Inbox/457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip/instruction.zip Infected: Email-Worm.Win32.Mydoom.m
C:\!Submit\ME_Store.zip/Postoffices/herbs4health.co.uk/MAILROOT/alan/Inbox/457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip Infected: Email-Worm.Win32.Mydoom.m
C:\!Submit\ME_Store.zip/Postoffices/herbs4health.co.uk/MAILROOT/alan/Inbox/457C6AF93D1943A1B3585A69867994.MAI Infected: Email-Worm.Win32.Mydoom.m
C:\!Submit\ME_Store.zip/Postoffices/uk-portals.com/MAILROOT/petrofit/Inbox/206F4C9294848E58D12ADAB252D1A.MAI/[From PCS <[email protected]>][Date mer, 15 dic 2004]/link.postcard.christmas.php0700.zip/giftcard.id5770.pif Infected: Email-Worm.Win32.Zafi.d
C:\!Submit\ME_Store.zip/Postoffices/uk-portals.com/MAILROOT/petrofit/Inbox/206F4C9294848E58D12ADAB252D1A.MAI/[From PCS <[email protected]>][Date mer, 15 dic 2004]/link.postcard.christmas.php0700.zip Infected: Email-Worm.Win32.Zafi.d
C:\!Submit\ME_Store.zip/Postoffices/uk-portals.com/MAILROOT/petrofit/Inbox/206F4C9294848E58D12ADAB252D1A.MAI Infected: Email-Worm.Win32.Zafi.d
C:\!Submit\ME_Store.zip Infected: Email-Worm.Win32.Zafi.d
C:\!Submit\Zehir.asp Infected: Backdoor.ASP.Ace.ai
C:\!Submit\zehir3.asp Infected: Backdoor.ASP.Ace.q
C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\keynections.dbx/[From "Post Office" <[email protected]>][Date Fri, 30 Jul 2004 15:48:58 +0100]/document.zip/document.pif Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\keynections.dbx/[From "Post Office" <[email protected]>][Date Fri, 30 Jul 2004 15:48:58 +0100]/document.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\keynections.dbx Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\PureSport.dbx/[From "Pure Sport Sales" <[email protected]>][Date Wed, 8 Dec 2004 12:13:50 -0000]/UNNAMED/puresport.com.zip/puresport.com.txt .com Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\PureSport.dbx/[From "Pure Sport Sales" <[email protected]>][Date Wed, 8 Dec 2004 12:13:50 -0000]/UNNAMED/puresport.com.zip Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\PureSport.dbx/[From "Pure Sport Sales" <[email protected]>][Date Wed, 8 Dec 2004 12:13:50 -0000]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\PureSport.dbx Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx/[From [email protected] [mailto:[email protected]]][Date Thu, 2 Jun 2005 15:05:47 +0100]/document.zip/document.htm .scr Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx/[From [email protected] [mailto:[email protected]]][Date Thu, 2 Jun 2005 15:05:47 +0100]/document.zip Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx/[From "Just Sloggi" <[email protected]>][Date Thu, 2 Jun 2005 15:08:00 +0100]/UNNAMED/instructions.zip/instructions.doc .scr Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx/[From "Just Sloggi" <[email protected]>][Date Thu, 2 Jun 2005 15:08:00 +0100]/UNNAMED/instructions.zip Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx/[From "Just Sloggi" <[email protected]>][Date Thu, 2 Jun 2005 15:08:00 +0100]/UNNAMED Infected: Net-Worm.Win32.Mytob.bf
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx Infected: Net-Worm.Win32.Mytob.bf
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI/[From "Automatic Email Delivery Software" <[email protected]>][Date Tue, 25 Jan 2005 17:56:00 +0000]/document.zip/document.scr Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI/[From "Automatic Email Delivery Software" <[email protected]>][Date Tue, 25 Jan 2005 17:56:00 +0000]/document.zip Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI/[From "Mail Administrator" <[email protected]>][Date Fri, 28 Jan 2005 21:18:55 +0000]/cfnjr.zip/cfnjr.htm .exe Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI/[From "Mail Administrator" <[email protected]>][Date Fri, 28 Jan 2005 21:18:55 +0000]/cfnjr.zip Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI Infected: Email-Worm.Win32.Mydoom.l
D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip/instruction.zip/INSTRUCTION.EXE Infected: Email-Worm.Win32.Mydoom.m
D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip/instruction.zip Infected: Email-Worm.Win32.Mydoom.m
D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI/[From "Post Office" <[email protected]>][Date Thu, 27 Jan 2005 19:09:25 +0000]/instruction.zip Infected: Email-Worm.Win32.Mydoom.m
D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI Infected: Email-Worm.Win32.Mydoom.m

Scan process completed.


Please could you continue to advise me on what to do now. I could see nothing at the end of the scan to tell it to clean the files. I seek your advice. Do I use killbox again on these files?

Also, what is this folder C:!Submit? I really don't remember it ever being there before, but maybe it was. I don't know.
 

Registered · 199 Posts
Also, what is this folder C:!Submit? I really don't remember it ever being there before, but maybe it was. I don't know
Yes you're right, it wasn't there before because it is a folder created by Killbox to keep backups of the files it deleted. ;)

=================================================================

Download & Save on Desktop - KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Because of the sheer length of their file paths\names, some files will not be deleted by Killbox. You'll have to do that manually.

Locate & delete these files/folders:

C:\Documents and Settings\Peter Cresswell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3cbf8b76-1bd40a76.zip

D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\1B08BC86D4B94094ABA056D2D8DCC8.MAI

D:\Backup\MailEnable\Store\05-01-31\Postoffices\healthspaherbs.com\MAILROOT\rachel\Inbox\37E29305977449E591C343C4DC9A72.MAI

D:\Backup\MailEnable\Store\05-01-31\Postoffices\herbs4health.co.uk\MAILROOT\alan\Inbox\457C6AF93D1943A1B3585A69867994.MAI



Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\keynections.dbx
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\PureSport.dbx
C:\Documents and Settings\Peter Cresswell\Local Settings\Application Data\Identities\{82ECB565-61DA-4EC1-A96D-CCA0534EB13D}\Microsoft\Outlook Express\sloggi.dbx


Start KillBox

  • Go to the File menu, and choose Paste from Clipboard
  • Select/tick the following:
    1. "Delete on Reboot"
    2. "End Explorer Shell While Killing File"
    3. "Unregister.dll Before Deleting" if it's not grayed out
  • Click the RED X button.
  • Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.




Upon reboot, repeat the Kaspersky scan & post the resultant report & a new HJT log.
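The reply above picks the outermost .dbx, .MAI and .zip containers out of the Kaspersky report rather than the attachments nested inside them, because only the container exists on disk. As an added example (not part of the thread, and not Kaspersky's or Killbox's code), this Python script does the same reduction over a constructed report in the same line format; the paths and GUID in the sample are made up, and the C:\!Submit rule relies only on the reply's note that it is Killbox's backup folder.

```python
"""Reduce a Kaspersky web-scanner style report to the files it implicates.

Each hit line reads  <on-disk path>[/<archive or mail-store members>...] Infected: <name>
Kaspersky joins nested members with '/', while Windows paths use '\\', so the
first '/' marks where the real file ends and the archive contents begin.
"""
import re
from collections import defaultdict

# Constructed sample in the report format seen in this thread. Three nested
# hits collapse to one .zip, two to one .dbx; C:\!Submit holds Killbox backups.
SAMPLE_REPORT = """\
C:\\!Submit\\ME_Store.zip/Postoffices/example.com/MAILROOT/user/Inbox/ABC123.MAI/[From X <x@example.com>][Date mer, 15 dic 2004]/link.zip/giftcard.pif Infected: Email-Worm.Win32.Zafi.d
C:\\!Submit\\ME_Store.zip/Postoffices/example.com/MAILROOT/user/Inbox/ABC123.MAI/[From X <x@example.com>][Date mer, 15 dic 2004]/link.zip Infected: Email-Worm.Win32.Zafi.d
C:\\!Submit\\ME_Store.zip Infected: Email-Worm.Win32.Zafi.d
C:\\!Submit\\Zehir.asp Infected: Backdoor.ASP.Ace.ai
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{GUID}\\Microsoft\\Outlook Express\\inbox.dbx/[From "Post Office" <po@example.com>][Date Fri, 30 Jul 2004 15:48:58 +0100]/document.zip/document.pif Infected: Email-Worm.Win32.Mydoom.m
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{GUID}\\Microsoft\\Outlook Express\\inbox.dbx Infected: Email-Worm.Win32.Mydoom.m

Scan process completed.
"""

# Lazy match on the location so paths containing spaces (or ".txt .com"
# double extensions) survive; detection names never contain whitespace.
HIT_RE = re.compile(r"^(?P<location>.+?) Infected: (?P<detection>\S+)$")


def parse_hit(line):
    """Split one report line into on-disk path, nested member path, detection.
    Returns None for non-hit lines such as 'Scan process completed.'."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    on_disk, _, inner = m.group("location").partition("/")
    return {"on_disk": on_disk, "inner": inner, "detection": m.group("detection")}


def summarize(report):
    """Group hits by the file that actually exists on disk.

    For each on-disk path: sorted detection names, how deeply the worst hit is
    nested (0 = the file itself), the innermost member that was flagged, and
    whether the file lives in Killbox's C:\\!Submit backup folder.
    """
    groups = defaultdict(lambda: {"detections": set(), "deepest": 0, "innermost": ""})
    for line in report.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue
        g = groups[hit["on_disk"]]
        g["detections"].add(hit["detection"])
        depth = hit["inner"].count("/") + 1 if hit["inner"] else 0
        if depth >= g["deepest"]:
            g["deepest"] = depth
            g["innermost"] = hit["inner"] or hit["on_disk"]
    return {
        path: {
            "detections": sorted(g["detections"]),
            "deepest": g["deepest"],
            "innermost": g["innermost"],
            "killbox_backup": path.lower().startswith("c:\\!submit\\"),
        }
        for path, g in groups.items()
    }


def split_active_and_backups(summary):
    """Separate live files from hits that are only Killbox's deleted-file copies."""
    active = {p: i for p, i in summary.items() if not i["killbox_backup"]}
    backups = {p: i for p, i in summary.items() if i["killbox_backup"]}
    return active, backups


if __name__ == "__main__":
    active, backups = split_active_and_backups(summarize(SAMPLE_REPORT))
    for path, info in active.items():
        print(f"{path}\n    {', '.join(info['detections'])}"
              f" (nested {info['deepest']} deep in: {info['innermost']})")
    print(f"{len(backups)} on-disk file(s) are Killbox backups under C:\\!Submit")
```

Because a .dbx or .MAI file is a whole mailbox, the "innermost" field shows which single message or attachment was actually flagged, which is worth knowing before the entire container is removed.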
 

Registered · 21 Posts · Discussion Starter #12 (Edited)
Well, thanks to you, things are looking good. Thanks so much for your invaluable help.

I did all you said and ran KasperSky with a 'Clean' result - ie no log file to save - sounds good! I suppose it remains to be seen whether it has cured the problem or not!

Just popped back to edit this to report that sadly the problem is still here - stopping email and ftp but not this time SSL or Remote desktop connection.
Also another problem has appeared. If I leave this window, to try something out, it disappears - is that normal?

I closed all the programs I had open before running this (hopefully final) HJT report, as I assumed that would make things easier for you:

Here is what it says now:

Logfile of HijackThis v1.99.1
Scan saved at 14:25:15, on 17/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\AUFILE~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe
C:\Documents and Settings\Peter Cresswell\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcwebservices.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\PROGRA~1\Novosoft\HANDYB~1\hbagent.exe" -logon
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4B1A4A31-8845-11D5-9769-00B0D071D434} (Avaya ICM Client) - http://indianapolis.dataforce.co.uk/icm/caller.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093292310519
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
 

Registered · 199 Posts
Congratulations Struggling_Here, :) your system is clean now.

Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)

  1. Select Drive C: & click the 'OK' button
  2. Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  3. Click the 'OK' button


If there's nothing you need to ask and the problem doesn't occur anymore, you're all set to go.


This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.



More information and downloads are available at the following links:

Spyware Blaster
Spyware Guard
IE-Spyad
 

Registered · 21 Posts · Discussion Starter #14
I would like to thank you for all of your help - I have sent a donation

However, for what it is worth, the problem, it seems, still exists.

When I have finished today's work I will restart the PC, which I haven't yet done since I finished all your instructions.

If after doing that I get another incident I will get to you again if you think there is anything you might be likely to do about it. You will get a day's grace, as I am out tomorrow, so won't be observing my PC's behaviour (!! LOL).

Thanks for your advice about software to use. I currently run AVG AntiVirus - fully updated daily - and Adaware SE which I run periodically, updating first, also Adwatch monitoring, which stops many things a day, and since implementing which Adaware has never found anything at all.

I paid money for both of these in good faith (and on recommendation from people like yourself who run internet forums and offer sound advice) and run AVG on all my equipment. You have made further suggestions. Should I run these as well as or instead of what I do at the moment?

Also - this problem (which alas, I fear still exists) is of old - I have posted it on so many places, on and off, over the last months and you are the first to take it up. It has been around far longer than I have been running the AdWatch monitor. Might it be that if I can finally eradicate it, the AdWatch monitor might prevent recurrence?
 

Registered · 199 Posts
Bear this in mind: Earlier this year, fully updated Windows was more secure than pretty much all Linux distros (both with no 3rd party protection). It might still be that way. So, don't forget to get your system fully updated from Microsoft site.

I paid money for both of these in good faith (and on recommendation from people like yourself who run internet forums and offer sound advice) and run AVG on all my equipment. You have made further suggestions. Should I run these as well as or instead of what I do at the moment?
Yes, please follow the given steps above to secure your pc. I would like you to read this article if you have not yet to optimize your Internet Security.

The last step will be flushing your system restore function.

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

To turn System Restore back on, click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

If you think your system is clean, please acknowledge so we can mark this thread as resolved. Thanks!
 

Registered · 21 Posts · Discussion Starter #16
Hi there

I am very sad to say that the things you told me to do, whilst cleaning my PC, did not cure the problem. I have no idea if you will be able to think of anything else. After all I have lived with this problem for months, and it is not that bad to cope with, but obviously it can be a nuisance. I suppose the biggest worry was that it was in some way infected but we seem to have shown that it isn't.

Just in case you can think of anything else, here are a few observations which I may not already have made.

1. I am in UK and my ISP is NTL. This comes to my house by cable, and I then send it through a Netgear router which is designed for cable rather than DSL input. This router provides wired and wireless connections for PCs. I currently have 3 PCs connected by wires and 2 laptops wirelessly.

When this problem occurs it stops all email EXCEPT that from NTL itself. I have 2 NTL email addresses and they still check OK. For a long time I assumed this was therefore an NTL problem, until it transpired one day that the other PCs on the network were not similarly affected. Then I concluded it was a problem specific to my PC.

FTP to all servers that I have tried also stops working, though I admit I have not tried FTP to an NTL server, as I don't have any cause to use their free webspace and I am not sure of the details, but I guess I could set this up so that I could try it next time it goes down (it has just come back up).

2. This does not happen at any particular time of day, though it seems to come around lunch time more than any other time. The latest occurrence just now was around 8.30 am.

3. My PC is a SONY VAIO PCV-RX4 series with an INTEL Pentium 4 2.4 GHz processor and 1.25 GB RAM. I know that SONY do have some strange little quirky security settings of their own about which I know nothing, but wonder if this might give you a line of enquiry?

4. As far as I am aware, this phenomenon didn't start coincidentally with the addition of any software or any change to the network structure etc., though I appreciate it could have done and I just didn't notice.

5. Sometimes when it happens it eliminates email (non-NTL), ftp, remote desktop connection and SSL sites, other times it only eliminates the email and ftp and the other 2 seem to carry on working.

6. Normal http:// browsing has never been affected.

7. I can still send email.

8. (Not likely relevant) I run 3 monitors on this PC with the desktop shared across them.

Please let me know if there is anything else I can tell you that might help.
 