Status: Not open for further replies.
1 - 10 of 10 Posts

Registered · 50 Posts · Discussion Starter #1
Hi

Getting the above problems... also drastically slowing Media Player and other media programmes.

Have gone through the process with virus scan etc. as required.

Following are the HijackThis Analyzer results. Thanks


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 16:02:45, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\HJT21\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128883863843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A6744F-E629-4BD0-81DE-3FDB1B5C7831}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
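A HijackThis log is a list of hook points, not a verdict: the sections that matter are the ones that load code when the browser or system starts (O2 BHOs, O3 toolbars, O4 autostarts, O16 Downloaded Program Files ActiveX controls, O18 protocol handlers, O23 services), plus anything tagged "(file missing)", which is a registry entry pointing at a file that has already been removed. The Python script below is an added example, not part of the original post and not HijackThis code; it parses a few lines copied from the log above and flags what a reviewer would look at first. The `trusted_dns` and `trusted_dpf_hosts` sets are assumptions the operator supplies (here the two nameserver addresses from the O17 line and `microsoft.com`), not data the page states.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above
# (paths and CLSIDs are the poster's, nothing here is invented).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128883863843
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A6744F-E629-4BD0-81DE-3FDB1B5C7831}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# What each HijackThis section records (standard HJT 1.99 section codes).
SECTION_MEANING = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O1": "hosts file redirect", "O2": "Browser Helper Object (DLL loaded into IE)",
    "O3": "IE toolbar", "O4": "autostart (Run keys / Startup folder)",
    "O8": "IE context-menu item", "O16": "Downloaded Program Files (ActiveX) control",
    "O17": "TCP/IP nameserver / domain settings", "O18": "URL protocol handler",
    "O20": "AppInit_DLLs / Winlogon notify", "O23": "Windows service",
}
# Sections whose entries load code at boot or browser start: review every one.
CODE_LOADING = {"O2", "O3", "O4", "O16", "O18", "O20", "O21", "O22", "O23"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab|htm|html|sys)\b", re.I)
URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entries(log_text):
    """Yield (section, body) for every R/F/N/O line; header and process list are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["sec"], m["body"]


def triage(log_text, trusted_dns=frozenset(), trusted_dpf_hosts=frozenset()):
    """Return one finding dict per entry, with the reasons a reviewer should look at it.

    trusted_dns / trusted_dpf_hosts are operator-supplied allowlists (assumption):
    the ISP's resolvers and the hosts you accept ActiveX .cab downloads from.
    """
    findings = []
    for sec, body in parse_entries(log_text):
        guid, path, url = GUID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
        flags = []
        missing = "(file missing)" in body
        if missing:
            flags.append("orphan: registry points at a file that no longer exists")
        elif sec in CODE_LOADING:
            flags.append("loads code: verify the file's publisher/hash before trusting it")
        if sec == "O16" and url:
            host = urlparse(url[0]).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in trusted_dpf_hosts):
                flags.append(f"ActiveX control downloaded from non-allowlisted host {host}")
        if sec == "O17":
            for ip in IPV4_RE.findall(body):
                if ip not in trusted_dns:
                    flags.append(f"nameserver {ip} is not one of the expected ISP resolvers")
        if sec == "O8" and "file://" in body.lower():
            flags.append("context-menu item runs a script from a local temp folder")
        findings.append({
            "section": sec,
            "meaning": SECTION_MEANING.get(sec, "other"),
            "guid": guid[0] if guid else None,
            "path": path[0] if path else None,
            "url": url[0] if url else None,
            "flags": flags,
        })
    return findings


def needs_review(findings):
    """Only the entries that carry at least one flag."""
    return [f for f in findings if f["flags"]]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG,
                    trusted_dns=frozenset({"195.92.195.94", "195.92.195.95"}),
                    trusted_dpf_hosts=frozenset({"microsoft.com"}))
    for f in needs_review(report):
        print(f"{f['section']:>4} {f['meaning']}: {f['path'] or f['url']}")
        for fl in f["flags"]:
            print(f"       - {fl}")
```

The point of the allowlists is that "nothing suspicious" in a HijackThis log is only meaningful relative to what the machine is supposed to have: the O17 nameservers are fine if they are the ISP's and a hijack if they are not, and the log itself cannot tell you which.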
 

TSF Security Manager, Emeritus · 42,837 Posts
Hello mossie,

I'm not seeing anything in this log. Please do the following:

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer

  1. Click on the Scan your PC button & a 'pop up' window shall appear. * Ensure that your pop-up blocker doesn't block it.
  2. Click on 'Scan Now'.
  3. Enter your e-mail address & click 'Scan Now'... this begins downloading Panda's ActiveX controls (8 MB).
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

Registered · 50 Posts · Discussion Starter #3
Tried, but ActiveX won't download.

It said it was due to a poor internet connection or lack of space... the hard drive has loads of space.

Any ideas??
 

TSF Security Manager, Emeritus · 42,837 Posts
Let's try another tool:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/products/mwav/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double-click the Mwav.exe file. This is a stand-alone tool and NOT just a virus checker... so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane...
Left-click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything... but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
 

Registered · 50 Posts · Discussion Starter #5
Have run the Mwav virus checker.

Found 40 problems!!!

Following is the Notepad copy... many thanks

File C:\Documents and Settings\mark lovett\Desktop\setup_ares.exe tagged as "not-a-virus:AdWare.Win32.NavExcel.d". Action Taken: No Action Taken.
File C:\WINDOWS\System32\fastcl.exe infected by "Backdoor.Win32.Masteseq.gen" Virus! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "limewire Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "180solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "ares Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cydoor.topicks.a Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "imesh Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\xscan53.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\InstantCDDVD\Projects\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\InstantCDDVD\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\InstantCDDVD\Labels\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\InstantCDDVD\Audio\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\Pinnacle Expression\Captured Video\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\Owner\My Documents\Pinnacle Expression\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\mark lovett\Favorites\Financial Links\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\LimeWire\3.8.6\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\LimeWire\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\LimeWire\LimeWire 4.0.8\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\LimeWire\LimeWire 4.0.8\root\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\LimeWire\LimeWire 4.0.8\root\magnet10\". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Documents and Settings\All Users\Start Menu\Programs\LimeWire\". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".db:encryptable". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".icw". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".NJB". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".plf". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".rpm". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".smi". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".uk/education/schoolsinfo/H_S/hshandbookdocs/hsmodule18c". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Ad-aware 6 Personal". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Beach Head - Desert War". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Beach Head 2002". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Crimsonland_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "eZula". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "IEFeatSL_Uninstall". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ieupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "iMesh". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{69654736-1026-4728-A78E-BA45DF993BAE}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB810243". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB820291". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB821253". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB821557". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823182". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB823559". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824105". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824141". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB824146". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB825119". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB826939". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828035". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB828741". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB835732". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB837001". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB839643-DirectX9". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB839645". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB840315". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB840374". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB841873". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB842773". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "limeshop.xml". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mcafee SecurityCenter". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MoodLogic DeviceLink". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "MSNEXT". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "My Way Speedbar Uninstall". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NavExcel Search Toolbar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NavHelper". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "New.net". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "NoAdware_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "oeupdate". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "PC MightyMax v1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q327979". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329048". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329115". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329170". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329390". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329441". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q329834". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810565". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810577". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q810833". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q814033". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q814995". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q815021". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817287". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q817606". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Q828026". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "RadLight". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "SearchHook". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ShopAtHomeSelect Agent". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "ShowSearch". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Submit URL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Uninstall Plus! 2004 v2.1_is1". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "VideoLive Mail". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "VirusScan Online". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "VX2 Cleaner plug-in for Ad-Aware SE". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Yahoo! Companion". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Yahoo! Customizations". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Yahoo! Messenger". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Yahoo! Messenger Explorer Bar". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{21BCE515-D5A3-11D4-8E33-0010B53EC668}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{69654736-1026-4728-A78E-BA45DF993BAE}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7B802DE5-84E5-4503-965B-2ABFFC78506A}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{9DE006A5-B384-4EDE-A760-0F217136B9EA}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600133}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600137}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600425}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{ABEB838C-A1A7-4C5D-B7E1-8B4314600429}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{DBA8B9E1-C6FF-4624-9598-73D3B41A0903}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9BE8D7B2-329C-442A-A4AC-ABA9D7572602}" refers to invalid object "c:\program files\mcafee.com\agent\submgr\4,3,0,10\mcsubmgr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{3A78B247-8014-4A8B-A9B6-9A2C5F13FFEB}" refers to invalid object "c:\program files\mcafee.com\agent\submgr\4,3,0,10\mcsubmgr.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{96AB08A1-3B19-48E5-8146-A6FDE9CB06E4}" refers to invalid object "C:\DOCUME~1\MARKLO~1\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Automap.Map.EU" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\Automap.Template.EU.11" refers to invalid object "{A49EEA01-9231-4C77-AA9E-2F89D72B4804}". Action Taken: No Action Taken.
Entry "HKCR\btmsgr\shell\open\command" refers to invalid object ""C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" %1". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\System32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\EDisk2.MgEdisk" refers to invalid object "{340A0150-9DC7-11D3-9A01-005004677EF4}". Action Taken: No Action Taken.
Entry "HKCR\EDisk2.MgEdisk.1" refers to invalid object "{340A0150-9DC7-11D3-9A01-005004677EF4}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.Agent.PingObj" refers to invalid object "{A30C94ED-ED1D-4cd9-931B-032481FED884}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.MCVSQTColl.1" refers to invalid object "{7DC23152-6B5E-4A65-B42E-AE5AC4199577}". Action Taken: No Action Taken.
Entry "HKCR\McAfee.com.MCVSScan.1" refers to invalid object "{B793DE5F-29C9-440c-A9E2-4644145DDD3D}". Action Taken: No Action Taken.
Entry "HKCR\Mccomctl.McDrives" refers to invalid object "{28E74E8D-7B99-4486-AE32-11B67F93B54B}". Action Taken: No Action Taken.
Entry "HKCR\Mccomctl.McDrives.1" refers to invalid object "{28E74E8D-7B99-4486-AE32-11B67F93B54B}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.CheckedItems" refers to invalid object "{0025F2F6-5458-478E-997C-76BBB056B3D6}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.CheckedItems.1" refers to invalid object "{0025F2F6-5458-478E-997C-76BBB056B3D6}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ColumnHeader" refers to invalid object "{C657669A-754D-4E13-BB96-B7269F2078F0}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ColumnHeader.1" refers to invalid object "{C657669A-754D-4E13-BB96-B7269F2078F0}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ColumnHeaders" refers to invalid object "{BF4C25B5-CD0A-4770-B2F5-750A4407957F}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ColumnHeaders.1" refers to invalid object "{BF4C25B5-CD0A-4770-B2F5-750A4407957F}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItem" refers to invalid object "{21DB24D5-9DD7-4F6F-993A-5FB0980EC5DB}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItem.1" refers to invalid object "{21DB24D5-9DD7-4F6F-993A-5FB0980EC5DB}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItems" refers to invalid object "{3ED232B4-0346-4A74-A883-B85B69ADA6A4}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItems.1" refers to invalid object "{3ED232B4-0346-4A74-A883-B85B69ADA6A4}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItemsEnum" refers to invalid object "{78D0C657-22F0-4E19-A34A-757B14A30344}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListItemsEnum.1" refers to invalid object "{78D0C657-22F0-4E19-A34A-757B14A30344}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListView" refers to invalid object "{B02F4EEB-78D3-414D-8814-7E88F4828C28}". Action Taken: No Action Taken.
Entry "HKCR\McComCtlLib.ListView.1" refers to invalid object "{B02F4EEB-78D3-414D-8814-7E88F4828C28}". Action Taken: No Action Taken.
Entry "HKCR\MediaPlayer.MediaPlayer.1" refers to invalid object "{22D6F312-B0F6-11D0-94AB-0080C74C7E95}". Action Taken: No Action Taken.
Entry "HKCR\MMVDE" refers to invalid object "{8C27AD03-783F-4A44-8D43-80C480D01D81}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSProperties" refers to invalid object "{510C5313-D85C-4307-95FB-AC87A2D3743F}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSProperties.1" refers to invalid object "{510C5313-D85C-4307-95FB-AC87A2D3743F}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSPropNotify" refers to invalid object "{55F94612-19DD-4C2E-9E1F-E26624933DAD}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSPropNotify.1" refers to invalid object "{55F94612-19DD-4C2E-9E1F-E26624933DAD}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSUpdate" refers to invalid object "{6950611A-E2CF-421f-88C3-61C27A3832C5}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.MCVSUpdate.1" refers to invalid object "{6950611A-E2CF-421f-88C3-61C27A3832C5}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.VSOInfoObject" refers to invalid object "{1BCD38AE-A539-40D6-B448-04F20D47433F}". Action Taken: No Action Taken.
Entry "HKCR\Vsoupd.VSOInfoObject.1" refers to invalid object "{1BCD38AE-A539-40D6-B448-04F20D47433F}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\Yahoo.MessengerCompanionControl.3" refers to invalid object "{977046B0-A87F-11d5-8FEA-FFFFFF000000}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailAttach" refers to invalid object "{AA218328-0EA8-4D70-8972-E987A9190FF4}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailAttach.1" refers to invalid object "{AA218328-0EA8-4D70-8972-E987A9190FF4}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailShellExt" refers to invalid object "{5464D816-CF16-4784-B9F3-75C0DB52B499}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailShellExt.1" refers to invalid object "{5464D816-CF16-4784-B9F3-75C0DB52B499}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailTo" refers to invalid object "{A17E30C4-A9BA-11D4-8673-60DB54C10000}". Action Taken: No Action Taken.
Entry "HKCR\YMMAPI.YMailTo.1" refers to invalid object "{A17E30C4-A9BA-11D4-8673-60DB54C10000}". Action Taken: No Action Taken.
Entry "HKCR\ymsgr\shell\open\command" refers to invalid object ""C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" %1". Action Taken: No Action Taken.
Entry "HKCR\Ypager.Messenger" refers to invalid object "{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\topsys.exe tagged as "not-a-virus:AdWare.Win32.EZula.w". Action Taken: No Action Taken.
File C:\Documents and Settings\mark lovett\.jpi_cache\file\1.0\BlackBox.class-6b558204-62ce2f49.class infected by "Trojan.Java.ClassLoader.f" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\mark lovett\.jpi_cache\jar\1.0\archive.jar-6f0e205-48f7a309.zip infected by "Trojan.Java.Binny.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\mark lovett\Application Data\Mozilla\Firefox\Profiles\756hyi6l.default\Cache\DFBC5676d01 infected by "Trojan-Clicker.JS.Linker.h" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\mark lovett\Desktop\setup_ares.exe tagged as "not-a-virus:AdWare.Win32.NavExcel.d". Action Taken: No Action Taken.
File C:\Downloads\moisdne-dm[1].exe tagged as "not-a-virus:AdWare.Win32.Trymedia.a". Action Taken: No Action Taken.
File C:\My Downloads\HotRodASD.exe tagged as "not-a-virus:AdWare.Win32.Trymedia.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040314-180649.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040314-212314.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040315-214306.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040316-200217.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040318-013159.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts.20040321-144758.backup tagged as "not-a-virus:AdWare.Win32.XmlMimeFilter.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\topsys.exe tagged as "not-a-virus:AdWare.Win32.EZula.w". Action Taken: No Action Taken.
 

TSF Security Manager, Emeritus (42,837 Posts)
Hi,

To clean out those orphaned registry entries showing in Mwav, please download Ccleaner www.ccleaner.com. Do not run it yet.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Do not run it yet.

Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Reboot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\System32\fastcl.exe
C:\WINDOWS\system32\topsys.exe
C:\Downloads\moisdne-dm[1].exe
C:\My Downloads\HotRodASD.exe
C:\Documents and Settings\mark lovett\.jpi_cache\file\1.0\BlackBox.class-6b558204-62ce2f49.class


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting, if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Follow the instructions here to clean out your Java cache...
http://www.java.com/en/download/help/cache_virus.xml

Clear your Mozilla cache:
Open Mozilla>Tools>Options>Privacy
Click on Cache
Click the Clear button.
Click OK

To clean out those orphaned registry entries showing in Mwav, please download Ccleaner www.ccleaner.com. Do not run it yet.

Run Ccleaner.
Click on the 'Issues' tab to clean the registry. Be sure the 'prompt to backup registry' box is checked in the Options>Advanced section.

Click 'Analyze', then 'Fix Issues'

Reboot into Normal Mode. Let's try this online scanner:

Perform an online scan with Internet Explorer with Kaspersky WebScanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
*The program will launch and then begin downloading the latest definition files:
*Once the files have been downloaded click on NEXT
*Now click on Scan Settings
*In the scan settings make sure that the following are selected:
*Scan using the following Anti-Virus database:
*Standard
*Scan Options:
*Scan Archives
*Scan Mail Bases
*Click OK
*Now under select a target to scan:
*Select My Computer
*The program will start and scan your system.
*The scan will take a while so be patient and let it run.
*Once the scan is complete it will display if your system has been infected.
*Now click on the Save as Text button:
*Save the file to your desktop.
*Copy and paste that information in your next post along with a new HijackThis log.

How are things running now?
 

Registered (50 Posts), Discussion Starter #7
Kaspersky results

Sorry for the delay, IE6 wasn't working but it's ok now.

Thanks, it seems to be a bit better, but looking at the results there may still be something lurking???!!!


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 15, 2005 14:40:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/10/2005
Kaspersky Anti-Virus database records: 144925
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59382
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 2114 sec

Infected Object Name - Virus Name
C:\Documents and Settings\mark lovett\Application Data\Mozilla\Firefox\Profiles\756hyi6l.default\Cache\DFBC5676d01 Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Sent Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED/fastcl.exe Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Sent Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED/lanlulo.exe Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Sent Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Sent Items.dbx Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP55\A0028990.exe Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP55\A0029991.exe Infected: Backdoor.Win32.Masteseq.gen

Scan process completed.



and HJT results:


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 16:54:07, on 15/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\HJT21\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128883863843
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8A6744F-E629-4BD0-81DE-3FDB1B5C7831}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 

TSF Security Manager, Emeritus (42,837 Posts)
C:\Documents and Settings\mark lovett\Application Data\Mozilla\Firefox\Profiles\756hyi6l.default\Cache\DFBC5676d01 <<Delete this folder

Empty your Sent Mail in Outlook Express.

Run another scan with Kaspersky and post it here again please.
 

Registered (50 Posts), Discussion Starter #9
Kaspersky scan results

Hi... as requested, another scan... still appears to be viruses?? :sad:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 16, 2005 11:06:02
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/10/2005
Kaspersky Anti-Virus database records: 145074
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59467
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 2308 sec

Infected Object Name - Virus Name
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Deleted Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED/fastcl.exe Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Deleted Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED/lanlulo.exe Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Deleted Items.dbx/[From "mark lovett" <[email protected]>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP55\A0028990.exe Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP55\A0029991.exe Infected: Backdoor.Win32.Masteseq.gen

Scan process completed.
 

TSF Security Manager, Emeritus (42,837 Posts)
It's located in your Outlook deleted items. :smile: Go into Outlook and empty the deleted items folder:

C:\Documents and Settings\mark lovett\Local Settings\Application Data\Identities\{BA10AF44-CE7C-4CBC-808A-54331B74212F}\Microsoft\Outlook Express\Deleted Items.dbx <<Leave the folder, just empty the contents.

Run another scan with Kaspersky. How is your system running?
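The two Kaspersky reports above make the same point the helper is explaining: six "infected objects" do not mean six files on disk. The scanner lists every nested member it can open, so one attachment in an Outlook Express .dbx store shows up three times (the attachment, the message, the store itself), and copies of a deleted executable survive inside System Restore points. The parser below is an added example, not code from the thread or from Kaspersky; it reads the "Infected Object Name - Virus Name" block, splits each entry at the "/" nesting separator the scanner uses, and groups detections by the on-disk container that actually has to be dealt with. The sample report is constructed in the same shape as the thread's, with placeholder user names, GUIDs and addresses.

```python
"""Group Kaspersky On-line Scanner detections by their on-disk container.

Added example (not from the forum thread or Kaspersky). It assumes the report
line format quoted in the thread: "<object> Infected: <name>", where members
of a mail store or archive are appended to the container path after "/".
"""
import re
from collections import defaultdict

# Constructed sample in the thread's format; names, GUIDs and addresses are placeholders.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\abc.default\Cache\DFBC5676d01 Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{GUID-PLACEHOLDER}\Microsoft\Outlook Express\Deleted Items.dbx/[From "user" <user@example.invalid>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED/fastcl.exe Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{GUID-PLACEHOLDER}\Microsoft\Outlook Express\Deleted Items.dbx/[From "user" <user@example.invalid>][Date Thu, 21 Oct 2004 23:03:24 +0100]/UNNAMED Infected: Backdoor.Win32.Masteseq.gen
C:\Documents and Settings\user\Local Settings\Application Data\Identities\{GUID-PLACEHOLDER}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP55\A0028990.exe Infected: Backdoor.Win32.Masteseq.gen
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP55\A0029991.exe Infected: Backdoor.Win32.Masteseq.gen

Scan process completed.
"""

# One detection line: everything before " Infected: " is the object, the rest is the name.
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<virus>\S+)$")


def parse_report(text):
    """Return one record per detection line: object, container, inner member, virus."""
    records = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # header, statistics and blank lines carry no detection
        obj = m.group("obj")
        # Windows paths use "\", so the first "/" marks where the scanner
        # descended into a container (mail store, archive, restore point file).
        container, sep, inner = obj.partition("/")
        records.append({
            "object": obj,
            "container": container,
            "inner": inner if sep else "",
            "virus": m.group("virus"),
        })
    return records


def classify_container(path):
    """Say what kind of on-disk object holds the detection."""
    p = path.lower()
    if p.endswith(".dbx"):
        return "mail store"      # Outlook Express folder file; the threat is a message attachment
    if "\\system volume information\\_restore" in p:
        return "restore point"   # System Restore snapshot copy of a file that was already removed
    if "\\cache\\" in p:
        return "browser cache"   # cached page or script, cleared with the browser cache
    return "file on disk"        # a loose file that can simply be deleted


# What the thread's helper actually tells the user to do for each kind of container.
HINTS = {
    "mail store": "empty that folder inside the mail client; keep the .dbx file itself",
    "restore point": "snapshot copy; it goes away only when the restore point is purged",
    "browser cache": "clear the browser cache",
    "file on disk": "delete the file (the thread uses KillBox for in-use files)",
}


def summarize(text):
    """Map container kind -> sorted list of distinct container paths."""
    groups = defaultdict(set)
    for rec in parse_report(text):
        groups[classify_container(rec["container"])].add(rec["container"])
    return {kind: sorted(paths) for kind, paths in groups.items()}


def count_objects_vs_containers(text):
    """(reported infected objects, distinct on-disk containers) for a report."""
    records = parse_report(text)
    return len(records), len({r["container"] for r in records})


if __name__ == "__main__":
    objects, containers = count_objects_vs_containers(SAMPLE_REPORT)
    print(f"{objects} infected objects reported, {containers} distinct containers on disk")
    for kind, paths in summarize(SAMPLE_REPORT).items():
        print(f"\n[{kind}] -> {HINTS[kind]}")
        for path in paths:
            print("   ", path)
```

Run against the constructed sample it reports six infected objects but only four containers: one Firefox cache file, one Deleted Items.dbx store (three nested entries collapse into it), and two executables held by restore point RP55. That is exactly why the second scan in the thread still shows Backdoor.Win32.Masteseq.gen after the loose files were deleted: the remaining hits live inside a mail folder and a System Restore snapshot, which a file delete never touches.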
 