0

New poster, hope you can help. Thanks Crunchie for previous advice.
Have had problems the first time for a year or so. Friends have had lots of probs and I've always managed to sort them, but this is beyond me.
I run Windows xp,sp2,have Panda Titanium virus killer up to date,firewall on and regularly run xoftspy and ad-aware.
However, 6 days ago whilst Panda was awaiting renewal,(been away on hols) I got the 'Alcan.A worm on my machine, managed to remove it and also renewed Panda.
But since then I've been plagued by spyware and virus's, slow machine, keyboard stopping working after 15-20 mins, mouse not highlighting and opening desktop icons, I've had to right click and 'open'. I tried to start in safe mode by pressing f8 as always,no joy, tried to do a non destructive restore as well as a system restore, but was unable too.
Here is my Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 20:58:08, on 21/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\psimsvc.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Phil C\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [OemReset] %systemroot%\OPTIONS\OEMRESET.EXE /AUDIT
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/04a58d2...ip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pr...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binar...ro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...wn.cab31267.cab
O20 - AppInit_DLLs: PAVWAIT.DLL
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\psimsvc.exe

Hope you can help.....please :rolleyes:

2
Contributors
8
Replies
9
Views
12 Years
Discussion Span
Last Post by DMR
0

Hi santfekuss,

1. There's nothing suspicious in your HJT log. That being the case, can you give specific information about the symptoms you're seeing, error message you may be getting, etc.?

2. Please download and install the free trial version of ewido Security Suite.

* Run the program (the first time you do, you will receive a warning message saying "Database not found". Just click "OK"; this is normal.

* In the main screen, click "Update" and click "Start Update". This will install the detection database that the error message above refers to.

* Once the update is complete, run a full system scan. Post the resulting scan report after that; the report may tell us some things that HijackThis can't.

0

Thanksfor your reply, have had a bit of luck since last post.
Managed to start it in safe mode and deleted a couple of virus's/spyware, just ran eiwido for the 2nd time and it cleaned 2 files, here is the report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           17:18:49, 22/07/2005
+ Report-Checksum:      633E9A34


+ Scan result:


:mozilla.12:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Phil C\Cookies\phil [email]c@doubleclick[1].txt[/email] -> Spyware.Cookie.Doubleclick : Cleaned with backup



::Report End


Ran the first scan early hours of the morning and this is the report from then:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           07:20:00, 22/07/2005
+ Report-Checksum:      60BED862


+ Scan result:


HKU\S-1-5-21-3137500025-516116760-269536213-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-3137500025-516116760-269536213-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-3137500025-516116760-269536213-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-3137500025-516116760-269536213-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.288:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.471:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.597:C:\Documents and Settings\Phil C\Application Data\Mozilla\Firefox\Profiles\3o6fdlqa.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Phil C\Cookies\phil [email]c@doubleclick[1].txt[/email] -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\My old Disk Structure -- 04-11-02 1012PM\Documents and Settings\Phil C\Cookies\phil [email]c@1800search.com.19522.fb.dbbsrv[1].txt[/email] -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\My old Disk Structure -- 05-03-19 0433PM\Documents and Settings\Phil C\Cookies\phil [email]c@112.2o7[2].txt[/email] -> Spyware.Cookie.2o7 : Cleaned with backup
C:\My old Disk Structure -- 05-03-19 0433PM\Documents and Settings\Phil C\Local Settings\Temporary Internet Files\Content.IE5\S1IJ8HMV\loader7[1].htm -> TrojanDownloader.VBS.Psyme.ap : Cleaned with backup



::Report End

I have'nt restarted the PC since then, so whether these will re-install them selves I don't know. The only trouble I seem to be having now is the amount of spyware I seem to be getting, and slow start and shutdowns of programs.

I'm guessing they've altered my registry and are creating these on each startup

Edited by happygeek: fixed formatting

0

I have'nt restarted the PC since then, so whether these will re-install them selves I don't know... I'm guessing they've altered my registry and are creating these on each startup

Yes- it's possible that some of the nasties might "respawn", and it's also possible that there are still registry changes which would contribute to that.

To best eliminate the chance of the infections returning, you might want to run a few more utilities such as Microsoft's Antispyware beta and CCleaner, and also do a few other online scans as well.

Our member dlh6213 has posted a lot of good information on general cleaning procedures in his thread here.

0

Ran CCleaner, I cannot believe the amount of stuff that it deleted.

Big thanks for your help, PC seems to be running fine (typing this from my Apple iBook)..............now just to sort out a friends PC, Windows ME will not even start ,looking for boot disk

BIG thanks again.

0

Glad we could help, and I'm glad the 'puter seems better now :)

Hopefully, the problems won't return, but if they do- just let us know.


In terms of your friend's ME system; good luck with that.
Although- ME being the clunky beast that is was to begin with, combined with the fact that ME is an "end of life" operating system, you might want to try installing your friend's hard drive as a slave/secondary drive in another (and healthy, obviously) computer just to rescue any data that he/she might want to save. Once done, wipe (totally reformat) the original drive after that and install a more current version of Windows.

0

Thanks DMR, regarding my friends hard drive, I'm thinking its dead. I done what you said, disconnected my slave drive, connected his as the slave and my PC will not even boot-up, its as if his is wanting to be the master. I have jumper pins in correctly but am mystified. He did used to get lots of pop-ups and stuff so maybe he got a really bad virus.
He really wants the pics of his kids taken off there as well.

Any ideas ?

0

Managed to start my PC with the drive attached,but its not seeing the drive at all.
Have popped it in the freezer for awhile, see if it has any effect.

PS........... sorry its in the wrong forum, just realised and did'nt want to double post.
Could we move it ?

0

No problem. You've already started a thread for the new problem in the right forum, so all is cool.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.