Help Got haywire computer

Question

pete25 0 Light Poster

18 Years Ago

Please could someone help as computer going haywire did normal scans but still its not propery working. Here is Hijackthis log

C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PETER\Local Settings\Temporary Internet Files\Content.IE5\GTORK5WN\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\ssqpo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [libmm] rundll32.exe C:\WINDOWS\System32\libmm.dll,start
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard5.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad5.exe
O4 - HKLM\..\Run: [Microsoft Incroporate] mffs.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname5.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\RunServices: [Microsoft Incroporate] mffs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
O20 - Winlogon Notify: awtqn - C:\WINDOWS\SYSTEM32\awtqn.dll
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\System32\ssqpo.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\UEVURVIg\command.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I don't know what ones to check or uncheck as got popups an all

Pete25

windows-virus

4 Contributors
22 Replies
336 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by pete25

All 22 Replies

tayspen 28 <Insert title here>

18 Years Ago

Hi, and welcome to DaniWeb!

This line of your log

C:\Documents and Settings\PETER\Local Settings\Temporary Internet Files\Content.IE5\GTORK5WN\hijackthis[1]\HijackThis.exe

Shows that HJT was run from a Temporary file. This is an "unsafe" location, as it may not scan everything.

Please do the following. Re-Downoad HJT, and save it your desktop. Then make a new folder on your desktop (Right click your desktop go to >New>Fold), Name the folder HJT. Now double click the Hijackthis.zip you download and right click Hijackthis.exe, select cut then double click the HJT fodler on your desktop you just made. Right clck in the white space and click paste. Then scan again, and post a new log.

Thanks

tayspen 28 <Insert title here>

18 Years Ago

Cool, now were ready to proceed. Your pretty loaded with nasties. Lets download a few tools and run them before we try this maunally, hopefully they will knock alot of it out.

Please download the following:

Ewido (Trial) – http://www.download.com/Ewido-Secur...tml?tag=lst-0-1

SpySweeper (Trial) - http://www.webroot.com/consumer/products/spysweeper?acode=af1&rc=3599

Install them both. Update them both. Then run them Both. Remvoe anything they find.

Post a new HJT log, and the ewido log

DMR 152 Wombat At Large

18 Years Ago

Hi pete25,

Your latest log still shows signs of infections, but the following info in your HJT log's header also shows that you are running a totally "virgin" version of Windows XP (no Service Packs, Security/Bug Fixes, etc. appear have been installed):

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

If you are running such an outdated, unpatched version of Windows, your system will almost certainly get reinfected in no time. You should use the Windows Update feature to bring your system up to a fully-patched version of Service Pack 1 (note that upgrading to Service Pack 2 on an infected system is not recommended!). Once you've done that, the info in your log's header should read as follows:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

In all honesty, my bet is that your version of XP will probably fail validation at the Windows Update site, as the most common reason that people are still running such an outdated version of XP is that their installation of XP is, whether they know it or not, not a fully legal copy. Give the update a try though, and let us know the results.

DMR 152 Wombat At Large

18 Years Ago

I updated Windows XP...

Not according to the header information in your new HijackThis log; it still reports that you are running the same (and outdated) versions of XP and Internet Explorer as before:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

DMR 152 Wombat At Large

18 Years Ago

OK- that looks better :)

1. Open ewido and SpySweeper and use their online update features to make sure you have the absolutely most current updates installed for both programs. Do not run scans with the programs yet, just close them once they finish the update process.

2. Create a new folder on your desktop (or in some other convenient location) and name it VundoFix. Download the VundoFix.exe utility and save it in the new folder.

* Run vundofix.exe
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES.
- Click yes; your desktop will then go blank as it starts removing Vundo.
- When the removal is complete, you will be prompted to shutdown your computer; do so.
- Start the computer again and let it boot normally.

3. Run HijackThis again, put a check mark in the box to the left of the following entries, and then click the Fix Checked button:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - (no file)
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O20 - Winlogon Notify: awtqn - awtqn.dll (file missing)
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)

4. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

* Run ewido. When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Save the log file that ewido will create after it finishes scanning; you'll be including that log in your next post here.

* Run Spy Sweeper.
- Under the Sweep Options tab, select ALL options under 'What to Sweep'.
- Click the "Sweep" icon and then "Start" to begin scanning.
- When the scan completes, click Next to automatically quarantine all detected items.
- Click the Results icon, select Session Log, and then click Save to File. - Save the scan results to your desktop and close Spy Sweeper.

* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu; check "Show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types". Look for the following files and delete them if found:
C:\WINDOWS\System32\telcoms.exe
C:\WINDOWS\system32\awtqn.dll
C:\WINDOWS\system32\awtqq.dll

* Empty your Recycle Bin and then reboot normally.

5. Once rebooted, run HijackThis again, and post the new log. Also post the logs that ewido and Spy Sweeper generated, as well as the vundofix.txt file (found in the VundoFix folder you created) that VundoFix generated.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

pete25 0 Light Poster · Answer 1 · 2006-03-24T07:38:11+00:00

here is my new log followedyour instructions

Logfile of HijackThis v1.99.1
Scan saved at 01:33:46, on 24/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\telcoms.exe
C:\windows\mousepad5.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\drsmartload1.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - C:\WINDOWS\system32\awtqn.dll
O2 - BHO: DosSpecFolder Object - {3E1BEA96-02D9-4992-B508-9B51819D9D86} - C:\WINDOWS\System32\ssqpo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard5.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad5.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.66
O20 - Winlogon Notify: awtqn - C:\WINDOWS\SYSTEM32\awtqn.dll
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ssqpo - C:\WINDOWS\System32\ssqpo.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

tanks

pete25 0 Light Poster · Answer 2 · 2006-03-25T08:33:40+00:00

Here is the reports after scan

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          02:25:01, 25/03/2006
 + Report-Checksum:     EAD8AB7

 + Scan result:

    C:\Documents and Settings\PETER\Cookies\peter@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@ads1.revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\PETER\cz32.exe/rm32.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\Temporary Internet Files\Content.IE5\QGW1E7YR\drsmartload_js[1].htm -> Downloader.IstBar.j : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp0001bd9e -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp0001d0f7 -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp0001e191 -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp0001e2ba -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp00024a0f -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp000288ae -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp00036af0 -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp0008ec0e -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp000c0797 -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temp\tmp00c85362 -> Downloader.ConHook.y : Cleaned with backup
    C:\Documents and Settings\PETER\Local Settings\Temporary Internet Files\Content.IE5\S50H2RAT\dwn[1].exe -> Downloader.Adload.t : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
    C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
    C:\WINDOWS\system32\awvtq.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\awvvu.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\gebyx.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\jkkjj.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\jkklk.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\mljjk.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\mllml.dll -> Downloader.ConHook.y : Cleaned with backup
    C:\WINDOWS\system32\ssqpq.dll -> Downloader.ConHook.y : Cleaned with backup

New hijack this report

Logfile of HijackThis v1.99.1
Scan saved at 02:31:59, on 25/03/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\telcoms.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.tiscali.co.uk/broadband[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O15 - Trusted Zone: [url]http://*.billingnow.com[/url]
O15 - Trusted Zone: [url]http://*.reliablestats.com[/url]
O15 - Trusted Zone: [url]http://*.winantispyware.com[/url]
O15 - Trusted Zone: [url]http://*.winantivirus.com[/url]
O15 - Trusted Zone: [url]http://*.winantiviruspro.com[/url]
O15 - Trusted Zone: [url]http://*.winfixer.com[/url]
O15 - Trusted Zone: [url]http://*.winnanny.com[/url]
O15 - Trusted Zone: [url]http://*.winsoftware.com[/url]
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - [url]http://housecall60.trendmicro.com/housecall/xscan60.cab[/url]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873[/url]
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - [url]http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab[/url]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - [url]http://www3.ca.com/securityadvisor/virusinfo/webscan.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
O20 - Winlogon Notify: awtqn - awtqn.dll (file missing)
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks

pete25 0 Light Poster · Answer 3 · 2006-03-27T06:58:36+00:00

I updated Windows XP and redid the Hijack this log here it is

Logfile of HijackThis v1.99.1
Scan saved at 01:53:53, on 27/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\telcoms.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
O20 - Winlogon Notify: awtqn - awtqn.dll (file missing)
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

What will I do now

pete25 0 Light Poster · Answer 4 · 2006-03-27T09:07:42+00:00

Sorry I have been able to dowloa the right version now I hope

What is my next move

Logfile of HijackThis v1.99.1
Scan saved at 04:03:07, on 27/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\telcoms.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {20D57A66-F7DF-467d-907B-9B7F4A118AB7} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Startup: Resume Windows Update Installation.lnk = C:\WINDOWS\Windows Update Setup Files\ie6setup.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.66
O20 - Winlogon Notify: awtqn - awtqn.dll (file missing)
O20 - Winlogon Notify: awtqq - awtqq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

pete25 0 Light Poster · Answer 5 · 2006-03-28T03:51:09+00:00

Here is the log for Hijack this

Unable to delete C:\WINDOWS\System32\telcoms.exe

Also computer has slowed down

Logfile of HijackThis v1.99.1
Scan saved at 22:38:34, on 27/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe :eek: 
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\telcoms.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.tiscali.co.uk/broadband[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: [url]http://*.winsoftware.com[/url]
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - [url]http://housecall60.trendmicro.com/housecall/xscan60.cab[/url]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873[/url]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [url]http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389[/url]
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - [url]http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab[/url]
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - [url]http://www3.ca.com/securityadvisor/virusinfo/webscan.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Here is ewido log

ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          11:20:17, 27/03/2006
 + Report-Checksum:     8ACA0F23

 + Scan result:

    C:\Documents and Settings\PETER\Cookies\peter@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@ehg-techtarget.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\PETER\Cookies\peter@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup

Here is Spy Sweeper log

11:22: |       Start of Session, 27 March 2006       |
11:22: Spy Sweeper started
11:22: Sweep initiated using definitions version 641
11:22: Starting Memory Sweep
11:29: Memory Sweep Complete, Elapsed Time: 00:06:55
11:29: Starting Registry Sweep
11:30: Registry Sweep Complete, Elapsed Time:00:00:54
11:30: Starting Cookie Sweep
11:30:   Found Spy Cookie: 888 cookie
11:30:   [email]peter@888[1].txt[/email] (ID = 2019)
11:30:   [email]peter@888[2].txt[/email] (ID = 2019)
11:30:   Found Spy Cookie: about cookie
11:30:   [email]peter@about[2].txt[/email] (ID = 2037)
11:30:   Found Spy Cookie: adrevolver cookie
11:30:   [email]peter@adrevolver[2].txt[/email] (ID = 2088)
11:30:   Found Spy Cookie: a cookie
11:30:   [email]peter@a[1].txt[/email] (ID = 2027)
11:30:   Found Spy Cookie: cassava cookie
11:30:   [email]peter@cassava[1].txt[/email] (ID = 2362)
11:30:   Found Spy Cookie: screensavers.com cookie
11:30:   [email]peter@i.screensavers[1].txt[/email] (ID = 3298)
11:30:   Found Spy Cookie: techtarget cookie
11:30:   [email]peter@labmice.techtarget[1].txt[/email] (ID = 3500)
11:30:   [email]peter@nutrition.about[2].txt[/email] (ID = 2038)
11:30:   [email]peter@pediatrics.about[1].txt[/email] (ID = 2038)
11:30:   [email]peter@www.888[1].txt[/email] (ID = 2020)
11:30:   [email]peter@www.screensavers[1].txt[/email] (ID = 3298)
11:30: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:30: Starting File Sweep
11:53: File Sweep Complete, Elapsed Time: 00:22:28
11:53: Full Sweep has completed.  Elapsed time 00:30:45
11:53: Traces Found: 12
11:54: Removal process initiated
11:54:   Quarantining All Traces: 888 cookie
11:54:   Quarantining All Traces: a cookie
11:54:   Quarantining All Traces: about cookie
11:54:   Quarantining All Traces: adrevolver cookie
11:54:   Quarantining All Traces: cassava cookie
11:54:   Quarantining All Traces: screensavers.com cookie
11:54:   Quarantining All Traces: techtarget cookie
11:54: Removal process completed.  Elapsed time 00:00:07
********
02:45: |       Start of Session, 26 March 2006       |
02:45: Spy Sweeper started
02:45: Sweep initiated using definitions version 641
02:45: Starting Memory Sweep
02:45:   Sweep Canceled
02:45: Memory Sweep Complete, Elapsed Time: 00:00:06
02:45: Traces Found: 0
11:41: Processing Startup Alerts
11:41:   Allowed Startup entry: wextract_cleanup0
23:52: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
23:53: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
00:03: Processing Startup Alerts
00:03:   Allowed Startup entry: wextract_cleanup0
00:22: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
00:23: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
01:01: Processing Startup Alerts
01:01:   Allowed Startup entry: wextract_cleanup0
01:01:   Allowed Startup entry: Resume Windows Update Installation.lnk
01:02: Processing Startup Alerts
01:02:   Allowed Startup entry: BrandClearStubs
01:11: Processing Startup Alerts
01:11:   Allowed Startup entry: wextract_cleanup0
01:11: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
01:11: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
02:08: Processing Startup Alerts
02:08:   Allowed Startup entry: wextract_cleanup0
02:16: Processing Startup Alerts
02:16:   Allowed Startup entry: wextract_cleanup0
02:49: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
02:49: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
04:01: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
04:01: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
09:11: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
09:11: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
09:53: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
09:53: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
09:57: Updating spyware definitions
09:57: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
09:57: Updating spyware definitions
09:57: Your definitions are up to date.
10:16: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
10:16: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
10:21: IE Security Shield:  found: C:\DOCUMENTS AND SETTINGS\PETER\DESKTOP\HJT\HIJACKTHIS.EXE -- IE Security modification allowed at user request
10:33: Processing Startup Alerts
10:33:   Allowed Startup entry: Microsoft Telecoms Center
11:22: |       End of Session, 27 March 2006       |
********
00:28: |       Start of Session, 25 March 2006       |
00:28: Spy Sweeper started
00:28: Sweep initiated using definitions version 641
00:28: Found Trojan Horse: trojan-downloader-conhook
00:28: HKCR\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\inprocserver32\  (2 subtraces) (ID = 1190600)
00:28: awtqn.dll (ID = 1190600)
00:28: Starting Memory Sweep
00:34:   Found Adware: virtumonde
00:34:   Detected running threat: C:\WINDOWS\system32\ssqpo.dll (ID = 77)
00:34:   Found Adware: dollarrevenue
00:34:   Detected running threat: C:\WINDOWS\mousepad5.exe (ID = 270020)
00:34:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mousepad (ID = 0)
00:43:   Detected running threat: c:\drsmartload1.exe (ID = 245972)
00:44: Memory Sweep Complete, Elapsed Time: 00:16:17
00:44: Starting Registry Sweep
00:46:   Found Adware: findthewebsiteyouneed hijack
00:46:   HKLM\software\microsoft\internet explorer\main\ || search page (ID = 125241)
00:46:   HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 125242)
00:46:   Found Adware: command
00:46:   HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (ID = 892523)
00:46:   HKLM\software\policies\ || {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} (ID = 916803)
00:46:   HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpo\  (5 subtraces) (ID = 954600)
00:46:   HKLM\software\policies\ || {6bf52a52-394a-11d3-b153-00c04f79faa6} (ID = 967836)
00:46:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\  (6 subtraces) (ID = 1016064)
00:46:   HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\  (8 subtraces) (ID = 1016072)
00:46:   HKLM\software\policies\ || {645ff040-5081-101b-9f08-00aa002f954e} (ID = 1036890)
00:46:   HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\  (7 subtraces) (ID = 1110756)
00:46:   HKCR\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\  (3 subtraces) (ID = 1190599)
00:46:   HKLM\software\classes\clsid\{20d57a66-f7df-467d-907b-9b7f4a118ab7}\  (3 subtraces) (ID = 1190601)
00:46:   HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks\ || {20d57a66-f7df-467d-907b-9b7f4a118ab7} (ID = 1190602)
00:46:   HKLM\software\microsoft\windows\currentversion\run\ || mousepad (ID = 1191795)
00:46:   Found Adware: winantispyware 2005
00:46:   HKLM\software\winfixer_free\ (ID = 1201404)
00:46:   HKU\S-1-5-21-3410288154-3689853989-222395546-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 125236)
00:46:   HKU\S-1-5-21-3410288154-3689853989-222395546-1005\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
00:46:   HKU\S-1-5-21-3410288154-3689853989-222395546-1005\software\microsoft\internet explorer\main\ || default_search_url (ID = 790269)
00:46:   Found Adware: zquest
00:46:   HKU\S-1-5-21-3410288154-3689853989-222395546-1005\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
00:47: Registry Sweep Complete, Elapsed Time:00:02:40
00:47: Starting Cookie Sweep
00:47:   Found Spy Cookie: yieldmanager cookie
00:47:   [email]peter@ad.yieldmanager[1].txt[/email] (ID = 3751)
00:47:   Found Spy Cookie: hbmediapro cookie
00:47:   [email]peter@adopt.hbmediapro[2].txt[/email] (ID = 2768)
00:47:   Found Spy Cookie: hotbar cookie
00:47:   [email]peter@adopt.hotbar[2].txt[/email] (ID = 4207)
00:47:   Found Spy Cookie: adrevolver cookie
00:47:   [email]peter@adrevolver[1].txt[/email] (ID = 2088)
00:47:   [email]peter@adrevolver[3].txt[/email] (ID = 2088)
00:47:   Found Spy Cookie: revenue.net cookie
00:47:   [email]peter@ads1.revenue[1].txt[/email] (ID = 3258)
00:47:   Found Spy Cookie: advertising cookie
00:47:   [email]peter@advertising[2].txt[/email] (ID = 2175)
00:47:   Found Spy Cookie: aff504 cookie
00:47:   [email]peter@aff504[1].txt[/email] (ID = 2187)
00:47:   Found Spy Cookie: aff506 cookie
00:47:   [email]peter@aff506[1].txt[/email] (ID = 2189)
00:47:   Found Spy Cookie: aff6001 cookie
00:47:   [email]peter@aff6001[1].txt[/email] (ID = 2191)
00:47:   Found Spy Cookie: apmebf cookie
00:47:   [email]peter@apmebf[2].txt[/email] (ID = 2229)
00:47:   Found Spy Cookie: falkag cookie
00:47:   [email]peter@as-eu.falkag[2].txt[/email] (ID = 2650)
00:47:   Found Spy Cookie: atlas dmt cookie
00:47:   [email]peter@atdmt[2].txt[/email] (ID = 2253)
00:47:   Found Spy Cookie: a cookie
00:47:   [email]peter@a[1].txt[/email] (ID = 2027)
00:47:   Found Spy Cookie: searchingbooth cookie
00:47:   [email]peter@banners.searchingbooth[1].txt[/email] (ID = 3322)
00:47:   Found Spy Cookie: bassman cookie
00:47:   [email]peter@BassMan[1].txt[/email] (ID = 2290)
00:47:   Found Spy Cookie: belnk cookie
00:47:   [email]peter@belnk[1].txt[/email] (ID = 2292)
00:47:   Found Spy Cookie: bluestreak cookie
00:47:   [email]peter@bluestreak[1].txt[/email] (ID = 2314)
00:47:   Found Spy Cookie: casalemedia cookie
00:47:   [email]peter@casalemedia[2].txt[/email] (ID = 2354)
00:47:   [email]peter@dist.belnk[2].txt[/email] (ID = 2293)
00:47:   Found Spy Cookie: dutchmen cookie
00:47:   [email]peter@Dutchmen[1].txt[/email] (ID = 2545)
00:47:   Found Spy Cookie: fastclick cookie
00:47:   [email]peter@fastclick[2].txt[/email] (ID = 2651)
00:47:   Found Spy Cookie: starware.com cookie
00:47:   [email]peter@h.starware[2].txt[/email] (ID = 3442)
00:47:   [email]peter@hotbar[2].txt[/email] (ID = 2797)
00:47:   Found Spy Cookie: screensavers.com cookie
00:47:   [email]peter@i.screensavers[2].txt[/email] (ID = 3298)
00:47:   Found Spy Cookie: top-banners cookie
00:47:   [email]peter@media.top-banners[1].txt[/email] (ID = 3548)
00:47:   Found Spy Cookie: mediaplex cookie
00:47:   [email]peter@mediaplex[1].txt[/email] (ID = 6442)
00:47:   Found Spy Cookie: nuker cookie
00:47:   [email]peter@nuker[1].txt[/email] (ID = 3085)
00:47:   Found Spy Cookie: valuead cookie
00:47:   [email]peter@reduxads.valuead[1].txt[/email] (ID = 3627)
00:47:   [email]peter@revenue[2].txt[/email] (ID = 3257)
00:47:   Found Spy Cookie: rn11 cookie
00:47:   [email]peter@rn11[2].txt[/email] (ID = 3261)
00:47:   Found Spy Cookie: adjuggler cookie
00:47:   [email]peter@rotator.adjuggler[1].txt[/email] (ID = 2071)
00:47:   Found Spy Cookie: servlet cookie
00:47:   [email]peter@servlet[1].txt[/email] (ID = 3345)
00:47:   Found Spy Cookie: reliablestats cookie
00:47:   [email]peter@stats1.reliablestats[1].txt[/email] (ID = 3254)
00:47:   Found Spy Cookie: targetnet cookie
00:47:   [email]peter@targetnet[1].txt[/email] (ID = 3489)
00:47:   Found Spy Cookie: toplist cookie
00:47:   [email]peter@toplist[1].txt[/email] (ID = 3557)
00:47:   Found Spy Cookie: trafficmp cookie
00:47:   [email]peter@trafficmp[1].txt[/email] (ID = 3581)
00:47:   Found Spy Cookie: tribalfusion cookie
00:47:   [email]peter@tribalfusion[1].txt[/email] (ID = 3589)
00:47:   Found Spy Cookie: videodome cookie
00:47:   [email]peter@videodome[1].txt[/email] (ID = 3638)
00:47:   Found Spy Cookie: wizzle cookie
00:47:   [email]peter@wizzle[2].txt[/email] (ID = 3695)
00:47:   Found Spy Cookie: epilot cookie
00:47:   [email]peter@www.epilot[1].txt[/email] (ID = 2622)
00:47:   Found Spy Cookie: jumptothat cookie
00:47:   [email]peter@www.jumptothat[1].txt[/email] (ID = 2894)
00:47:   Found Spy Cookie: myaffiliateprogram.com cookie
00:47:   [email]peter@www.myaffiliateprogram[1].txt[/email] (ID = 3032)
00:47:   [email]peter@www.screensavers[2].txt[/email] (ID = 3298)
00:47:   Found Spy Cookie: seek-media cookie
00:47:   [email]peter@www.seek-media[2].txt[/email] (ID = 3328)
00:47:   [email]peter@www.starware[1].txt[/email] (ID = 3442)
00:47:   Found Spy Cookie: winantiviruspro cookie
00:47:   [email]peter@www.winantiviruspro[1].txt[/email] (ID = 3690)
00:47:   [email]peter@yieldmanager[1].txt[/email] (ID = 3749)
00:47:   Found Spy Cookie: adserver cookie
00:47:   [email]peter@z1.adserver[1].txt[/email] (ID = 2142)
00:47:   Found Spy Cookie: zedo cookie
00:47:   [email]peter@zedo[1].txt[/email] (ID = 3762)
00:47:   Found Spy Cookie: findwhat cookie
00:47:   [email]system@findwhat[1].txt[/email] (ID = 2674)
00:47: Cookie Sweep Complete, Elapsed Time: 00:00:07
00:47: Starting File Sweep
00:47:   Found Trojan Horse: trojan downloader matcash
00:47:   c:\program files\common files\inetget (ID = -2147477182)
00:49:   Found Adware: targetsaver
00:49:   class-barrel (ID = 78229)
00:49:   vocabulary (ID = 78283)
00:49:   newname5[1].exe (ID = 270021)
00:49:   newname5.exe (ID = 270021)
00:49:   drsmartload46a[1].exe (ID = 270017)
00:49:   drsmartload46a.exe (ID = 270017)
00:49:   mousepad5.exe (ID = 270020)
00:49:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || mousepad (ID = 0)
00:50:   The Spy Communication shield has blocked access to: e.rn11.com
00:50:   The Spy Communication shield has blocked access to: e.rn11.com
00:51:   The Spy Communication shield has blocked access to: e.rn11.com
00:51:   The Spy Communication shield has blocked access to: e.rn11.com
00:53:   uwfx6_0001_n69m1503netinstaller.exe (ID = 269738)
00:53:   keyboard5.exe (ID = 270019)
00:53:   HKLM\Software\Microsoft\Windows\CurrentVersion\Run || keyboard (ID = 0)
00:54:   dr140306.exe (ID = 267188)
00:54:   drsmartload[1].exe (ID = 270018)
00:58:   keyboard4.exe (ID = 268841)
00:58:   mousepad4.exe (ID = 268843)
00:59:   Found Adware: deskwizz
00:59:   wallpap.exe (ID = 240959)
01:03:   Found Adware: maxifiles
01:03:   autoit3.exe (ID = 185254)
01:04:   drsmartload1.exe (ID = 245972)
01:06:   uninstall_nmon.vbs (ID = 231442)
01:08:   Found Adware: ist surf accuracy
01:08:   istdialog[1].dll (ID = 266604)
01:13:   mte3ndi6odoxng.exe (ID = 185985)
01:13:   dh.ini (ID = 268430)
01:13:   Found Trojan Horse: sdbot
01:13:   adiras.ini (ID = 74768)
01:13:   ohpolpk0.vbs (ID = 185675)
01:14: File Sweep Complete, Elapsed Time: 00:26:31
01:14: Full Sweep has completed.  Elapsed time 00:45:48
01:14: Traces Found: 135
01:15: Removal process initiated
01:16:   Quarantining All Traces: sdbot
01:16:   Quarantining All Traces: trojan downloader matcash
01:16:   Quarantining All Traces: virtumonde
01:17:   virtumonde is in use.  It will be removed on reboot.
01:17:     C:\WINDOWS\system32\ssqpo.dll is in use.  It will be removed on reboot.
01:17:   Quarantining All Traces: dollarrevenue
01:17:   dollarrevenue is in use.  It will be removed on reboot.
01:17:     mousepad5.exe is in use.  It will be removed on reboot.
01:17:     drsmartload1.exe is in use.  It will be removed on reboot.
01:17:   Quarantining All Traces: maxifiles
01:17:   Quarantining All Traces: trojan-downloader-conhook
01:17:   trojan-downloader-conhook is in use.  It will be removed on reboot.
01:17:     awtqn.dll is in use.  It will be removed on reboot.
01:17:   Quarantining All Traces: zquest
01:17:   Quarantining All Traces: command
01:17:   Quarantining All Traces: deskwizz
01:17:   Quarantining All Traces: findthewebsiteyouneed hijack
01:17:   Quarantining All Traces: ist surf accuracy
01:17:   Quarantining All Traces: targetsaver
01:18:   Quarantining All Traces: a cookie
01:18:   Quarantining All Traces: adjuggler cookie
01:18:   Quarantining All Traces: adrevolver cookie
01:18:   Quarantining All Traces: adserver cookie
01:18:   Quarantining All Traces: advertising cookie
01:18:   Quarantining All Traces: aff504 cookie
01:18:   Quarantining All Traces: aff506 cookie
01:18:   Quarantining All Traces: aff6001 cookie
01:18:   Quarantining All Traces: apmebf cookie
01:18:   Quarantining All Traces: atlas dmt cookie
01:18:   Quarantining All Traces: bassman cookie
01:18:   Quarantining All Traces: belnk cookie
01:18:   Quarantining All Traces: bluestreak cookie
01:18:   Quarantining All Traces: casalemedia cookie
01:18:   Quarantining All Traces: dutchmen cookie
01:18:   Quarantining All Traces: epilot cookie
01:18:   Quarantining All Traces: falkag cookie
01:18:   Quarantining All Traces: fastclick cookie
01:18:   Quarantining All Traces: findwhat cookie
01:18:   Quarantining All Traces: hbmediapro cookie
01:18:   Quarantining All Traces: hotbar cookie
01:18:   Quarantining All Traces: jumptothat cookie
01:18:   Quarantining All Traces: mediaplex cookie
01:18:   Quarantining All Traces: myaffiliateprogram.com cookie
01:18:   Quarantining All Traces: nuker cookie
01:18:   Quarantining All Traces: reliablestats cookie
01:18:   Quarantining All Traces: revenue.net cookie
01:18:   Quarantining All Traces: rn11 cookie
01:18:   Quarantining All Traces: screensavers.com cookie
01:18:   Quarantining All Traces: searchingbooth cookie
01:18:   Quarantining All Traces: seek-media cookie
01:18:   Quarantining All Traces: servlet cookie
01:18:   Quarantining All Traces: starware.com cookie
01:18:   Quarantining All Traces: targetnet cookie
01:18:   Quarantining All Traces: top-banners cookie
01:18:   Quarantining All Traces: toplist cookie
01:18:   Quarantining All Traces: trafficmp cookie
01:18:   Quarantining All Traces: tribalfusion cookie
01:18:   Quarantining All Traces: valuead cookie
01:18:   Quarantining All Traces: videodome cookie
01:18:   Quarantining All Traces: winantispyware 2005
01:18:   Quarantining All Traces: winantiviruspro cookie
01:18:   Quarantining All Traces: wizzle cookie
01:18:   Quarantining All Traces: yieldmanager cookie
01:18:   Quarantining All Traces: zedo cookie
01:20:   Preparing to restart your computer. Please wait...
01:20: Removal process completed.  Elapsed time 00:04:28
01:23: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
01:23: The Spy Communication shield has blocked access to: promo.dollarrevenue.com
01:25: Deletion from quarantine initiated
01:25: Processing: a cookie
01:25: Processing: adjuggler cookie
01:25: Processing: adrevolver cookie
01:25: Processing: adserver cookie
01:25: Processing: aff504 cookie
01:25: Processing: aff506 cookie
01:25: Processing: aff6001 cookie
01:25: Processing: apmebf cookie
01:25: Processing: atlas dmt cookie
01:25: Processing: bassman cookie
01:25: Processing: belnk cookie
01:25: Processing: bluestreak cookie
01:25: Processing: casalemedia cookie
01:25: Processing: command
01:25: Processing: deskwizz
01:25: Processing: dollarrevenue
01:25: Processing: dutchmen cookie
01:25: Processing: epilot cookie
01:25: Processing: falkag cookie
01:25: Processing: fastclick cookie
01:25: Processing: findthewebsiteyouneed hijack
01:25: Processing: findwhat cookie
01:25: Processing: hbmediapro cookie
01:25: Processing: hotbar cookie
01:25: Processing: ist surf accuracy
01:25: Processing: jumptothat cookie
01:25: Processing: maxifiles
01:25: Processing: mediaplex cookie
01:25: Processing: myaffiliateprogram.com cookie
01:25: Processing: nuker cookie
01:25: Processing: revenue.net cookie
01:25: Processing: rn11 cookie
01:25: Processing: sdbot
01:25: Processing: searchingbooth cookie
01:25: Processing: seek-media cookie
01:25: Processing: servlet cookie
01:25: Processing: starware.com cookie
01:25: Processing: targetnet cookie
01:25: Processing: targetsaver
01:25: Processing: top-banners cookie
01:25: Processing: toplist cookie
01:25: Processing: trafficmp cookie
01:25: Processing: tribalfusion cookie
01:25: Processing: trojan downloader matcash
01:25: Processing: trojan-downloader-conhook
01:25: Processing: valuead cookie
01:25: Processing: videodome cookie
01:25: Processing: virtumonde
01:25: Processing: winantispyware 2005
01:25: Processing: winantiviruspro cookie
01:25: Processing: wizzle cookie
01:25: Processing: yieldmanager cookie
01:25: Processing: zedo cookie
01:25: Processing: zquest
01:25: Deletion from quarantine completed.  Elapsed time 00:00:09
********
00:24: |       Start of Session, 25 March 2006       |
00:24: Spy Sweeper started
00:26: Your spyware definitions have been updated.
00:26: Your definitions are up to date.
00:28: |       End of Session, 25 March 2006       |

Here is VundoFix log

[LocalizedFileNames]
Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4

Whats the next step to sort PC

tayspen 28 <Insert title here> Team Colleague · Answer 6 · 2006-03-28T04:44:57+00:00

Ok, so that telcoms.exe file is back :-|, and since it seems to be malicious we are going to take em out once and for all.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Now Start killbox Copy the list of files below to the clipboard by selecting all of them with your mouse (Left click the start of the list and drag the mouse to the bottom of the list) and when they are all selected ( highlighted in blue) right click on any part of the blue area and say copy

In the Killbox, Go to the toolbar press file and select Paste from clipboard. The first file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then press the red X again and continue to press untill the last file on the list appears in the window & it says deleted.

C:\WINDOWS\System32\telcoms.exe

-----------------------------------------------

Then run HJT and check the following.

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe

O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe

O15 - Trusted Zone: http://*.winsoftware.com

Click Fix Checked.

Post a new HJT log.

pete25 0 Light Poster · Answer 7 · 2006-03-28T05:38:02+00:00

Don't know if its away yet as pocket killbox does not recognise it

What's next step please

Logfile of HijackThis v1.99.1
Scan saved at 00:29:06, on 28/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

tayspen 28 <Insert title here> Team Colleague · Answer 8 · 2006-03-28T06:21:43+00:00

Good news. It seems taht the file is gone, your looking clean now, just a few more things. If you dont reconize this IP, or itsnot your ISP, check it.

O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 212.74.114.129 212.74.112.67

Click Fix Checked.

Post a new log, and hopefully the last.

pete25 0 Light Poster · Answer 9 · 2006-03-28T06:42:59+00:00

It was not my IP address so I checked it

Is there anything else that requires my attention

Logfile of HijackThis v1.99.1
Scan saved at 01:39:07, on 28/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

DMR 152 Wombat At Large Team Colleague · Answer 10 · 2006-03-28T07:04:43+00:00

It was not my IP address so I checked it

:eek: Those weren't your IP addresses, they were the DNS server IPs assigned by your ISP (Tiscali). If your ISP automatically assigns you the IP/Gateway/DNS IP addresses, don't sweat it; your computer will re-acquire the info. If you manually enter your IP settings into your network card's Property pages, re-enter those addresses in the DNS server section of the Properties window.

pete25 0 Light Poster · Answer 11 · 2006-03-30T01:17:20+00:00

I am still having problems now the computer is going dead slow and windows woul not load up I had to restore it to ysterday for it to work

Here's my log please could I get help

Logfile of HijackThis v1.99.1
Scan saved at 20:04:11, on 29/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

tayspen 28 <Insert title here> Team Colleague · Answer 12 · 2006-03-30T01:35:23+00:00

Looks like netmon.exe is a trojan.

Chack it in HJT, then click fix checked.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Then do this.

Start>Run type Services.msc
-Right click Network Monitor
and choose Stop
-Now choose Properties and change Startup Type to disabled

Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Network Monitor
into the box and delete it.

Then ensure this file is gone.

C:\Program Files\Network Monitor\netmon.exe

Post a new log

Source saying it was bad-- http://www.bleepingcomputer.com/startups/NETMON.EXE-8861.html

D3m3nt3d 1 Posting Whiz in Training · Answer 13 · 2006-03-30T03:36:46+00:00

Looks like netmon.exe is a trojan.
Chack it in HJT, then click fix checked.

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Then do this.
Start>Run type Services.msc
-Right click Network Monitor
and choose Stop
-Now choose Properties and change Startup Type to disabled

Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and Paste - Network Monitor
into the box and delete it.
Then ensure this file is gone.
C:\Program Files\Network Monitor\netmon.exe
Post a new log
Source saying it was bad-- http://www.bleepingcomputer.com/startups/NETMON.EXE-8861.html

No - what they are referring to is located in the System32 folder, not in C:\Program Files

Also the name is Network Monitoring Service and not Network Monitor :)

pete25 0 Light Poster · Answer 14 · 2006-03-30T06:11:08+00:00

Here's the log

Logfile of HijackThis v1.99.1
Scan saved at 01:00:30, on 30/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Documents and Settings\PETER\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NavRegReminder] "C:\WINDOWS\temp\NavBrowser.exe" /r /i "C:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143110853873
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143367774389
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A36C72A-B29C-43B8-928D-8BCA6A98D135}: NameServer = 80.225.252.58 80.225.252.50
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I keep getting win32:Trojano-2873 [trj] virus with spy sweeper and I delete it but it seems to keep coming back. Its found in my volume information file. Is there any way of permanently getting rid of this

D3m3nt3d 1 Posting Whiz in Training · Answer 15 · 2006-03-30T09:05:37+00:00

Yes by flushing your System Restore whenever Tayspen confirms he is thru with the fix. :)

tayspen 28 <Insert title here> Team Colleague · Answer 16 · 2006-03-30T09:11:22+00:00

Yes by flushing your System Restore whenever Tayspen confirms he is thru with the fix. :)

Well it looks clean to me. Just hope that wasn't a test, and there is really a tricky entry in there ;).

As far as flushing (deleting) out your resotre points,

http://www.bleepingcomputer.com/tutorials/tutorial56.html

look under the "Deleting Restore Points" part...

-T

pete25 0 Light Poster · Answer 17 · 2006-04-06T00:18:11+00:00

pete25 0 Light Poster

18 Years Ago

thanks for the help

solved

Help Got haywire computer

Recommended Answers Collapse Answers

All 22 Replies

Recommended Answers