Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan.agent.cs, others? [RESOLVED]


  • This topic is locked This topic is locked

#1
nigellajune

nigellajune

    Member

  • Member
  • PipPip
  • 10 posts
I'm having a nightmare, hope somebody can advise. I see that somebody else had a recent problem with this one too.
For some time my machine has been very slow, periodically crashes, explorer.exe churning and using 50% of CPU until rebooted and I've had pop-ups appearing. I already had SpyBot (which keeps telling me there's nothing wrong), Norton AV(which said it had found adware but couldn't do anything about it), Mcafee antispyware (which again says nothing wrong), Microsoft Antispyware (picks up nothing). I was running Zonealarm as my firewall but having installed Norton Internet Security I've started using that instead.
I've now followed the instructions for before posting a HJT log. Ad-Aware picks up trojan.agent.cs, says it's deleted six items but then finds them again if I rerun immediately afterwards. Norton is still picking up adware and also suddenly says it's found two more infected files which I've quarantined. explorer.exe is still going nuts fairly regularly.
Housecall was more encouraging, it picked up smallfry, dropper, small and agent files and seems to have deleted all except the agent.fz stuff.
TDS, Spybot and CWShredder found nothing.
As some of my pop-ups are search42, I suspected Vundo but Norton's Vundo removal tool didn't find it.

I'm posting the log here, I'd also love to know whether I'm running the right programs to protect my PC (no idea how it got in) and whether I could actually be running too much so that they're interfering with each other.

Many thanks to anybody who can help, hope the above makes sense!


Logfile of HijackThis v1.99.1
Scan saved at 21:44:19, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\assembly\temp\waveip.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DB783A-7807-4EA2-899E-3BC599D905FD}: NameServer = 194.74.65.68 194.72.9.39
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O20 - Winlogon Notify: waveip - C:\WINDOWS\assembly\temp\waveip.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi nigellajune,

If you are still requiring help with this issue,please post a fresh HijackThis log!
  • 0

#3
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Yes please - I still need help!!
I did try reading the log myself while I was waiting, found a couple of things but not sure of the best way to remove them.

Logfile of HijackThis v1.99.1
Scan saved at 22:07:17, on 03/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\assembly\temp\waveip.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DB783A-7807-4EA2-899E-3BC599D905FD}: NameServer = 194.74.65.68 194.72.9.39
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O20 - Winlogon Notify: waveip - C:\WINDOWS\assembly\temp\waveip.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK,Lets start by having a look where these bugs are at!

Download Atribunes Look.Zip from Here
http://www.atribune....nloads/Look.zip

Right Click and "Extract All"

Double Click Look.bat and Give it time to run

Copy&Paste the Contents of the Report it produces back into this thread!

Edited by Cretemonster, 03 July 2005 - 08:15 PM.

  • 0

#5
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\addins

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\AppPatch

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly

08/01/2004 13:13 227 Desktop.ini
1 File(s) 227 bytes
0 Dir(s) 87,063,269,376 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Config

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Cursors

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\System32\Drivers

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Fonts

29/08/2002 06:00 10,976 8514FIX.FON
29/08/2002 06:00 10,976 8514FIXE.FON
29/08/2002 06:00 11,520 8514FIXG.FON
29/08/2002 06:00 10,976 8514FIXR.FON
29/08/2002 06:00 11,488 8514FIXT.FON
29/08/2002 06:00 12,288 8514OEM.FON
29/08/2002 06:00 13,248 8514OEME.FON
29/08/2002 06:00 12,800 8514OEMG.FON
29/08/2002 06:00 13,200 8514OEMR.FON
29/08/2002 06:00 12,720 8514OEMT.FON
29/08/2002 06:00 9,280 8514SYS.FON
29/08/2002 06:00 9,504 8514SYSE.FON
29/08/2002 06:00 9,856 8514SYSG.FON
29/08/2002 06:00 10,064 8514SYSR.FON
29/08/2002 06:00 9,792 8514SYST.FON
29/08/2002 06:00 12,304 85775.FON
29/08/2002 06:00 12,256 85855.FON
29/08/2002 06:00 10,976 85F1257.FON
29/08/2002 06:00 9,472 85S1257.FON
29/08/2002 06:00 35,808 APP775.FON
29/08/2002 06:00 36,672 APP850.FON
29/08/2002 06:00 36,656 APP852.FON
29/08/2002 06:00 37,296 APP855.FON
29/08/2002 06:00 36,672 APP857.FON
29/08/2002 06:00 37,472 APP866.FON
29/08/2002 06:00 7,216 CGA40737.FON
29/08/2002 06:00 6,352 CGA40850.FON
29/08/2002 06:00 6,672 CGA40852.FON
29/08/2002 06:00 6,672 CGA40857.FON
29/08/2002 06:00 7,232 CGA40866.FON
29/08/2002 06:00 7,216 CGA40869.FON
29/08/2002 06:00 6,336 CGA40WOA.FON
29/08/2002 06:00 5,168 CGA80737.FON
29/08/2002 06:00 4,320 CGA80850.FON
29/08/2002 06:00 5,200 CGA80852.FON
29/08/2002 06:00 4,640 CGA80857.FON
29/08/2002 06:00 5,168 CGA80866.FON
29/08/2002 06:00 5,168 CGA80869.FON
29/08/2002 06:00 4,304 CGA80WOA.FON
29/08/2002 06:00 23,440 COUE1257.FON
29/08/2002 06:00 31,760 COUF1257.FON
29/08/2002 06:00 23,408 COURE.FON
29/08/2002 06:00 23,440 COUREE.FON
29/08/2002 06:00 25,024 COUREG.FON
29/08/2002 06:00 23,440 COURER.FON
29/08/2002 06:00 25,024 COURET.FON
29/08/2002 06:00 31,712 COURF.FON
29/08/2002 06:00 31,776 COURFE.FON
29/08/2002 06:00 33,344 COURFG.FON
29/08/2002 06:00 31,808 COURFR.FON
29/08/2002 06:00 33,360 COURFT.FON
03/09/2002 09:59 67 DESKTOP.INI
29/08/2002 06:00 36,336 DOS737.FON
29/08/2002 06:00 36,656 DOSAPP.FON
29/08/2002 06:00 9,248 EGA40737.FON
29/08/2002 06:00 8,384 EGA40850.FON
29/08/2002 06:00 8,368 EGA40852.FON
29/08/2002 06:00 8,704 EGA40857.FON
29/08/2002 06:00 9,232 EGA40866.FON
29/08/2002 06:00 9,248 EGA40869.FON
29/08/2002 06:00 8,368 EGA40WOA.FON
29/08/2002 06:00 6,192 EGA80737.FON
29/08/2002 06:00 5,328 EGA80850.FON
29/08/2002 06:00 5,344 EGA80852.FON
29/08/2002 06:00 5,648 EGA80857.FON
29/08/2002 06:00 5,280 EGA80866.FON
29/08/2002 06:00 6,192 EGA80869.FON
29/08/2002 06:00 5,312 EGA80WOA.FON
29/08/2002 06:00 24,124 MARLETT.TTF
29/08/2002 06:00 59,024 SERE1257.FON
29/08/2002 06:00 84,080 SERF1257.FON
29/08/2002 06:00 57,936 SERIFE.FON
29/08/2002 06:00 59,952 SERIFEE.FON
29/08/2002 06:00 60,752 SERIFEG.FON
29/08/2002 06:00 63,296 SERIFER.FON
29/08/2002 06:00 61,024 SERIFET.FON
29/08/2002 06:00 81,728 SERIFF.FON
29/08/2002 06:00 85,360 SERIFFE.FON
29/08/2002 06:00 86,256 SERIFFG.FON
29/08/2002 06:00 90,736 SERIFFR.FON
29/08/2002 06:00 84,848 SERIFFT.FON
29/08/2002 06:00 24,672 SMAE1257.FON
29/08/2002 06:00 19,904 SMAF1257.FON
29/08/2002 06:00 26,112 SMALLE.FON
29/08/2002 06:00 24,784 SMALLEE.FON
29/08/2002 06:00 28,912 SMALLEG.FON
29/08/2002 06:00 24,832 SMALLER.FON
29/08/2002 06:00 29,200 SMALLET.FON
29/08/2002 06:00 21,504 SMALLF.FON
29/08/2002 06:00 19,600 SMALLFE.FON
29/08/2002 06:00 23,120 SMALLFG.FON
29/08/2002 06:00 19,760 SMALLFR.FON
29/08/2002 06:00 23,008 SMALLFT.FON
29/08/2002 06:00 65,456 SSEE1257.FON
29/08/2002 06:00 90,336 SSEF1257.FON
29/08/2002 06:00 64,656 SSERIFE.FON
29/08/2002 06:00 66,464 SSERIFEE.FON
29/08/2002 06:00 65,328 SSERIFEG.FON
29/08/2002 06:00 68,848 SSERIFER.FON
29/08/2002 06:00 64,400 SSERIFET.FON
29/08/2002 06:00 89,856 SSERIFF.FON
29/08/2002 06:00 92,032 SSERIFFE.FON
29/08/2002 06:00 90,288 SSERIFFG.FON
29/08/2002 06:00 98,256 SSERIFFR.FON
29/08/2002 06:00 89,456 SSERIFFT.FON
29/08/2002 06:00 56,336 SYMBOLE.FON
29/08/2002 06:00 5,168 VGA737.FON
29/08/2002 06:00 5,168 VGA775.FON
29/08/2002 06:00 5,232 VGA850.FON
29/08/2002 06:00 6,160 VGA852.FON
29/08/2002 06:00 5,120 VGA855.FON
29/08/2002 06:00 5,552 VGA857.FON
29/08/2002 06:00 5,184 VGA860.FON
29/08/2002 06:00 5,200 VGA863.FON
29/08/2002 06:00 5,184 VGA865.FON
29/08/2002 06:00 6,128 VGA866.FON
29/08/2002 06:00 5,184 VGA869.FON
29/08/2002 06:00 5,376 VGAF1257.FON
29/08/2002 06:00 5,360 VGAFIX.FON
29/08/2002 06:00 5,376 VGAFIXE.FON
29/08/2002 06:00 6,112 VGAFIXG.FON
29/08/2002 06:00 5,600 VGAFIXR.FON
29/08/2002 06:00 6,112 VGAFIXT.FON
29/08/2002 06:00 5,168 VGAOEM.FON
29/08/2002 06:00 6,656 VGAS1257.FON
29/08/2002 06:00 7,280 VGASYS.FON
29/08/2002 06:00 6,608 VGASYSE.FON
29/08/2002 06:00 7,008 VGASYSG.FON
29/08/2002 06:00 6,912 VGASYSR.FON
29/08/2002 06:00 6,912 VGASYST.FON
130 File(s) 3,353,375 bytes
0 Dir(s) 87,063,261,184 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Help

08/04/2005 19:47 8,628 netcfg.GID
20/02/2004 19:04 10,820 nocontnt.GID
2 File(s) 19,448 bytes
0 Dir(s) 87,063,261,184 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\inf

01/07/2005 13:08 <DIR> .
01/07/2005 13:08 <DIR> ..
19/01/2004 12:47 0 oem10.inf
01/02/2004 14:21 0 oem15.inf
16/08/2004 06:06 0 oem24.inf
01/07/2005 13:07 0 oem27.inf
17/01/2004 01:59 0 oem9.inf
5 File(s) 0 bytes
2 Dir(s) 87,063,257,088 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\java

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Microsoft.NET

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\msagent

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Registration

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\repair

10/01/2005 23:55 <DIR> Backup
03/09/2002 10:00 229,376 NTUSER.DAT
1 File(s) 229,376 bytes
1 Dir(s) 87,063,257,088 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\security

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\ServicePackFiles

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system32

03/09/2002 09:57 749 cdplayer.exe.manifest
03/07/2005 21:51 <DIR> DLLCACHE
03/09/2002 09:57 488 logonui.exe.manifest
03/09/2002 09:57 749 ncpa.cpl.manifest
03/09/2002 09:57 749 nwc.cpl.manifest
03/09/2002 09:57 749 sapi.cpl.manifest
27/06/2005 14:28 905 vsconfig.xml
03/09/2002 09:57 488 WindowsLogon.manifest
03/09/2002 09:57 749 wuaucpl.cpl.manifest
31/05/2005 07:13 4,212 zllictbl.dat
9 File(s) 9,838 bytes
1 Dir(s) 87,063,257,088 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Web

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\addins

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\AppPatch

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly

13/01/2005 13:58 <DIR> .
13/01/2005 13:58 <DIR> ..
08/01/2004 13:13 227 Desktop.ini
1 File(s) 227 bytes
2 Dir(s) 87,063,257,088 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Config

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Cursors

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\System32\Drivers

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Fonts

07/03/2005 12:06 <DIR> .
07/03/2005 12:06 <DIR> ..
03/09/2002 09:59 67 DESKTOP.INI
1 File(s) 67 bytes
2 Dir(s) 87,063,257,088 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Help

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\inf

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\java

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Microsoft.NET

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\msagent

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Registration

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\repair

10/01/2005 23:55 <DIR> Backup
0 File(s) 0 bytes
1 Dir(s) 87,063,252,992 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\security

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\ServicePackFiles

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system32

03/07/2005 21:51 <DIR> DLLCACHE
08/01/2004 12:37 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 87,063,252,992 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Web

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS

Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS
  • 0

#6
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile of HijackThis v1.99.1
Scan saved at 21:29:43, on 04/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\assembly\temp\waveip.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DB783A-7807-4EA2-899E-3BC599D905FD}: NameServer = 194.74.65.68 194.72.9.39
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O20 - Winlogon Notify: waveip - C:\WINDOWS\assembly\temp\waveip.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#7
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
nigellajune,
Can you repeat the last instructions by Cretemonster please I have updated Look.bat so please delete the old one and download the new one from the same link
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Go for it Atri!!!

Nigellajune go ahead with Atribunes Instructions,something tells me he has put some time into this!

You are in excellent hands! :tazz:

Edited by Cretemonster, 04 July 2005 - 04:20 PM.

  • 0

#9
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Logfile of HijackThis v1.99.1
Scan saved at 00:33:57, on 05/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\assembly\temp\waveip.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DB783A-7807-4EA2-899E-3BC599D905FD}: NameServer = 194.74.65.68 194.72.9.39
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O20 - Winlogon Notify: waveip - C:\WINDOWS\assembly\temp\waveip.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#10
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
New run of look.bat

Looking for req.dat
req.dat not found
************************************
**These are the hidden files found**
**Not all files found are bad **
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly\temp

20/04/2005 23:09 419,348 waveip.dll
1 File(s) 419,348 bytes

Total Files Listed:
1 File(s) 419,348 bytes
0 Dir(s) 87,033,462,784 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly

08/01/2004 13:13 227 Desktop.ini
1 File(s) 227 bytes

Directory of C:\WINDOWS\assembly\temp

05/07/2005 00:41 605,625 pievaw.ini
27/06/2005 11:56 601,901 pievaw.ini2
2 File(s) 1,207,526 bytes

Total Files Listed:
3 File(s) 1,207,753 bytes
0 Dir(s) 87,033,458,688 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Fonts

03/09/2002 09:59 67 DESKTOP.INI
1 File(s) 67 bytes

Total Files Listed:
1 File(s) 67 bytes
0 Dir(s) 87,033,458,688 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Application Data

03/09/2002 09:50 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch

03/09/2002 03:06 139 DESKTOP.INI
1 File(s) 139 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Favorites

03/09/2002 03:06 122 Desktop.ini
1 File(s) 122 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings

08/01/2004 13:35 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\History

03/09/2002 09:58 113 DESKTOP.INI
1 File(s) 113 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\History\History.IE5

03/09/2002 09:58 113 DESKTOP.INI
1 File(s) 113 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files

03/09/2002 09:58 67 DESKTOP.INI
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5

03/09/2002 09:58 67 DESKTOP.INI
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3YW73ILA

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ID2LGNIP

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J4MJV2TG

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X2U3VH2Z

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents

03/09/2002 03:06 76 DESKTOP.INI
1 File(s) 76 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents\My Music

03/09/2002 03:06 181 Desktop.ini
1 File(s) 181 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents\My Pictures

03/09/2002 03:06 183 Desktop.ini
1 File(s) 183 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Recent

03/09/2002 03:06 150 Desktop.ini
1 File(s) 150 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\SendTo

03/09/2002 09:57 181 DESKTOP.INI
1 File(s) 181 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu

03/09/2002 09:50 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs

03/09/2002 03:06 292 DESKTOP.INI
1 File(s) 292 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories

03/09/2002 03:06 542 DESKTOP.INI
1 File(s) 542 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Accessibility

03/09/2002 10:00 348 DESKTOP.INI
1 File(s) 348 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Entertainment

03/09/2002 10:00 84 DESKTOP.INI
1 File(s) 84 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Startup

03/09/2002 10:00 84 DESKTOP.INI
1 File(s) 84 bytes

Total Files Listed:
23 File(s) 3,196 bytes
0 Dir(s) 87,033,454,592 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\repair

03/09/2002 10:00 229,376 NTUSER.DAT
1 File(s) 229,376 bytes

Total Files Listed:
1 File(s) 229,376 bytes
0 Dir(s) 87,033,446,400 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system32

31/05/2005 07:13 4,212 zllictbl.dat
1 File(s) 4,212 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Application Data\Microsoft\Windows

08/01/2004 13:35 262,144 UsrClass.dat
1 File(s) 262,144 bytes

Total Files Listed:
2 File(s) 266,356 bytes
0 Dir(s) 87,033,446,400 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
************************************
**These are the system files found**
**Not allfiles found are bad **
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly\temp

20/04/2005 23:09 419,348 waveip.dll
1 File(s) 419,348 bytes

Total Files Listed:
1 File(s) 419,348 bytes
0 Dir(s) 87,033,446,400 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly

08/01/2004 13:13 227 Desktop.ini
1 File(s) 227 bytes

Directory of C:\WINDOWS\assembly\temp

05/07/2005 00:41 605,625 pievaw.ini
27/06/2005 11:56 601,901 pievaw.ini2
2 File(s) 1,207,526 bytes

Total Files Listed:
3 File(s) 1,207,753 bytes
0 Dir(s) 87,033,442,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\Fonts

03/09/2002 09:59 67 DESKTOP.INI
1 File(s) 67 bytes

Total Files Listed:
1 File(s) 67 bytes
0 Dir(s) 87,033,442,304 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Application Data

03/09/2002 09:50 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Application Data\Microsoft\Internet Explorer\Quick Launch

03/09/2002 03:06 139 DESKTOP.INI
1 File(s) 139 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Favorites

03/09/2002 03:06 122 Desktop.ini
1 File(s) 122 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings

08/01/2004 13:35 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\History

03/09/2002 09:58 113 DESKTOP.INI
1 File(s) 113 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\History\History.IE5

03/09/2002 09:58 113 DESKTOP.INI
1 File(s) 113 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files

03/09/2002 09:58 67 DESKTOP.INI
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5

03/09/2002 09:58 67 DESKTOP.INI
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\3YW73ILA

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ID2LGNIP

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\J4MJV2TG

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\X2U3VH2Z

27/06/2005 15:03 67 desktop.ini
1 File(s) 67 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents

03/09/2002 03:06 76 DESKTOP.INI
1 File(s) 76 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents\My Music

03/09/2002 03:06 181 Desktop.ini
1 File(s) 181 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\My Documents\My Pictures

03/09/2002 03:06 183 Desktop.ini
1 File(s) 183 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Recent

03/09/2002 03:06 150 Desktop.ini
1 File(s) 150 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\SendTo

03/09/2002 09:57 181 DESKTOP.INI
1 File(s) 181 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu

03/09/2002 09:50 62 DESKTOP.INI
1 File(s) 62 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs

03/09/2002 03:06 292 DESKTOP.INI
1 File(s) 292 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories

03/09/2002 03:06 542 DESKTOP.INI
1 File(s) 542 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Accessibility

03/09/2002 10:00 348 DESKTOP.INI
1 File(s) 348 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Entertainment

03/09/2002 10:00 84 DESKTOP.INI
1 File(s) 84 bytes

Directory of C:\WINDOWS\system32\CONFIG\systemprofile\Start Menu\Programs\Startup

03/09/2002 10:00 84 DESKTOP.INI
1 File(s) 84 bytes

Total Files Listed:
23 File(s) 3,196 bytes
0 Dir(s) 87,033,438,208 bytes free
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9
  • 0

Advertisements


#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry for the late night last night,maybe today will bring you some sunshine!

Lets start off by downloading a few necessary programs.

Download and Unzip Process Explorer Here
Scroll to the bottom of the page and select your Operating System.
Unzip it to its own folder on the desktop so you can find it later.
Download and install Advanced Process Manipulation Here

Then copy the part in bold below into notepad and save it directly to the rootdirectory as vundoh.reg
Set Filetype to "All files" (the file should now be here: C:\vundoh.reg)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\waveip]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400


Now reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Open Process Explorer.
  • Scroll down in the main window and find winlogon.exe
  • Right click on winlogon.exe and select Suspend
  • Leave Process Explorer open.
Now run HijackThis and put checkmarks in front of these two lines

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\assembly\temp\waveip.dll

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dat (file missing)
O20 - Winlogon Notify: waveip - C:\WINDOWS\assembly\temp\waveip.dll


Do NOT fix them yet

Now open Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\explorer.exe
  • Click on the entry and that will display a list of files in the second window.
  • Scroll down the list in the second window and find C:\WINDOWS\assembly\temp\waveip.dll
  • Right click on that entry and select Unload DLL
  • You will now lose your Start Bar and Desktop Icons. This is normal.
  • Leave Advanced Process Manipulation open
Go back to Process Explorer window.
  • Click File > Run
  • In the run box type regedit.exe /s C:\vundoh.reg
Back in Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\system32\winlogon.exe
  • Click on the entry and that will display a list of files in the second window.
  • Scroll down the list in the second window and find C:\WINDOWS\assembly\temp\waveip.dll
  • Right click on that entry and select Unload DLL
  • You will have to click OK about six times
In HijackThis click Fix checked. You will be prompted you are about to remove a BHO. That's what you want.

Now back in Process Explorer.
  • Find winlogon.exe again.
  • Right click on winlogon.exe and select Resume
  • This should reboot your computer automatically.
After the reboot copy the code below into notepad and save it as findtheother.bat

echo ** This batch was originally written by OSC **
cd C:\WINDOWS\assembly\temp
if exist C:\contents.txt del C:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the hidden files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:h >> c:\contents.txt
echo ************************************>> C:\contents.txt
echo **These are the system files found**>> C:\contents.txt
echo ************************************>> C:\contents.txt
dir /a:s >> C:\contents.txt
attrib /d /s -s -r -h -a
start notepad c:\contents.txt
exit


Then doubleclick that file and when it is done it will open a text file showing all hidden and system files in that folder. Post the contents of that file in a reply to this thread.

Post back with a fresh HiajackThis log once completed!
  • 0

#12
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Are we having fun yet??

That was rather scary - on the reboot I got a fatal system error and had to use the off switch. Was that supposed to happen?

Anyway, here's the findtheother results:

************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly\temp

06/07/2005 18:34 605,991 pievaw.ini
27/06/2005 11:56 601,901 pievaw.ini2
20/04/2005 23:09 419,348 waveip.dll
3 File(s) 1,627,240 bytes
0 Dir(s) 87,013,015,552 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is 48D8-FCD9

Directory of C:\WINDOWS\assembly\temp

06/07/2005 18:34 605,991 pievaw.ini
27/06/2005 11:56 601,901 pievaw.ini2
20/04/2005 23:09 419,348 waveip.dll
3 File(s) 1,627,240 bytes
0 Dir(s) 87,013,011,456 bytes free


And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:50:16, on 06/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\BT Yahoo! Help\bin\mpbtn.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thisislondon.co.uk/news
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTYAHO~3\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: BT Yahoo! Help.lnk = C:\Program Files\BT Yahoo! Help\bin\matcli.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...84/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson...rg/ESTPTest.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,21/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btop...bcontrol012.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8DB783A-7807-4EA2-899E-3BC599D905FD}: NameServer = 194.74.65.68 194.72.9.39
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Looks much better!

Go to this location please

C:\WINDOWS\assembly\temp

Open that Temp folder and Delete

pievaw.ini

pievaw.ini2

waveip.dll


Empty the Recycle Bin and Restart the PC!

Lets get the PC Scanned here and see if any trash is left laying around!
http://www.pandasoft...n_principal.htm

Save the Report it Generates and Post them along with a fresh HijackThis Log!
  • 0

#14
nigellajune

nigellajune

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I've not got a lot done today with all that's been going on here.

I can't see the temp folder so wasn't able to delete those files.

Ran the Panda scan anyway and threw up a whole new bunch of stuff as well as an old friend:


Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Niki's\Favorites\Health
Spyware:Spyware/Virtumonde No disinfected Windows Registry
Virus:Exploit/CodeBase.S No disinfected C:\dieter.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\dieter.chm[htm2chm_explorer]
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Replacement feature article\Switzerland favourite.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Re: Iglu features\Aspen - Millennium.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Articles attached this time!\Woodland skiing for weather.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Articles attached this time!\Utah the best bet in the US.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Iglu news articles\Whistler gets 2 new quads.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Iglu news articles\Nauders - 8-seater.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Iglu news articles\Aspen - Millennium.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\booking form translation\BookingformV2.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Translations of the legal stuff\SecurityV1.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\bookingpage translation final\BookingformV2.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\Fw: bookingpage translation final\BookingformV2.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Old Iglu\feedback from emmanuelle\Niki.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Translations\Trans to Matt\Fw: bookingpage translation final\BookingformV2.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Translations\Trans to Matt\FYI Fw: booking form translation\BookingformV2.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Translations\Trans to Matt\German changes from lawyers\SecurityV1.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Translations\Iggy's Iglu game - french translation\Iggy's iglu F.doc
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\Partners\France Telecom\France Telecom\France Telecom.doc
Virus:JS/Kak.Worm Disinfected Personal Folders\Inbox\Iglu\2001 Staff\FW: Production Managers\MSG_RTF.TXT
Virus:W97M/Story.A Disinfected Personal Folders\Inbox\Iglu\FW: \New competition - France.doc
Spyware:Spyware/Virtumonde No disinfected C:\Program Files\HJT\hijackthis\backups\backup-20050706-183824-796.dll
Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\assembly\temp\waveip.dll

I'm going to reboot now then run Panda and HJT again.
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Run the Regedit that Metallica made for this but this time we will merge it manually!


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\waveip]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400

Just Open a Blank Notepad,Copy&Paste the above text into the Notepad page just as it appears here

Click File>> Save>> Go down to Save As Type and Make it "All Files"

Give it this name vundoh.reg

Double Click vundoh.reg

Open up HijackThis and Click Config>> Misc Tools>> Delete a File on Reboot and use the little explorer window to locate

C:\WINDOWS\assembly\temp\waveip.dll

Once you double click that file>> Click Yes to reboot

Once thats done,Post a fresh HijackThis log and anymore results from Panda
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP