Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Explorer & IE Crippled...Help! [RESOLVED]

Started by cosmidnight , Jul 03 2005 01:23 PM

This topic is locked

#31
Michelle

Posted 23 July 2005 - 10:07 AM

Malware Removal Goddess

Retired Staff
8,928 posts

It's looking much better! :tazz:

Run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [ntub32.exe] C:\WINNT\ntub32.exe
O4 - HKLM\..\Run: [netmz32.exe] C:\WINNT\system32\netmz32.exe
O4 - HKLM\..\Run: [ietc32.exe] C:\WINNT\ietc32.exe

Close HiJackThis. Delete the following files:

C:\WINNT\ntub32.exe
C:\WINNT\system32\netmz32.exe
C:\WINNT\ietc32.exe

Please download Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:

Reboot into Safe Mode, you can do this by restarting your computer, then contiunally tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Now open Ewido Security Suite.
Click on scanner
Click Complete System Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

Reboot into normal mode.

I need you to post the log from Ewido and a new HiJackThis log.

#32
cosmidnight

Posted 24 July 2005 - 09:34 AM

Member

Topic Starter
Member
24 posts

Hi again,
Here is the Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:54:29, 24/07/2005
+ Report-Checksum: E46D45E0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9E590345-2CAF-3710-CEAE-2B56767589B6} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C69CDB11-E654-F1B7-D3C1-E67DFB32D233} -> Spyware.LZIO : Cleaned with backup
HKU\S-1-5-21-1844237615-842925246-1202660629-1000\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1844237615-842925246-1202660629-1000\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
:mozilla.7:C:\Documents and Settings\O'Sullivan\Application Data\Mozilla\Firefox\Profiles\rkg8wvs7.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\system32\winje.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:bmwlwi -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:gjbjv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_default.pif:gvzcms -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:iqzozu -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:jkvfa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_default.pif:kjadzb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\_default.pif:leufoi -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\_default.pif:loztls -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:lqywxh -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\_default.pif:mmydq -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:mrkhdh -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:nuhwsi -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:rdeus -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:rvzndu -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:ryedxw -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\_default.pif:sngnji -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:uoeczx -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:uqscbx -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_default.pif:vkdwvo -> Trojan.Agent.em : Cleaned with backup
C:\WINNT\_default.pif:wgxqld -> TrojanDownloader.Agent.oq : Cleaned with backup
C:\WINNT\_default.pif:wsjguu -> TrojanDownloader.Agent.oq : Cleaned with backup

::Report End

and the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 16:17:06, on 24/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

Talk soon,
Colm

#33
Michelle

Posted 24 July 2005 - 01:08 PM

Malware Removal Goddess

Retired Staff
8,928 posts

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#34
cosmidnight

Posted 25 July 2005 - 05:37 AM

Member

Topic Starter
Member
24 posts

Hello again, :tazz:

I must say I'm feeling much better about this computer again thanks to you!!

Here's the log from Spy Sweeper

********
12:12: |··· Start of Session, 25 July 2005 ···|
12:12: Spy Sweeper started
12:12: Sweep initiated using definitions version 505
12:13: Starting Memory Sweep
12:24: Memory Sweep Complete, Elapsed Time: 00:11:03
12:24: Starting Registry Sweep
12:25: Found Adware: multidial
12:25: HKCR\dialerr.dialerr\ (3 subtraces) (ID = 4396491)
12:25: HKLM\software\classes\dialerr.dialerr\ (3 subtraces) (ID = 4396502)
12:25: Found Trojan Horse: trojan-downloader-wareout
12:25: HKU\S-1-5-21-1844237615-842925246-1202660629-1000\software\microsoft\internet explorer\extensions\cmdmapping\ || {bf69df00-2734-477f-8257-27cd04f88779} (ID = 4406439)
12:25: Registry Sweep Complete, Elapsed Time:00:01:05
12:25: Starting Cookie Sweep
12:25: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:25: Starting File Sweep
12:27: Found Adware: cws_hotoffers_desktophijacker
12:27: wp.vir (ID = 4097217)
12:32: Warning: Failed to read file "c:\documents and settings\o'sullivan\local settings\temp\~df62fd.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:32: Warning: Failed to read file "c:\documents and settings\o'sullivan\local settings\temp\~df31d8.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
12:32: File Sweep Complete, Elapsed Time: 00:06:45
12:32: Full Sweep has completed. Elapsed time 00:19:33
12:32: Traces Found: 10
12:34: Removal process initiated
12:34: Quarantining All Traces: multidial
12:34: Quarantining All Traces: trojan-downloader-wareout
12:34: Quarantining All Traces: cws_hotoffers_desktophijacker
12:34: Removal process completed. Elapsed time 00:00:20
********
11:56: |··· Start of Session, 25 July 2005 ···|
11:56: Spy Sweeper started
11:58: Messenger service has been disabled.
12:08: Updating spyware definitions
12:11: Your spyware definitions have been updated.
12:12: |··· End of Session, 25 July 2005 ···|

Back soon,
Colm

#35
Michelle

Posted 25 July 2005 - 11:04 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Then see if you can find this file:

c:\documents and settings\o'sullivan\local settings\temp\~df62fd.tmp

If found, delete it - although it should be gone.

Post another HiJackThis log for me and let me know any other problems you're having!

#36
cosmidnight

Posted 26 July 2005 - 03:49 AM

Member

Topic Starter
Member
24 posts

Hi,

here is the log

Logfile of HijackThis v1.99.1
Scan saved at 10:42:36, on 26/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Otherwise the system seems to behaving itself well! :tazz:

AntiVir Guard hasn't found anything odd since I ran ewido and although I can't seem to access Windows Update(probably because of my shyness towards cookies!) I'm sure that will right itself...

I am wondering about this HJT entry
"O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx"

I just don't understand what it is although I'm using Firefox as my default bowser(Should I still update IE or is it not a problem if I'm not using it?)

Have I mentioned how great you are lately?!

Colm

#37
Michelle

Posted 26 July 2005 - 11:30 AM

Malware Removal Goddess

Retired Staff
8,928 posts

msdxm.ocx - ActiveX control used by internet explorer to integrate things like audio and video and playing it in the Windows Media Player.

Nothing to worry about :tazz:

Run HiJackThis. Place a check next to the following item and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110

Close HiJackThis.

Reboot and post a new HiJackThis log.

What kind of problem is it that you're having when you try to get windows updates? Some kind of error message or what's going on with that?

#38
Michelle

Posted 28 July 2005 - 09:55 PM

Malware Removal Goddess

Retired Staff
8,928 posts

I haven't heard from you in a couple of days, you need prevention programs otherwise you're going to be back shortly with an infected system again...

I need to see a new HiJackThis log to see if that O17 is still there.

#39
cosmidnight

Posted 29 July 2005 - 03:44 AM

Member

Topic Starter
Member
24 posts

Hello again,

Sorry I've taken so long but I was called away for a few days, don't worry I understand the inportance of all this and really appreciate all the help you've given me.

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:53, on 29/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

As you can see that line is still there...

As for the Windows Update, it prompted me to update my update software but when I do it tells me that the files required to use Windows Update are no longer installed or registered on my computer, I followed the recommended steps but it came up with the same problem again... I did install updates already so this is a new problem and none of their other advice seems to be relevant(surprise!)

Thanks again,
Colm

#40
cosmidnight

Posted 29 July 2005 - 10:06 AM

Member

Topic Starter
Member
24 posts

PLEASE DISREGARD THIS MESSAGE

Me again,

Feeling slightly confused now! :tazz:

I ran HJT again to retry fixing that line and when it came up it wasn't there anymore!
I hadn't rebooted so I'm not sure what I did(or if I did anything) because I'm convinced I posted the right logfile for you!

Anyway, here's the new one

Logfile of HijackThis v1.99.1
Scan saved at 10:37:53, on 29/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[B]And now it's back for some reason! Sorry about that...

Bye for now,
Colm

Edited by cosmidnight, 29 July 2005 - 10:12 AM.

#41
Michelle

Posted 29 July 2005 - 10:39 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Well, it's is there so you need to put a check next to it and click FIX CHECKED:

O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110

Close HiJackThis.

Reboot and post a new HiJackThis log.

If it's still there, then we will do something else.

Will you post a new Silent Runner's log too, please?

#42
cosmidnight

Posted 01 August 2005 - 09:57 AM

Member

Topic Starter
Member
24 posts

Sorry but I again seem to have been too vague in my explanation of what happened!!

I did run HJT and removed that line, it had then reoccurred but seemed to vanish when I did a logfile to post(I think I may have deleted again without re-booting thinking about it now) which caused all the confusion(in my head at least :tazz:

) that led to the post I put up last and which caused me to edit it later when I saw the results of the scan again!

Sorry again

Now here is my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 15:54:04, on 01/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

and my Silent Runners...

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Microsoft Works Portfolio" = "C:\Program Files\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"WorksFUD" = "C:\Program Files\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"ChangeICON" = "C:\WINNT\SPMSMON.EXE" [null data]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer Access"
\StubPath = ""C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssmarque.scr" [MS]

Startup items in "O'Sullivan" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""C:\Program Files\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 37 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 29 seconds.
---------- (total run time: 143 seconds)

Thanks again
Colm

#43
Michelle

Posted 01 August 2005 - 10:02 AM

Malware Removal Goddess

Retired Staff
8,928 posts

Ths Silent Runner's log looks good :tazz:

Did you fix that O17 in HIJackThis then reboot before rescanning with HiJackThis and posting a log this last time?

#44
cosmidnight

Posted 02 August 2005 - 10:48 AM

Member

Topic Starter
Member
24 posts

Thanks again!

This is what was causing my confusion the last time with the strange message, I did reboot the system and it wasn't there but now that I've rebooted the system a second time it has reoccurred on Hijack This again :tazz:

!!!!

Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 17:43:19, on 02/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O17 - HKLM\System\CCS\Services\Tcpip\..\{EBA3B090-611D-461A-929D-286702B1609E}: NameServer = 69.50.176.196 195.225.176.110
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks again,
Colm

#45
cosmidnight

Posted 02 August 2005 - 11:02 AM

Member

Topic Starter
Member
24 posts

And now I've followed your steps again, rebooted and it's gone again :tazz:

Hope it stays gone this time!

Logfile of HijackThis v1.99.1
Scan saved at 18:01:17, on 02/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\SPMSMON.EXE
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Colm's AV Files\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINNT\SPMSMON.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122369078475
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Talk soon,
Colm