Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Regenerating files - possible malware?

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
I have a process that continues to start itself up and I have a few files which seem to regerate themselves. I don't recognize the filenames and it just seems a bit too suspicious to me.

I was wondering if anyone could give me a hand in diagnosing this possible problem.
Big thanks in advance.

the files that keep coming back are:

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:46:09 AM, on 7/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Iomega\REV System Software\RevUDF.exe
C:\Program Files\WinGate\WinGate.exe
C:\Program Files\Iomega\REV System Software\imiconxp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinGate\wgengmon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\administrator\Application Data\Mozilla\Profiles\default\isdrxxav.slt\prefs.js)
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Iomega ImIconXP] C:\Program Files\Iomega\REV System Software\imiconxp.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\joloaq.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinGate Engine Monitor.lnk = C:\Program Files\WinGate\wgengmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/...dy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab32846.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/...an.cab36900.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NORTH
O17 - HKLM\System\CCS\Services\Tcpip\..\{52E0DFAC-03FE-4452-90C8-70816989AD49}: Domain = NORTH
O17 - HKLM\System\CCS\Services\Tcpip\..\{52E0DFAC-03FE-4452-90C8-70816989AD49}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBD12EB2-D5B5-4A97-BB5A-893FF5131FB3}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NORTH
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NORTH
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Site Server ILS Service (LDAPSVCX) - Unknown owner - C:\WINNT\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: MDaemon - Alt-N Technologies, Ltd. - C:\MDaemon\APP\MDAEMON.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: RevUDFService - Iomega Corp - C:\Program Files\Iomega\REV System Software\RevUDF.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Qbik WinGate Engine (WinGateEngine) - Qbik Software NZ Ltd - C:\Program Files\WinGate\WinGate.exe

Edited by rickberes, 20 July 2005 - 11:06 AM.

  • 0




    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi rickberes and Welcome to GeekstoGo!

Please Download the MWAV Scanner from Here

Unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update!

If you it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded Successfully"

Please Press Enter to Continue and Close the Scanner for now!

Please download the trial version of Ewido Security Suite here:

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download and Install
Dont use it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:

Look in the Kaspersky Folder and locate and Double Click "mwavscan.com" to Run the MWAV Scanner-> Put a tick in "Drive"-> Put a tick in "Scan All Files" Click "Scan Clean" to begin!

This Scan will take Several Hours or more to Complete,Depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

Once the Scan has finished,All entries Identified as Infected will displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it!

Post those results back here!

Open and Run CleanUp!-> Click the Cleanup Button to begin-> Once Completed-> Click "Close"-> Click "NO" to Log Off!

Lastly,Open Ewido Security Suite-> Click "Scan the Entire System" Scan Button!

Clean everything it finds and Be sure to Click the Button to Save a Report!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates

Post back with a fresh HijackThis log and the reports from-> MWAV scan-> Ewido and Panda!
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP