Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help! Loads of Pop Ups and Virus Alerts inc Spyware


  • Please log in to reply

#1
pingu27

pingu27

    Member

  • Member
  • PipPip
  • 14 posts
Hi

I hope someone can help me as I have been now trying to sort this for 3 days and have only just today come across your site today. I have been experiencing loads of pop ups informing me I have spyware installed on my system, it seems to have now taken over Internet Explorer and as many scans as I have been trying whatever it is keeps coming back - to be honest I now haven't a clue what to do!

I have run all the prepartion tasks as requested and although it seemed to remove a lot of threats etc they just seem to come back. (Internet Explorer now does not work at all and I have to access the internet through BT Yahoo!)

Here is a copy of my Hijack Log (followed by the Ewido report):

Logfile of HijackThis v1.99.1
Scan saved at 17:40:49, on 23/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rach\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Rach\LOCALS~1\Temp\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {816BD0AB-1359-408A-9594-7CB7F2CF9215} - C:\WINDOWS\System32\nlcf.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Rach\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [narkwk] C:\WINDOWS\System32\narkwk.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129812282763
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.bro...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{819B6FA9-21E8-4E72-BDCD-C827B2388305}: NameServer = 194.74.65.68 194.72.9.34
O18 - Filter: text/html - {4D6101A6-AB56-48D4-BE5B-F9A6611DF701} - C:\WINDOWS\System32\nlcf.dll
O18 - Filter: text/plain - {4D6101A6-AB56-48D4-BE5B-F9A6611DF701} - C:\WINDOWS\System32\nlcf.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


and the Ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:31:12, 23/10/2005
+ Report-Checksum: 9515E339

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\\ -> TrojanSpy.PerfectKeylogger : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1014.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1014.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall -> Spyware.CoolWebSearch : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -> Spyware.Antispykeylog : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-643571872-3238835185-2771580065-1007\Software\GIANTCompany\AntiSpyware\Alerts\2B319740-5E94-4AC4-A2FA-56B47B\\RegistryKey -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-643571872-3238835185-2771580065-1007\Software\GIANTCompany\AntiSpyware\Alerts\7F81E10B-EF94-4838-B65F-27A134\\RegistryKey -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-643571872-3238835185-2771580065-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-21-643571872-3238835185-2771580065-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} -> Spyware.Antispykeylog : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
[516] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[540] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[584] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[596] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[736] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[796] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[836] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[876] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[928] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1088] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1112] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1120] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1300] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1324] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1364] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1520] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1556] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1624] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1868] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[324] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1540] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1664] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1640] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1820] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1944] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1980] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[1992] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2016] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2092] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2228] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2420] C:\WINDOWS\System32\narkwk.exe -> TrojanSpy.VB.eh : Cleaned with backup
[2456] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2472] C:\WINDOWS\System32\narkwk.exe -> TrojanSpy.VB.eh : Error during cleaning
[2488] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2532] C:\WINDOWS\System32\kwk_32.exe -> TrojanSpy.Agent.gk : Cleaned with backup
[2720] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2756] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2856] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[2880] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[3188] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
[3212] C:\WINDOWS\System32\kwk_32.dll -> TrojanSpy.Agent.gk : Error during cleaning
C:\Documents and Settings\Luis\Local Settings\Temporary Internet Files\Content.IE5\IR6F2GAI\exitpoplight[1].htm -> Trojan.NoClose.i : Cleaned with backup
C:\Documents and Settings\Rach\Cookies\rach@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Rach\Cookies\rach@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Rach\Cookies\rach@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Rach\Cookies\rach@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temp\Cookies\rach@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4khdpsdpgmdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temp\ei.exe.tcf -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temp\jnnf.exe.tcf -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temp\phnh.exe.tcf -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temporary Internet Files\Content.IE5\85INW12V\ei[1].exe.tcf -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temporary Internet Files\Content.IE5\LGKRDLC5\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\Rach\Local Settings\Temporary Internet Files\Content.IE5\OTUFK5EN\wbk244.tmp -> TrojanDropper.Zerolin : Cleaned with backup
C:\Documents and Settings\Will\Cookies\will@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Program Files\E2G\IeBHOs.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\1468C2F5-D806-4559-80D5-0C41FA\33D04B22-1AD9-4A53-B601-B04DD8 -> Spyware.E2Give : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\46E18FB0-DC0C-41DE-BA5F-449E96\829EEFA4-8510-4D92-8112-BE6AC1 -> Spyware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000003.dll -> Spyware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000304.exe -> TrojanSpy.Perfectkeylogger.153 : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000305.dll -> Not-A-Virus.Monitor.Perflogger.i : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000306.exe.tcf -> TrojanSpy.Agent.f : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000307.exe.tcf -> TrojanSpy.Agent.f : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000308.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\btwebcontrol.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwk_32.exe -> TrojanSpy.Agent.gk : Cleaned with backup
C:\WINDOWS\SYSTEM32\narkwk.exe -> TrojanSpy.VB.eh : Cleaned with backup
C:\WINDOWS\SYSTEM32\__delete_on_reboot__kwk_32.dll -> TrojanSpy.Agent.gk : Cleaned with backup


::Report End

Please help!!
  • 0

Advertisements


#2
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

Danny :tazz:
  • 0

#3
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi - I am just going through the process you gave me but the CWShredder has saved to my desktop fine but once I press run that is all it does until I go to shut the computer doen and then it comes up as an unresponsive programme.

Should I just run all the other programmes but skip this one out?
  • 0

#4
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
What do you mean? Is it just closing, or doing nothing when you hit "Fix"?
  • 0

#5
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi

It downloads to the desktop and then once I double click the icon it gives me the option to either Run or Cancel so I press Run and then that is it, it closes and does nothing - I don't even get to the fix stage. Then when i come to shut the whole computer down it comes up as an unresponsive programme in a blue box and gives you the choice to either cancel and return to the desktop or end programme.
  • 0

#6
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi again

I have worked through your list and after I had run the about:buster scan the CWShredder programme seemed to work fine so I updated it and ran that.

Here is what happened:

about:buster

That ran fine and came up that it found nothing. I still ran this twice as requested.

CWShredder

That removed a file called CWS:HiddenDII and once it had found it the programme made me reboot the system and then run the programme again which I did.

SpSeHjfix

Please find results below:


(10/27/05 15:46:20) SPSeHjFix started v1.1.2
(10/27/05 15:46:20) OS: WinXP Service Pack 2 (5.1.2600)
(10/27/05 15:46:20) Language: english
(10/27/05 15:46:20) Win-Path: C:\WINDOWS
(10/27/05 15:46:20) System-Path: C:\WINDOWS\system32
(10/27/05 15:46:20) Temp-Path: C:\DOCUME~1\Rach\LOCALS~1\Temp\


(10/27/05 15:49:03) SPSeHjFix started v1.1.2
(10/27/05 15:49:03) OS: WinXP Service Pack 2 (5.1.2600)
(10/27/05 15:49:03) Language: english
(10/27/05 15:49:03) Win-Path: C:\WINDOWS
(10/27/05 15:49:03) System-Path: C:\WINDOWS\system32
(10/27/05 15:49:03) Temp-Path: C:\DOCUME~1\Rach\LOCALS~1\Temp\
(10/27/05 15:49:13) Disinfection started
(10/27/05 15:49:13) Bad-Dll(IEP): c:\docume~1\rach\locals~1\temp\se.dll
(10/27/05 15:49:13) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\nlcf.dll
(10/27/05 15:49:13) Searchassistant Uninstaller - Keys Deleted
(10/27/05 15:49:13) UBF: 6 - UBB: 5 - UBR: 15
(10/27/05 15:49:13) FilterKey: HKCR\text/html (deleted)
(10/27/05 15:49:13) FilterKey: HKCR\CLSID\{F1876955-C855-4899-B5F8-B7A352A2E7D9} (deleted)
(10/27/05 15:49:13) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(10/27/05 15:49:13) FilterKey: HKCR\text/plain (deleted)
(10/27/05 15:49:13) FilterKey: HKCR\CLSID\{F1876955-C855-4899-B5F8-B7A352A2E7D9} (error while deleting)
(10/27/05 15:49:13) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(10/27/05 15:49:13) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A68332BA-8789-476E-8645-62BA4B93AB79} (deleted)
(10/27/05 15:49:13) BHO-Key: HKCR\CLSID\{A68332BA-8789-476E-8645-62BA4B93AB79} (deleted)
(10/27/05 15:49:13) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\Rach\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(10/27/05 15:49:13) UBF: 4 - UBB: 4 - UBR: 14
(10/27/05 15:49:13) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\rach\locals~1\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\rach\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(10/27/05 15:49:13) Stealth-String not found
(10/27/05 15:49:13) File added to delete: c:\windows\system32\nlcf.dll
(10/27/05 15:49:13) File added to delete: c:\docume~1\rach\locals~1\temp\se.dll
(10/27/05 15:49:13) Reboot


(10/27/05 15:50:31) SPSeHjFix started v1.1.2
(10/27/05 15:50:31) OS: WinXP Service Pack 2 (5.1.2600)
(10/27/05 15:50:31) Language: english
(10/27/05 15:50:31) Win-Path: C:\WINDOWS
(10/27/05 15:50:31) System-Path: C:\WINDOWS\system32
(10/27/05 15:50:31) Temp-Path: C:\DOCUME~1\Rach\LOCALS~1\Temp\
(10/27/05 15:50:45) Disinfection started
(10/27/05 15:50:45) Bad-Dll(IEP): (not found)
(10/27/05 15:50:45) Bad-Dll(IEP) in BHO: (not found)
(10/27/05 15:50:45) UBF: 4 - UBB: 4 - UBR: 14
(10/27/05 15:50:45) UBF: 4 - UBB: 4 - UBR: 14
(10/27/05 15:50:45) Bad IE-pages: (none)
(10/27/05 15:50:45) Stealth-String not found
(10/27/05 15:50:45) Not infected->END


CleanUp!

This ran fine

I then did a Kaspersky Online Scan - I did 3 of these as I was not sure which one to do so I have posted all 3 reports below (It was the top 3 options in the list)

KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 16:49:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Rach\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 27757
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 1155 sec

No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.


Scan 2

KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 17:31:50
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 55273
Number of viruses found 6
Number of infected objects 30
Number of suspicious objects 0
Duration of the scan process 2266 sec

Infected Object Name Virus Name
C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\My Documents\Runebot.exe/rinst.exe Infected: Trojan-Spy.Win32.Agent.f

C:\Documents and Settings\Rach\My Documents\Runebot.exe Infected: Trojan-Spy.Win32.Agent.f

C:\Program Files\Microsoft AntiSpyware\Quarantine\1C9E2EEE-057B-49A8-8EA7-4D9516\1B384F0E-F532-45F2-8694-1AF1C0 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\21E44B3E-DFAA-49BE-9666-7482B6\C59EC601-253D-4424-9C9C-417693 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\23DC50DF-6D4A-46D3-A3ED-3052CA\8AD5180B-4CA0-409C-B85B-25ACF2 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\268D7B50-A562-4F1A-9EB3-847791\4711B4F0-5E64-4C54-83B2-A9F50C Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\29227F86-8094-4553-861B-6D1BCA\A67DF482-E304-463F-ACDC-AF5F94 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\29A561AF-A684-44B4-B6FB-91F17D\66E7AD07-E979-4FA9-A576-770864 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\3035D9E8-4C63-48DA-839F-75477E\350FB631-9EF9-4ABB-B2F7-AC307D Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\3D291D41-C456-480C-A72E-EE3868\BC49FC4A-0A79-413D-88D6-08607F Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\465D429C-2C0B-40BC-8551-7E0F21\84E4D32D-A0E9-4F7E-B67A-0B344C Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\53F6E829-405A-4CA2-8952-72D758\A89DBA55-368D-4C9C-A266-FBCF67 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\5556685A-B255-41C2-9D36-68E2AE\9742C6C4-9A45-4AE1-BAF2-48FF95 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\888E8DBB-8793-494F-8073-6A6EB3\AA09BB4A-3F18-4706-807C-9B6FA9 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\B1D1DCED-6FAA-4DFD-8040-07B721\0C2A89E9-AF74-40CC-A25C-35B6C1 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\BC9E0397-FA1A-4621-99A0-D41167\CCBEEF30-9F57-40F0-A5E9-02DBEF Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\CFAB5011-8BC2-4E7C-889B-A9AB54\270606BE-2F08-4D06-846F-57AACD Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Norton AntiVirus\Quarantine\7CFC2B9F.dll Infected: Trojan.Win32.StartPage.uz

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000336.dll Infected: Trojan-Spy.Win32.Agent.gk

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000337.exe Infected: Trojan-Spy.Win32.VB.eh

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000338.exe Infected: Trojan.Win32.Delf.og

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000356.exe/rinst.exe Infected: Trojan-Spy.Win32.Agent.f

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000356.exe Infected: Trojan-Spy.Win32.Agent.f

Scan process completed.


Scan 3

KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 17:36:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Email
C:\

Scan Statistics
Total number of scanned objects 74
Number of viruses found 1
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 106 sec

Infected Object Name Virus Name
C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.hs

Scan process completed.


I then did another HiJack this report:

Logfile of HijackThis v1.99.1
Scan saved at 17:38:37, on 27/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [narkwk] C:\WINDOWS\System32\narkwk.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129812282763
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.bro...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{819B6FA9-21E8-4E72-BDCD-C827B2388305}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

My system seems to have less pop ups now but Internet Explorer does not work at all it just wants to send an error message to Microsoft. I am not sure if this is related or whether it just needs reinstalling but I though I would just leave it for now until the first problem is fixed!

Thanks or your help in advance

Rachael
  • 0

#7
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hmm...

Download the newer version here: http://www.trendmicr.../cwshredder.exe

If it doesn't work, download http://www.safer-net...es/delcwssk.zip, and run it.

This should make it work.

Danny
  • 0

#8
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi

I got the CWShredder towork yesterday evening before I posted the log reports. It worked once the about:buster thing had run.

I then followed all your instructions and posted the log reports above.

What do i need to do now as the final KASPERSKY ON-LINE SCANNER REPORT picked up a couple more virus's but did not delete them just printed the report.

Cheers

Rachael
  • 0

#9
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi

Just wondering whether you had any idea what I should do now with regards to this virus thing as the scans you asked me to run were still picking up virus's and I daren't use that computer?

Cheers

Rachael
  • 0

#10
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Can you post a new HijackThis log as well as the Kaspersky scan results?

Thanks,

Danny :tazz:
  • 0

Advertisements


#11
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi

Here is the new Hijack This result:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:14, on 31/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [narkwk] C:\WINDOWS\System32\narkwk.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129812282763
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.bro...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


And the Kaspersky scan results are as follows (I did 3 as i was not sure which option to go for:

KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 16:49:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\Rach\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 27757
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 1155 sec

No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.


KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 17:31:50
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 55273
Number of viruses found 6
Number of infected objects 30
Number of suspicious objects 0
Duration of the scan process 2266 sec

Infected Object Name Virus Name
C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\My Documents\Runebot.exe/rinst.exe Infected: Trojan-Spy.Win32.Agent.f

C:\Documents and Settings\Rach\My Documents\Runebot.exe Infected: Trojan-Spy.Win32.Agent.f

C:\Program Files\Microsoft AntiSpyware\Quarantine\1C9E2EEE-057B-49A8-8EA7-4D9516\1B384F0E-F532-45F2-8694-1AF1C0 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\21E44B3E-DFAA-49BE-9666-7482B6\C59EC601-253D-4424-9C9C-417693 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\23DC50DF-6D4A-46D3-A3ED-3052CA\8AD5180B-4CA0-409C-B85B-25ACF2 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\268D7B50-A562-4F1A-9EB3-847791\4711B4F0-5E64-4C54-83B2-A9F50C Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\29227F86-8094-4553-861B-6D1BCA\A67DF482-E304-463F-ACDC-AF5F94 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\29A561AF-A684-44B4-B6FB-91F17D\66E7AD07-E979-4FA9-A576-770864 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\3035D9E8-4C63-48DA-839F-75477E\350FB631-9EF9-4ABB-B2F7-AC307D Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\3D291D41-C456-480C-A72E-EE3868\BC49FC4A-0A79-413D-88D6-08607F Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\465D429C-2C0B-40BC-8551-7E0F21\84E4D32D-A0E9-4F7E-B67A-0B344C Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\53F6E829-405A-4CA2-8952-72D758\A89DBA55-368D-4C9C-A266-FBCF67 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\5556685A-B255-41C2-9D36-68E2AE\9742C6C4-9A45-4AE1-BAF2-48FF95 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\888E8DBB-8793-494F-8073-6A6EB3\AA09BB4A-3F18-4706-807C-9B6FA9 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\B1D1DCED-6FAA-4DFD-8040-07B721\0C2A89E9-AF74-40CC-A25C-35B6C1 Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\BC9E0397-FA1A-4621-99A0-D41167\CCBEEF30-9F57-40F0-A5E9-02DBEF Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Microsoft AntiSpyware\Quarantine\CFAB5011-8BC2-4E7C-889B-A9AB54\270606BE-2F08-4D06-846F-57AACD Infected: Trojan.Win32.StartPage.uz

C:\Program Files\Norton AntiVirus\Quarantine\7CFC2B9F.dll Infected: Trojan.Win32.StartPage.uz

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000336.dll Infected: Trojan-Spy.Win32.Agent.gk

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000337.exe Infected: Trojan-Spy.Win32.VB.eh

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000338.exe Infected: Trojan.Win32.Delf.og

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000356.exe/rinst.exe Infected: Trojan-Spy.Win32.Agent.f

C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP1\A0000356.exe Infected: Trojan-Spy.Win32.Agent.f

Scan process completed.


KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 17:36:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 147144


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Email
C:\

Scan Statistics
Total number of scanned objects 74
Number of viruses found 1
Number of infected objects 7
Number of suspicious objects 0
Duration of the scan process 106 sec

Infected Object Name Virus Name
C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Wed, 12 Jan 2005 15:53:24 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax ][Date Mon, 17 Jan 2005 13:34:38 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx/[From Halifax bank ][Date Sun, 20 Feb 2005 20:02:26 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.hs

C:\Documents and Settings\Rach\Local Settings\Application Data\Identities\{6F5E1AAE-7366-4A77-9CE8-33959940A005}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bankfraud.hs

Scan process completed.


Thanks

Rachael
  • 0

#12
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Open HijackThis, click the "Scan" button, and check the following items (If present):


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKCU\..\Run: [narkwk] C:\WINDOWS\System32\narkwk.exe


Close all windows except HijackThis, and click the "Fix Checked" button.

Next, please enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Locate the following files and delete them:

C:\Documents and Settings\Rach\My Documents\Runebot.exe
C:\WINDOWS\System32\narkwk.exe

Reboot and post a new log.

Danny :tazz:
  • 0

#13
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi

I have run and deleted the bits you said but could not find the folder:

C:\WINDOWS\System32\narkwk.exe

Please find below a new HJT report

Logfile of HijackThis v1.99.1
Scan saved at 13:47:53, on 31/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c..._1/yregucfg.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.../UK/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1129812282763
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://downloads.bro...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE


Thanks for your help

Rachael
  • 0

#14
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
How is your computer acting? Any more problems?

Danny :tazz:
  • 0

#15
pingu27

pingu27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Its looking good! I will run it normally for a while as I have only just logged back onto it and get back to you shortly!

Rachael
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP