Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PSGuard, Proxy-Spamlay and mcls.exe problems [RESOLVED]


  • This topic is locked This topic is locked

#1
GraemeJ

GraemeJ

    Member

  • Member
  • PipPip
  • 16 posts
I have various problems after visiting a website called KeyGen.
I got various problems with my screen (going black, saying I had an infection etc) and system crashing and being very slow.
Got advice to install VirusScan and Microsoft Spyware, but they deleted a virus called Proxy-Spamlay that keeps coming back.
Have followed all the suggestions in page saying 'What to do first' i.e. Trojan hunter, Ewido, etc, but system still incredibly slow - shows CPU usage as 100% percent. Also keep getting Message from Antispyware about Proxy-Spamlay being found and deleted.
Seems I may have removed PSGuard via Ad-aware, but maybe not!

My HI-Jack this log is below


Logfile of HijackThis v1.99.1
Scan saved at 13:19:42, on 08/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\tlpnkaaa.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\SERVICES.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\u-storage tools\ustorage.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINNT\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\DOCUMENTS AND SETTINGS\GRAEME.JEFFS\DESKTOP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
F3 - REG:win.ini: run=C:\WINNT\inet20088\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CD-Eject Launcher V1] "C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0731104E-6ABC-42BA-90B7-5FD7DBA414A2} - http://www.fusionone...8/0/install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130879403201
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AB82CD5-7218-4170-9FC5-062C94797B91}: NameServer = 172.29.129.11 172.29.129.11
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINNT\System32\eppkpqfh.dll (file missing)
O21 - SSODL: IEFilter - {92EB071C-0512-403D-8827-0562415DCFAC} - C:\WINNT\system32\IEFilter.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Service - Unknown owner - C:\WINNT\System32\Service.exe (file missing)

Any help gratefully received!
  • 0

Advertisements


#2
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello GraemeJ and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled) then click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.

Please also disable Ewido from running for the same reason. Open Ewido and remove the guard option.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

To start please download the following programme, we will run it later. Please save it to a place that you will remember, I suggest the Desktop:

CCleaner

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: run=C:\WINNT\inet20088\services.exe
O21 - SSODL: SysTray.Excn - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINNT\System32\eppkpqfh.dll (file missing)
O21 - SSODL: IEFilter - {92EB071C-0512-403D-8827-0562415DCFAC} - C:\WINNT\system32\IEFilter.dll (file missing)
O23 - Service: Service - Unknown owner - C:\WINNT\System32\Service.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\WINNT\inet20088\

Please delete this file (if present) using Windows Explorer:

C:\WINNT\System32\tlpnkaaa.exe

Close Windows Explorer and Reboot normally

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Post back a fresh HijackThis log (from normal mode) and I will take another look.
  • 0

#3
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Custyoldbloke,

Thanks so much for the quick reply.

I think I did all you said, though not 100% sure I moved HJT to its own folder - I made sure I opened it through Program Files in Window Explorer though.

I deleted the file and folder you said could be there, and were.

CCleaner said it found 83MB of stuff, and loads of issues, which are all fixed I think.
Was I supposed to run that in Safe Mode too? If so, fraid I didn't.

Anyway here is log for your comments.

Thanks again.

Graeme

Logfile of HijackThis v1.99.1
Scan saved at 17:36:48, on 08/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft

Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Adaptec

Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe
C:\program files\u-storage tools\ustorage.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network

Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Vodafone\Vodafone Mobile

Connect\VMConnect.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\graeme.jeffs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search

Bar = http://www.lycos.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window

Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F}

- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe

/logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CD-Eject Launcher V1] "C:\Program

Files\CD-Eject Launcher V1\CDEJECT.EXE"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common

Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program

Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage

tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage

Tools
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare

Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network

Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting

Service] "C:\Program Files\Common Files\Network

Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter

4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk =

C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall

Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {0731104E-6ABC-42BA-90B7-5FD7DBA414A2} -

http://www.fusionone...8/0/install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows

Genuine Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.micros...5Controls/en/x8

6/client/wuweb_site.cab?1130879403201
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader

Class) -

http://support.euro....mprofiler/PROFI

LER.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB}

(WebSpyWareKiller Class) -

http://download.zone...ywaredetector/W

ebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://acs.pandasoft...free/asinst.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{4AB82CD5-7218-4170-9FC5-06

2C94797B91}: NameServer = 172.29.1.11 172.29.1.11
O20 - Winlogon Notify: igfxcui -

C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Distributed Link Tracking Client Helper -

Unknown owner - C:\WINNT\System32\tlpnkaaa.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service

(dmadmin) - VERITAS Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks

- C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) -

Network Associates, Inc. - C:\Program Files\Network

Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) -

Network Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager

(McTaskManager) - Network Associates, Inc. - C:\Program

Files\Network Associates\VirusScan\VsTskMgr.exe
  • 0

#4
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Graeme

Please do me a favour and resubmit your HJT scan, the one posted is scattered. It takes me about 20 minutes to put it back together into a readable format, whereas you can do it with just a click.

The reason it is scattered is likely to be word wrap being enabled in Notepad. After you have submitted it, please Preview Post to check all is OK before clicking Add Reply.
  • 0

#5
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sorry, hope this one works.

P.s. from your biog see you're a golfer. Can you recommend any good books for a novice?

Log is below - hope its easier to read.
System seems quicker, but I could be mistaken.
Juts tried to sync my phone and Outlook, but couldn't as CPU showed using 100%
don't know if that's relevant or not

Thanks
Graeme


Logfile of HijackThis v1.99.1
Scan saved at 17:36:48, on 08/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\program files\u-storage tools\ustorage.exe
C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\graeme.jeffs\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiscali.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CD-Eject Launcher V1] "C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk/
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0731104E-6ABC-42BA-90B7-5FD7DBA414A2} - http://www.fusionone...8/0/install.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130879403201
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AB82CD5-7218-4170-9FC5-062C94797B91}: NameServer = 172.29.1.11 172.29.1.11
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Distributed Link Tracking Client Helper - Unknown owner - C:\WINNT\System32\tlpnkaaa.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
  • 0

#6
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Graeme

Golf was my real passion before getting Meniere's Disease, now I am lucky to put a good round together.

Two tips for you: Get lessons to begin with to stop all those bad habits from becoming permanent. Always remember, drive for show, putt for dough! Get a good putter and stick with it. You need about a year to get used to one.

When I became unwell, my wife took up the game so that someone who understood my condition would be with me. She had lessons and I have seen her average round go from 150 strokes to 96, and she is still going strong. My score went from 70 odd to 90 odd, with occasional good days in the low 80's.

Anyway, your log looks good with just one minor adjustment to make, however since you still have a slow PC, I'll check below the surface to see if anything undesirable is lurking.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Distributed Link Tracking Client Helper

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

Distributed Link Tracking Client Helper

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O23 - Service: Distributed Link Tracking Client Helper - Unknown owner - C:\WINNT\System32\tlpnkaaa.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

Download:WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into Safe Mode: please see here if you are not sure how to do this.

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt
  • 0

#7
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again.

Sorry to hear about your illness - be consoled by the fact that you and your wife would both comfortably beat me on current form. I know you're right about the putter, but problem is reconciling the fact that I'll never hit a great consistent drive,a nd have to accept that good putting may just make me a mediocre golfer..

I did what you told me, but when I got to
Distributed Link Tracking Client Helper
it was already stopped.
I also couldn't find:
O23 - Service: Distributed Link Tracking Client Helper - Unknown owner - C:\WINNT\System32\tlpnkaaa.exe (file missing)

Should the 'Show all folders' option have been on, cos I made sure it was.
I'll turn it back off now, but let me know what to do with this in future? assume stupidity on my part at all times

thanks again for your time
Graeme

The WinPFolder is pasted below:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 06/11/2005 12:56:54 16351245 C:\WINNT\lpt$vpn.931
qoologic 06/11/2005 12:56:54 16351245 C:\WINNT\lpt$vpn.931
SAHAgent 06/11/2005 12:56:54 16351245 C:\WINNT\lpt$vpn.931
UPX! 03/05/2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINNT\tsc.exe
PECompact2 06/11/2005 12:56:54 16351245 C:\WINNT\VPTNFILE.931
qoologic 06/11/2005 12:56:54 16351245 C:\WINNT\VPTNFILE.931
SAHAgent 06/11/2005 12:56:54 16351245 C:\WINNT\VPTNFILE.931
UPX! 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll

Checking %System% folder...
PTech 29/08/2005 12:27:12 520968 C:\WINNT\SYSTEM32\LegitCheckControl.DLL
PECompact2 02/10/2005 19:40:46 2293088 C:\WINNT\SYSTEM32\MRT.exe
aspack 02/10/2005 19:40:46 2293088 C:\WINNT\SYSTEM32\MRT.exe
Umonitor 12/01/2005 19:39:46 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
winsync 24/07/2002 18:00:00 1309184 C:\WINNT\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
08/11/2005 19:37:36 H 643472 C:\WINNT\ShellIconCache
08/11/2005 19:39:20 S 64 C:\WINNT\CSC\00000001
07/11/2005 15:25:48 S 64 C:\WINNT\CSC\00000002
07/11/2005 11:23:46 S 64 C:\WINNT\CSC\csc1.tmp
06/11/2005 22:35:04 H 10820 C:\WINNT\Help\nocontnt.GID
01/11/2005 21:14:10 H 0 C:\WINNT\INF\oem41.inf
03/11/2005 13:27:34 H 0 C:\WINNT\INF\oem42.inf
08/11/2005 19:36:56 H 1024 C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG
08/11/2005 19:43:50 H 1024 C:\WINNT\SYSTEM32\CONFIG\SAM.LOG
08/11/2005 19:41:00 H 1024 C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG
08/11/2005 19:46:20 H 1024 C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG
08/10/2005 20:02:08 HS 336 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\d754618d-5f94-4586-8c23-568ed627dec6
08/10/2005 20:02:08 HS 24 C:\WINNT\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
08/11/2005 19:39:28 H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 24/07/2002 18:00:00 67344 C:\WINNT\SYSTEM32\ACCESS.CPL
Microsoft Corporation 19/06/2003 19:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 19/06/2003 19:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Teleca Software Solutions AB 20/09/2004 12:09:04 344064 C:\WINNT\SYSTEM32\ecsepm.cpl
Microsoft Corporation 24/07/2002 18:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 24/07/2002 18:00:00 128272 C:\WINNT\SYSTEM32\HDWWIZ.CPL
Intel Corporation 14/01/2003 02:01:10 94208 C:\WINNT\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 29/08/2002 06:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 20/02/2001 12:09:54 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 24/07/2002 18:00:00 118032 C:\WINNT\SYSTEM32\INTL.CPL
Microsoft Corporation 24/07/2002 18:00:00 36112 C:\WINNT\SYSTEM32\IRPROPS.CPL
Microsoft Corporation 30/10/2001 07:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 03/06/2005 02:52:54 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/07/2002 18:00:00 122128 C:\WINNT\SYSTEM32\MAIN.CPL
Microsoft Corporation 24/07/2002 18:00:00 303888 C:\WINNT\SYSTEM32\MMSYS.CPL
Microsoft Corporation 24/07/2002 18:00:00 17168 C:\WINNT\SYSTEM32\NCPA.CPL
Microsoft Corporation 24/07/2002 18:00:00 41232 C:\WINNT\SYSTEM32\NWC.CPL
Microsoft Corporation 19/06/2003 19:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 19:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 19/06/2003 19:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 19/06/2003 19:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 24/07/2002 18:00:00 5904 C:\WINNT\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 24/07/2002 18:00:00 61200 C:\WINNT\SYSTEM32\TIMEDATE.CPL
Dell 25/05/2001 06:57:04 90112 C:\WINNT\SYSTEM32\wndel48.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 29/08/2002 06:14:40 292352 C:\WINNT\SYSTEM32\DLLCACHE\inetcpl.cpl
Microsoft Corporation 12/01/2005 19:40:00 64784 C:\WINNT\SYSTEM32\DLLCACHE\msmq.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
25/10/2005 15:09:58 1575 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
27/10/2005 20:12:14 1584 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Phone Connection Monitor.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
05/09/2005 13:56:24 22274 C:\Documents and Settings\graeme.jeffs\Application Data\Comma Separated Values (DOS).ADR
13/04/2004 18:42:28 38434 C:\Documents and Settings\graeme.jeffs\Application Data\Comma Separated Values (Windows).ADR
13/10/2004 11:39:50 24469 C:\Documents and Settings\graeme.jeffs\Application Data\Microsoft Excel.ADR
04/04/2004 21:52:46 22038 C:\Documents and Settings\graeme.jeffs\Application Data\Tab Separated Values (DOS).ADR
08/09/2005 11:20:52 26848 C:\Documents and Settings\graeme.jeffs\Application Data\Tab Separated Values (Windows).ADR

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\UltimateZip
{2F860D81-AF3C-11D4-BDB3-00E0987D8540} = C:\PROGRA~1\ULTIMA~1.7\uzshlex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UltimateZip
{2F860D81-AF3C-11D4-BDB3-00E0987D8540} = C:\PROGRA~1\ULTIMA~1.7\uzshlex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\VirusScan
{cda2863e-2497-4c49-9b89-06840e070a87} = C:\Program Files\Network Associates\VirusScan\shext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
PCTVOICE pctspk.exe
IgfxTray C:\WINNT\System32\igfxtray.exe
HotKeysCmds C:\WINNT\System32\hkcmd.exe
PRPCMonitor PRPCUI.exe
CD-Eject Launcher V1 "C:\Program Files\CD-Eject Launcher V1\CDEJECT.EXE"
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
UStorag c:\program files\u-storage tools\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools
LWBMOUSE C:\Program Files\iWare\iWare Mouse\3.2\MOUSE32A.EXE
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
ShStatEXE "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
McAfeeUpdaterUI "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
Network Associates Error Reporting Service "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispScrSavPage 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispSettingsPage 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 08/11/2005 19:51:08
  • 0

#8
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Graeme

The 023 entry ( Distributed Link Tracking Client Helper) is not malware, but since the file was missing, I thought I would get rid to save you getting some sort of a nag screen; if it is disabled, then that is fine.
Well the Winpfind log is negative.

Is it just slowness now, not pop-ups or redirects?
  • 0

#9
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Well, speed seems ok, but I keep getting this error message from VirusScan Alert, which says its found a Proxy-Spamlay Trojan, and deletd the file:
C:\WINNT\SYSTEM32\mscls.exe

I've tried - as you can probably see - loads of trojan killers, but this keeps happening.
The other problem is synchronising my phone and Outlook, when CPU goes up to 100%.

Any ideas?
  • 0

#10
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again

Synchronising your phone and Outlook, is a job for one of our experts in Microsoft products in the Win2K OS forum. I gave up with Outlook in 2001 when it got complicated.

For the malware which is being picked up on scanners, we can try something.

Download the Trial Version Spy Sweeper it is a 14-day trial.
  • Install it.
  • Once the programme is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, reboot into Safe Mode. Re-open Spysweeper, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

Advertisements


#11
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again

Here is the log.
It didn't seem to find anythign, so there was nothing to remove.
Could it just be a problem with the VirusScan?




********
21:41: | Start of Session, 08 November 2005 |
21:41: Spy Sweeper started
21:41: Sweep initiated using definitions version 569
21:45: Starting Memory Sweep
21:47: Memory Sweep Complete, Elapsed Time: 00:01:15
21:47: Starting Registry Sweep
21:47: Registry Sweep Complete, Elapsed Time:00:00:13
21:47: Starting Cookie Sweep
21:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:47: Starting File Sweep
21:49: Warning: Failed to open file "c:\program files\common files\adaptec shared\createcd\images\". The system cannot find the path specified
21:58: File Sweep Complete, Elapsed Time: 00:11:02
21:58: Full Sweep has completed. Elapsed time 00:16:46
21:58: Traces Found: 0
********
21:39: | Start of Session, 08 November 2005 |
21:39: Spy Sweeper started
21:39: Sweep initiated using definitions version 569
********
21:34: | Start of Session, 08 November 2005 |
21:34: Spy Sweeper started
21:34: Sweep initiated using definitions version 569
21:34: Starting Memory Sweep
21:35: Memory Sweep Complete, Elapsed Time: 00:01:06
21:35: Starting Registry Sweep
21:35: Registry Sweep Complete, Elapsed Time:00:00:14
21:35: Starting Cookie Sweep
21:35: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:35: Starting File Sweep
********
21:22: | Start of Session, 08 November 2005 |
21:22: Spy Sweeper started
21:24: Your spyware definitions have been updated.
  • 0

#12
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Graeme

I have difficuly believing that the file still exists but let's make sure

Download
Killbox by Option^Explicit

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\SYSTEM32\mscls.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

I would be interested in the result of this fix.
  • 0

#13
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hi again Crustyoldbloke,

I did what you said, but Kilbox said it couldn't find the file.
I did the delete on reboot thing anyway, and rebooted.
So far no error messages - could it be a problem with VirusScan?

I also have another question - I have Trojanhunterguard, Ewido, VirusScan and Microsoft Anti-Spyware all installed. Which is best, and should I disable the others or uninstall them, as some only have 14 day trial periods?

Thanks
G
  • 0

#14
Crustyoldbloke

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Graeme

Without wishing in any way to denegrate virusscan, it seems likely to me that the file does not exist.

Of the programmes you have, I would choose Microsoft Anti-Spywareware as my realtime scanner, and Ewido as my on-demand scanner. Again I am not denegrating the effectiveness of the other programmes, but looking at your system in a practicle way.

I wish you happy safe surfing!
  • 0

#15
GraemeJ

GraemeJ

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sorry, Crusty (can I call you Crusty?)

The same problem via a different route

Just ran the Ewido security suite scan, and it came up with a virus:
TrojanProxy.Morta.a

and the path was our old friend
C:\WINNT\SYSTEM32\mscls.exe

That means Ewido and Viruscan picking up same file, that seemingly doesn't exist, but both saying its roughly the same Trojan.

Help!

Graeme
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP