Hello there, and many thanks for taking the time out of your day to help me with my case. It is very much appreciated.
Before I did what you said, I had already done a couple of things to aid in the removal of this worm.
I had already run Ad-Aware SE and also used Avast to perform a pre-boot scan. Both apps found parts of the worm and as such removed them.
I am now posting the new HijackThis log and the scan report as suggested.
Many thanks (oh, and sorry for the delay, but I'm in the UK so there is the time difference!)
Logfile of HijackThis v1.99.1
Scan saved at 21:16:58, on 31/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\mpssvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eXentiasupport.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.elonex.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe -invisible
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Eval] "C:\Program Files\Phoenix Technologies\cME\RPro\Eval\Eval.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eXentiasupport.com/
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125909620937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133293893092
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 21:05:32, 31/03/2006
+ Report-Checksum: 5705F943
+ Scan result:
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Bpath : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Bpath : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@adtech[2].txt -> TrackingCookie.Adtech : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@advertising[1].txt -> TrackingCookie.Advertising : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@com[1].txt -> TrackingCookie.Com : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Itrack : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\malcolm@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned without backup
C:\Documents and Settings\Malcolm\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned without backup
C:\m500\Resco Audio Recorder v3.20\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\m500\Resco Keyboard Pro v4.34\keygen.exe -> Logger.ProAgent.t : Cleaned without backup
C:\Program Files\outlook\p.zip/Setup.exe -> Worm.VB.dw : Cleaned without backup
::Report End
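A small triage script for logs like the HijackThis one above, added here as an example; it is not code from the poster, from HijackThis, or from ewido. It parses the R/O entry lines, pulls out the CLSID where there is one, and flags the entries a helper would look at first: anything HijackThis marks "(no file)" or "(file missing)", an O3 toolbar with no name, an O23 service with "Unknown owner", and any R0/R1 start or default page outside an allow-list (the allow-list and the flag names are assumptions for this example). It also flags a line whose command string has an odd number of double quotes: in the log above the MSMPSVC service line ends in `MSMPSVC.exe" -n 4 (file missing)` while MSMPSVC.exe is listed under running processes, so the "file missing" there is a log-parsing artifact to confirm on disk rather than a missing binary. The sample input is a handful of lines copied from the log above.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example, not part of the original post or of HijackThis itself.
It parses the R/F/N/O entry lines of a log and flags the entries a helper
would review first. The allow-list of start pages is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from the log posted above, with
# the fused R0/R1/O16 lines separated back out.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eXentiasupport.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MSMPSVC - Unknown owner - C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MSMPSVC.exe" -n 4 (file missing)
"""

# "R0 - ...", "O23 - ...": a section code, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Start/default pages accepted without review (assumption for this example).
TRUSTED_URLS = {"http://www.google.co.uk/"}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the R/F/N/O lines of a HijackThis log into Entry records."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("section"), body, clsid.group(0) if clsid else None))
    return entries


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach review flags to each entry and return only the flagged ones."""
    for e in entries:
        # HijackThis prints these when the registry points at a path not found on disk.
        if "(no file)" in e.body or "(file missing)" in e.body:
            e.flags.append("orphaned")
        # An odd number of quotes means HJT split the command line badly, so a
        # "(file missing)" on the same line may be a parsing artifact: check the disk.
        if e.body.count('"') % 2 == 1:
            e.flags.append("unbalanced-quote")
        if e.section == "O3" and "(no name)" in e.body:
            e.flags.append("unnamed-toolbar")
        if e.section == "O23" and "Unknown owner" in e.body:
            e.flags.append("no-vendor")  # no company name in the file's version info
        if e.section in ("R0", "R1") and "=" in e.body:
            url = e.body.split("=", 1)[1].strip()
            if url and url not in TRUSTED_URLS:
                e.flags.append("unexpected-url")
    return [e for e in entries if e.flags]


def report(text: str) -> List[str]:
    """One line per flagged entry: section, CLSID if any, and the flags."""
    return [f"{e.section} {e.clsid or '-'} {','.join(e.flags)}" for e in triage(parse_log(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the sample it reports the eXentiasupport default page (outside the allow-list, so surfaced for review, not judged malicious), the unnamed O3 toolbar with no file, the msnim O18 handler whose DLL is missing, and the MSMPSVC O23 line with both "orphaned" and "unbalanced-quote" set, which is the cue to verify the binary by hand before deleting anything.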