Hi
From the look of his HiJack this log I have exactly the same problem as Benitus (other thread later down) however I did not want to confuse matters and hijack his thread.
I received the c:\spad pop up page the other day which I have had before. I thought a quick hijack this followed by running remove.exe would fix it, however when I went to a link in an old thread by Calamity Jane the program was not there.
Anyway, I have run HiJack this and removed all the lines with MYEXEXEX and SPAD as well as removing the C:\SPAD directory and my Hijack this log now looks as follows:
Logfile of HijackThis v1.97.7
Scan saved at 09:23:35, on 28/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
I have now installed SPYWARE BLASTER as well as IE-SPAD, I also run Ad-AWARE and SPYBOT regulary. I have all relevant Windows updates installed.
Any help from you kind people will be very gratefuly received.
Cheers
Chris
Full Version: Same Problem as Benitus
I also downloaded CWSHREDDER (1.57.0) however when I click on check for update all I get is
Current version: CWShredder v1.57.0
Connecting...
Fetching CWShredder update information from merijn.org...
And it just sits there. I thought I would get the latest version just in case that was required for the disinfection.
Current version: CWShredder v1.57.0
Connecting...
Fetching CWShredder update information from merijn.org...
And it just sits there. I thought I would get the latest version just in case that was required for the disinfection.
Hi HawkMan, and welcome to the forum!
Please copy the text in the box below to Notepad and save it to your desktop as spad.bat.
Double-click on the spad.bat file, and it will run and create a text document (spad.txt) on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Please copy the text in the box below to Notepad and save it to your desktop as spad.bat.
CODE
Regedit /e spad.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"
Start notepad.exe spad.txt
Exit
Start notepad.exe spad.txt
Exit
Double-click on the spad.bat file, and it will run and create a text document (spad.txt) on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Thanks
Contents as follows:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BD349053-7B3E-4B13-89B2-938A52514710}]
"clsid"="{BD349053-7B3E-4B13-89B2-938A52514710}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"
Contents as follows:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BD349053-7B3E-4B13-89B2-938A52514710}]
"clsid"="{BD349053-7B3E-4B13-89B2-938A52514710}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"
Let's go to next step.
Please copy the text in the box below to Notepad and save it to your desktop as fixspad.reg
Locate fixspad.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
Reboot.
Delete the following folder:
c:\spad
Delete the following files:
c:\Documents and Settings\<username>\Local Settings\temp\c_10230.dll
c:\Windows\System32\hpcmdty.dll (Win 2K, Win XP)
c:\WIndows\System\hpcmdty.dll (Win 98, Win ME)
c:\WINNT\System32\hpcmdty.dll (Win NT)
The infection should have disappeared.
Please copy the text in the box below to Notepad and save it to your desktop as fixspad.reg
CODE
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
Locate fixspad.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".
Reboot.
Delete the following folder:
c:\spad
Delete the following files:
c:\Documents and Settings\<username>\Local Settings\temp\c_10230.dll
c:\Windows\System32\hpcmdty.dll (Win 2K, Win XP)
c:\WIndows\System\hpcmdty.dll (Win 98, Win ME)
c:\WINNT\System32\hpcmdty.dll (Win NT)
The infection should have disappeared.
Hi Fats (or should that be Mr Gordon)
I put the batch file together and it seemed to be just running so I wacked a pause at the end and there seems to be a prob
This is what was happening.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CURRENT_USER\Software\Microsoft\I
nternet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63
-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLS
ID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CL
SID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_USERS\.DEFAULT\Software\Microsoft
\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>pause
Press any key to continue . . .
Chogb is myuser name
I put the batch file together and it seemed to be just running so I wacked a pause at the end and there seems to be a prob
This is what was happening.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CURRENT_USER\Software\Microsoft\I
nternet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63
-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLS
ID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CL
SID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>[-HKEY_USERS\.DEFAULT\Software\Microsoft
\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}
The system cannot find the path specified.
C:\Documents and Settings\chogb\Desktop>pause
Press any key to continue . . .
Chogb is myuser name
:) You can call me just Fats.
Disregard those comments. Just redo the first step:
Let me see that again. Some registry entries should have gone for good.
Disregard those comments. Just redo the first step:
QUOTE
Please copy the text in the box below to Notepad and save it to your desktop as spad.bat.
Double-click on the spad.bat file, and it will run and create a text document (spad.txt) on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
CODE
Regedit /e spad.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions"
Start notepad.exe spad.txt
Exit
Start notepad.exe spad.txt
Exit
Double-click on the spad.bat file, and it will run and create a text document (spad.txt) on your desktop which will open in Notepad.
Copy and paste the contents of that entire file in this thread.
Let me see that again. Some registry entries should have gone for good.
Cheers Fats 
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BD349053-7B3E-4B13-89B2-938A52514710}]
"clsid"="{BD349053-7B3E-4B13-89B2-938A52514710}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BD349053-7B3E-4B13-89B2-938A52514710}]
"clsid"="{BD349053-7B3E-4B13-89B2-938A52514710}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
"CLSID"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Exec"="C:\\Program Files\\Messenger\\MSMSGS.EXE"
"Default Visible"="Yes"
"HotIcon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,302"
"Icon"="C:\\Program Files\\Messenger\\MSMSGS.EXE,301"
"ButtonText"="Messenger"
"MenuText"="Windows Messenger"
"ToolTip"="Windows Messenger"
da**
Just after posting the message above I was went to another Website (a safe one) and a new window opened with the following URL
http://www.myexexex.com/oldindex.html
This was a page of porn links.
Just rerun Hijack this and I get the following log (BTW WEBINT is an internal intranet home page)
Logfile of HijackThis v1.97.7
Scan saved at 09:07:44, on 01/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\chogb\LOCALS~1\Temp\mpdi.dat
C:\Documents and Settings\chogb\Application Data\rroa.exe
C:\Download\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O15 - Trusted Zone: http://www.mt-download.com
O15 - Trusted Zone: http://www.myexexex.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Just after posting the message above I was went to another Website (a safe one) and a new window opened with the following URL
http://www.myexexex.com/oldindex.html
This was a page of porn links.
Just rerun Hijack this and I get the following log (BTW WEBINT is an internal intranet home page)
Logfile of HijackThis v1.97.7
Scan saved at 09:07:44, on 01/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\chogb\LOCALS~1\Temp\mpdi.dat
C:\Documents and Settings\chogb\Application Data\rroa.exe
C:\Download\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O15 - Trusted Zone: http://www.mt-download.com
O15 - Trusted Zone: http://www.myexexex.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
I don't need to see the HT log to notice that the infection is still there.
Please tell me how you did the fixspad.reg step. I did it myself and it worked Ok, though I'm not infected.
This is the key of all this.
Please tell me how you did the fixspad.reg step. I did it myself and it worked Ok, though I'm not infected.
This is the key of all this.
I copied the text as indicated from the post and then pasted it into textpad, a 3rd party editor, then saved as a batch file on the desktop.
When that did not work I pasted the same text into notepad and saved to the desktop, and it still did not work.
The only difference between your text and mine was that I put a PAUSE in at the end so that I could see what was happening after your commands executed as the window was closing to quickly to see.
When that did not work I pasted the same text into notepad and saved to the desktop, and it still did not work.
The only difference between your text and mine was that I put a PAUSE in at the end so that I could see what was happening after your commands executed as the window was closing to quickly to see.
:blink:
Notice it's NOT a BATCH file but a REG file... That's the main difference. If you save it as a .bat file, it will try to execute every line as if they were executable lines. They are not. The main purpose of those lines is to delete them from the Registry, and that's why they have a minus sign before them.
Please save it as a REG file (.reg) and run it again.
Thank you.
Notice it's NOT a BATCH file but a REG file... That's the main difference. If you save it as a .bat file, it will try to execute every line as if they were executable lines. They are not. The main purpose of those lines is to delete them from the Registry, and that's why they have a minus sign before them.
Please save it as a REG file (.reg) and run it again.
Thank you.
Ah !
Doh !
Ok - It worked this time with the relevant messages as prescribed :thumb:
Doh !
Ok - It worked this time with the relevant messages as prescribed :thumb:
Good! :thumb:
Now go ahead with the final part (deleting the files) and post a fresh HT log.
Now go ahead with the final part (deleting the files) and post a fresh HT log.
Ok - FYI the files were not there, even in a hidden state
Here is the HiJack this Log
Logfile of HijackThis v1.97.7
Scan saved at 20:09:22, on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Documents and Settings\chogb\Application Data\rroa.exe
C:\WINDOWS\System32\wnstssv.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Here is the HiJack this Log
Logfile of HijackThis v1.97.7
Scan saved at 20:09:22, on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Documents and Settings\chogb\Application Data\rroa.exe
C:\WINDOWS\System32\wnstssv.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnstssv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Still infected. :(
Please download Ad-aware from the link in my signature, install it, update it by clicking in the Globe icon and then Connect (last reference file is 01R313). Perform a FULL (Custom, the second option) scan as described in http://www.lavahelp.com/howto/fullscan/index.html, and when finished eliminate all that it finds (if you wish to do so. Keep in mind that some programs may not work after cleaning because they rely on advertising or grabbing your info to start operating. My opinion is that such programs don't deserve to reside in my machine, but that's just me...). When you are done, reboot and after rebooting perform a new FULL scan with Ad-aware, eliminating all that it finds.
Then reboot and post a fresh HT log.
Please download Ad-aware from the link in my signature, install it, update it by clicking in the Globe icon and then Connect (last reference file is 01R313). Perform a FULL (Custom, the second option) scan as described in http://www.lavahelp.com/howto/fullscan/index.html, and when finished eliminate all that it finds (if you wish to do so. Keep in mind that some programs may not work after cleaning because they rely on advertising or grabbing your info to start operating. My opinion is that such programs don't deserve to reside in my machine, but that's just me...). When you are done, reboot and after rebooting perform a new FULL scan with Ad-aware, eliminating all that it finds.
Then reboot and post a fresh HT log.
Hi Fats - Cheers for the continued help.
Ok - I already had Adaware installed so I performed a live update and received update 01R314 (not 313 as you mentioned - I assume this is even more uptodate) changed the scan settings as indicated and run a scan then rebooted, re scanned and rebooted. Following is the HJT log
Logfile of HijackThis v1.97.7
Scan saved at 09:28:55, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Ok - I already had Adaware installed so I performed a live update and received update 01R314 (not 313 as you mentioned - I assume this is even more uptodate) changed the scan settings as indicated and run a scan then rebooted, re scanned and rebooted. Following is the HJT log
Logfile of HijackThis v1.97.7
Scan saved at 09:28:55, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Hmmm
I have just noticed that I am getting an icon appear on my desktop. It is labeled as Default and is a shortcut. It is a blue square with a yellow cross in it. The properties of the scortcut are
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.-- Look for another playground --palazzo.com/index.php?sourceid=101969
I have already deleted it once and it has reappeared.
I have just noticed that I am getting an icon appear on my desktop. It is labeled as Default and is a shortcut. It is a blue square with a yellow cross in it. The properties of the scortcut are
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.-- Look for another playground --palazzo.com/index.php?sourceid=101969
I have already deleted it once and it has reappeared.
:mad: That's another junkie.
Download and run CWShredder (there is a new version) from http://www.spywareinfo.com/~merijn/files/CWShredder.exe . Press Fix. After that reboot and post a fresh HT log.
Download and run CWShredder (there is a new version) from http://www.spywareinfo.com/~merijn/files/CWShredder.exe . Press Fix. After that reboot and post a fresh HT log.
OK - Downloaded shredder from your link and run it. It said that it found no errors at the end, however I have rebooted and here is the log you requested.
Logfile of HijackThis v1.97.7
Scan saved at 23:30:12, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
C:\WINDOWS\system32\userinit.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Logfile of HijackThis v1.97.7
Scan saved at 23:30:12, on 03/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
C:\WINDOWS\system32\userinit.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
OK - Just came back from being out for an hour to find a flipping toolbar had self installed. Removed with add/remove programs.
I have just done an adaware scan and it found 132 new objects !
So I have removed them, but the infection seems to be steping up a gear. I keep getting messages from spyware guard that xy or z has tried to change as well !.
Anyway, here is current HT log.
Logfile of HijackThis v1.97.7
Scan saved at 12:04:16, on 04/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\qcysyiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /igonO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ow.exe] c:\documents and settings\chogb\local settings\temp\Ow.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [rlnhhyi] C:\WINDOWS\System32\qcysyiag.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
I have just done an adaware scan and it found 132 new objects !
So I have removed them, but the infection seems to be steping up a gear. I keep getting messages from spyware guard that xy or z has tried to change as well !.
Anyway, here is current HT log.
Logfile of HijackThis v1.97.7
Scan saved at 12:04:16, on 04/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\qcysyiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /igon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ow.exe] c:\documents and settings\chogb\local settings\temp\Ow.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [rlnhhyi] C:\WINDOWS\System32\qcysyiag.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" "+b1"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
I'm really sorry. I was all the day working hard at my job and now I have some time to devote here :( (though I'm still at work)
Do you recognize this app?
C:\Program Files\Comshare\Application Server\AppServ.exe
I think you do, but just in case (I saw you're running Apache).
These files are totally suspicious, please send them for analysis:
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Try send them in a ZIP file to my email addy (I'll send it to you via PM), so I can share them.
Now close all your programs and browser windows, run again HT and fix the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Ow.exe] c:\documents and settings\chogb\local settings\temp\Ow.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [rlnhhyi] C:\WINDOWS\System32\qcysyiag.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Global Startup: BTTray.lnk = ?
Also if you don't recognize the Domain or the IP range, check these:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Press Fix checked. Reboot in Safe mode:
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Then delete the files:
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
And empty ALL your temp folders, including Internet Temporary Files folder.
Reboot in normal mode and post a fresh HT log.
Do you recognize this app?
C:\Program Files\Comshare\Application Server\AppServ.exe
I think you do, but just in case (I saw you're running Apache).
These files are totally suspicious, please send them for analysis:
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Try send them in a ZIP file to my email addy (I'll send it to you via PM), so I can share them.
Now close all your programs and browser windows, run again HT and fix the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Ow.exe] c:\documents and settings\chogb\local settings\temp\Ow.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [rlnhhyi] C:\WINDOWS\System32\qcysyiag.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Global Startup: BTTray.lnk = ?
Also if you don't recognize the Domain or the IP range, check these:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Press Fix checked. Reboot in Safe mode:
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
Then delete the files:
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
And empty ALL your temp folders, including Internet Temporary Files folder.
Reboot in normal mode and post a fresh HT log.
Please check your PM inbox :thumb:
Hi Fats
Appologies for the slightly delayed response. Many thanks for your continued help on this :thumb:
The files
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
were not on my machine, even in a hidden form.
I deleted the HT entries that you specified, the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
Is an internal intranet page so I left this reference in.
The domain is a recognised domain and the IP addresses look ok
Here is the latest HT Log
Logfile of HijackThis v1.97.7
Scan saved at 11:15:49, on 07/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Appologies for the slightly delayed response. Many thanks for your continued help on this :thumb:
The files
C:\WINDOWS\System32\qcysyiag.exe
c:\documents and settings\chogb\local settings\temp\Ow.exe
C:\WINDOWS\System32\dp-him.exe
were not on my machine, even in a hidden form.
I deleted the HT entries that you specified, the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
Is an internal intranet page so I left this reference in.
The domain is a recognised domain and the IP addresses look ok
Here is the latest HT Log
Logfile of HijackThis v1.97.7
Scan saved at 11:15:49, on 07/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
To me it looks ok. Are you experiencing any trouble now?
Hi Fats
No problems since I removed the entries and posted the last log.
Also, even after an update, adaware is not finding any problems.
I will keep an eye on the situation but fingers crossed it looks OK !
I would like to say a BIG thank you to yourself and your collegues on this board for the time and effort that you dedicate to the cause !
If I could post you a beer I would ! :thumb:
Many Thanks
Chris
No problems since I removed the entries and posted the last log.
Also, even after an update, adaware is not finding any problems.
I will keep an eye on the situation but fingers crossed it looks OK !
I would like to say a BIG thank you to yourself and your collegues on this board for the time and effort that you dedicate to the cause !
If I could post you a beer I would ! :thumb:
Many Thanks
Chris
:angry:
BUM
Talk about counting your chicks before they are hatched
Just had a window open up with the following URL - http://www.myexexex.com/oldindex.html
:mad: :mad: :mad:
Current HT log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 09:30:26, on 08/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\DOCUME~1\chogb\LOCALS~1\Temp\fppc.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\chogb\LOCALS~1\Temp\wu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
BUM
Talk about counting your chicks before they are hatched
Just had a window open up with the following URL - http://www.myexexex.com/oldindex.html
:mad: :mad: :mad:
Current HT log is as follows:
Logfile of HijackThis v1.97.7
Scan saved at 09:30:26, on 08/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\DOCUME~1\chogb\LOCALS~1\Temp\fppc.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wmhs] C:\Documents and Settings\chogb\Application Data\rroa.exe
O4 - HKLM\..\RunOnce: [wu] C:\DOCUME~1\chogb\LOCALS~1\Temp\wu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
OK - I have just done an adaware scan and 4 objects were found.
They are:
Item 1.
Vendor - Clickspring
Type - RegValue
Category - Dataminer
Object - HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Run\
Comment - "Wmhs"
Item 2.
Vendor - Clickspring
Type - Process
Category - Dataminer
Object - c:\documents and settings\chogb\application data\rroa.exe
Item 3.
Vendor - Clickspring
Type - Folder
Category - Dataminer
Object - c:\program files\PurityScan\
Item 4.
Vendor - Clickspring
Type - File
Category - Dataminer
Object - c:\program files\PurityScan\purityscan.exe
At the moment I have not removed them, I will await instruction.
They are:
Item 1.
Vendor - Clickspring
Type - RegValue
Category - Dataminer
Object - HKEY_CURRENT_USER:Software\Microsoft\Windows\CurrentVersion\Run\
Comment - "Wmhs"
Item 2.
Vendor - Clickspring
Type - Process
Category - Dataminer
Object - c:\documents and settings\chogb\application data\rroa.exe
Item 3.
Vendor - Clickspring
Type - Folder
Category - Dataminer
Object - c:\program files\PurityScan\
Item 4.
Vendor - Clickspring
Type - File
Category - Dataminer
Object - c:\program files\PurityScan\purityscan.exe
At the moment I have not removed them, I will await instruction.
Yes please, ensure yourself that you have Ad-aware 6.181 with last reference file (is 01R315) and perform a FULL (Custom, the second option) scan as described in http://www.lavahelp.com/howto/fullscan/index.html, and when finished eliminate all that it finds. When you are done, reboot and after rebooting perform a new FULL scan with Ad-aware, eliminating all that it finds. And when you finish reboot and post a fresh HT log.
Hi Fats
Defo 100% uptodate on adaware.
Here is the HT log
Logfile of HijackThis v1.97.7
Scan saved at 09:42:46, on 09/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Defo 100% uptodate on adaware.
Here is the HT log
Logfile of HijackThis v1.97.7
Scan saved at 09:42:46, on 09/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\extensity_demo61\services\apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
:( Just had another myexexex pop up.
Adaware scans are finding nothing BTW.
Cheers
Cheers
Your log is clean...
Please perform a system restore purge, like said in:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=
Don't forget to reenable it!
Tell us what happens then.
Please perform a system restore purge, like said in:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=
Don't forget to reenable it!
Tell us what happens then.
Infact....
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
Close IE and then checkmark those entries. Click 'Fix Checked' and rerun Internet Explorer. :thumb:
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
Close IE and then checkmark those entries. Click 'Fix Checked' and rerun Internet Explorer. :thumb:
OK
Followed Fats advice and completed the restore purge, and have also followed SpyDie's advice and removed the requested items.
Rebooted, updated adaware to latest ref file and scanned - that came up clean.
Here is my latest HT log.
I am off on holiday for a week now, so the computer will be off. When I am back I will check this thread for your response.
Cheers
Logfile of HijackThis v1.97.7
Scan saved at 11:51:27, on 11/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\wisptis.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Followed Fats advice and completed the restore purge, and have also followed SpyDie's advice and removed the requested items.
Rebooted, updated adaware to latest ref file and scanned - that came up clean.
Here is my latest HT log.
I am off on holiday for a week now, so the computer will be off. When I am back I will check this thread for your response.
Cheers
Logfile of HijackThis v1.97.7
Scan saved at 11:51:27, on 11/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\Program Files\Comshare\Shared Files\jobman.exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\wisptis.exe
C:\Download\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy3.comshare.com:3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
The log is clean. Tell us how is all doing when you are back.
OK - I am back and for the last few days everything seems to be fine.
One thing though, Notepad has not worked for a while and reading some of the posts here I see that Notepad going funny can be the result of infections.
When I check the properties for notepad from the start menu it says
Target: C:\WINDOWS\system32\actmovie.exe
Is this a 'dodgy' file ?
It says start in: %HOMEDRIVE%%HOMEPATH%
Adaware scans on the latest update are finding nothing.
Doing a search for Notepad.exe finds
C:\Windows\notepad.exe 65k in size
C:\Windows\notepad.exe.bak 65k in size
C:\Windows\system32\notepad.exe.bak 65k in size
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf 32k in size
Here is the latest HT log
Logfile of HijackThis v1.97.7
Scan saved at 15:37:48, on 25/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Download\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\schannel.dll
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
One thing though, Notepad has not worked for a while and reading some of the posts here I see that Notepad going funny can be the result of infections.
When I check the properties for notepad from the start menu it says
Target: C:\WINDOWS\system32\actmovie.exe
Is this a 'dodgy' file ?
It says start in: %HOMEDRIVE%%HOMEPATH%
Adaware scans on the latest update are finding nothing.
Doing a search for Notepad.exe finds
C:\Windows\notepad.exe 65k in size
C:\Windows\notepad.exe.bak 65k in size
C:\Windows\system32\notepad.exe.bak 65k in size
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf 32k in size
Here is the latest HT log
Logfile of HijackThis v1.97.7
Scan saved at 15:37:48, on 25/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comshare\Application Server\AppServ.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\extensity_demo61\services\apache\Apache.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\RightFax\faxctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Dell\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Download\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [IE 3.0 RegSvr schannel.dll] C:\WINDOWS\System32\regsvr32.exe /s C:\WINDOWS\System32\schannel.dll
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Comshare Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Job Manager.lnk = C:\Program Files\Comshare\Shared Files\jobman.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.comshare.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7907.4252083333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://geac.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\Software\..\Telephony: DomainName = uk.org.geac.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{59174E13-6ED8-4813-A440-EB44BA862719}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{603DBCAD-C9E0-4476-9AB6-A1023D9182D1}: NameServer = 130.211.1.40 159.172.1.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uk.org.geac.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uk.org.geac.com
Yes, it's strange...
I can remember something related, but can't quite remember what it was.
Please do the following:
- Search here (and in other forums as well) about Notepad (without the .exe), and read the results. Maybe someone reported the same.
- Go to http://www.kaspersky.com/scanforvirus and analize ONE BY ONE the files you showed to me. KAV is an excellente AV so we'll know that way if they are or not infected.
Please post back your findings.
I can remember something related, but can't quite remember what it was.
Please do the following:
- Search here (and in other forums as well) about Notepad (without the .exe), and read the results. Maybe someone reported the same.
- Go to http://www.kaspersky.com/scanforvirus and analize ONE BY ONE the files you showed to me. KAV is an excellente AV so we'll know that way if they are or not infected.
Please post back your findings.
I have scanned
C:\WINDOWS\system32\actmovie.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe.bak
C:\Windows\system32\notepad.exe.bak
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf
And all come up as clean.
Still no idea what the actmovie file is though.
C:\WINDOWS\system32\actmovie.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe.bak
C:\Windows\system32\notepad.exe.bak
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf
And all come up as clean.
Still no idea what the actmovie file is though.
And I can not really find any other posts that refer to this problem.
Any idea what I should do fats ?
Any idea what I should do fats ?
actmovie.exe is legitimate (DirectShow Setup Tool) as I have it here on my WinXP as well. However the Target for Notepad should be %SystemRoot%\system32\notepad.exe Try changing that and see if it works now from the start menu.
On your HijackThis log, scan and checkmark these items, then press *fix checked*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab <---this is tagged as spyware or adware by SpywareBlaster
On your HijackThis log, scan and checkmark these items, then press *fix checked*
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webint/
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab <---this is tagged as spyware or adware by SpywareBlaster
Thanks for the reply ClamityJane :wub:
I have removed the 016 entry, however the other one that points to http://webint/ I have left in as that is just an internal intranet page.
Notepad.exe is in C:\windows so I have changed the target to that, thanks for telling me about the actmovie file, I am curious how it replaced itself for notepad.
Anyway, hope I am clean now, Adaware has not found anything for a good few days and I have loaded the latest reference files.
Many thanks to yourself, fats and spydie for the invaluable service that you provide. I am sorry to see that it is getting busier in here, I hope that is because more people are finding you and not because more are infected.
I am off to paypal some of the freeware that you guys have suggested now to make sure that it is there in the future !
Thanks again.
I have removed the 016 entry, however the other one that points to http://webint/ I have left in as that is just an internal intranet page.
Notepad.exe is in C:\windows so I have changed the target to that, thanks for telling me about the actmovie file, I am curious how it replaced itself for notepad.
Anyway, hope I am clean now, Adaware has not found anything for a good few days and I have loaded the latest reference files.
Many thanks to yourself, fats and spydie for the invaluable service that you provide. I am sorry to see that it is getting busier in here, I hope that is because more people are finding you and not because more are infected.
I am off to paypal some of the freeware that you guys have suggested now to make sure that it is there in the future !
Thanks again.
{{{Hugs}}} :hug: to you HawkMan.
And thanks. Those guys who write some of the finest programs to help us all our for free are really doing some service. That will be much appreciated.
And thanks. Those guys who write some of the finest programs to help us all our for free are really doing some service. That will be much appreciated.
QUOTE (HawkMan @ Jun 26 2004, 07:09 AM)
I have scanned
C:\WINDOWS\system32\actmovie.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe.bak
C:\Windows\system32\notepad.exe.bak
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf
And all come up as clean.
Still no idea what the actmovie file is though.
C:\WINDOWS\system32\actmovie.exe
C:\Windows\notepad.exe
C:\Windows\notepad.exe.bak
C:\Windows\system32\notepad.exe.bak
C:\Windows\Prefetch\NOTEPAD.EXE-189578DA.pf
And all come up as clean.
Still no idea what the actmovie file is though.
Wait a minute! ~adjusts glasses~
Two of those notepad files have an extra extension that does not belong there.
Delete these two files:
C:\Windows\notepad.exe.bak <--delete file
C:\Windows\system32\notepad.exe.bak <--delete file
download a fresh copy of notepad and save it to this folder:
C:\Windows\system32
Get the download here:
http://www.spywareinfo.com/~merijn/winfiles.html#notepad
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.