I come to THE MASTERS for advice out of sheer desperation!
My McAfee continues to detect keylog-briss in a number of locations. It has slipped past my ad-aware & search & destroy scans. I also assume it's the reason my firefox browser keeps starting up with virus alerts?
Please advise based on the following log.
Thanks aplenty! :)
Logfile of HijackThis v1.99.1
Scan saved at 2:25:37 PM, on 23/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {41D78520-01BA-A262-F933-4CB398F9C813} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Full Version: Help please! Another Keylog-Briss problem
Hi williambj,
Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.
You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
O2 - BHO: (no name) - {41D78520-01BA-A262-F933-4CB398F9C813} - (no file)
There are restrictions set on Control Panel. If you or your system administrator has not put this restriction on Control Panel, also check this item.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
Check your computer with the following free anti-virus/anti-trojan products.
Housecall Anti Virus Panda Anti Virus Trojan Scan Bit Defender
Is McAfee still picking it up? And if so, where?
QUOTE
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
What is this program?Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.
You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.
Run HijackThis, click on "Scan" and check the boxes next to all these items.
O2 - BHO: (no name) - {41D78520-01BA-A262-F933-4CB398F9C813} - (no file)
There are restrictions set on Control Panel. If you or your system administrator has not put this restriction on Control Panel, also check this item.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
Check your computer with the following free anti-virus/anti-trojan products.
Housecall Anti Virus Panda Anti Virus Trojan Scan Bit Defender
Is McAfee still picking it up? And if so, where?
Thanks Bobbi for helping me out!
Here's my list of programs as advised.
I'll attempt the suggested fix tomorrrow as i'll be needing to stay online overnight. :thumb:
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Type Manager Deluxe 4.1
Advanced WMA Workshop version 2.03b
Advanced ZIP Password Recovery
Aladdin DropStuff 5.0
Aladdin Expander 5.0
Anti-Leech Plugin for Internet Explorer
Anti-Leech Plugin for Netscape, Mozilla, Opera
DivX Player 2.1
DivX Pro Codec
D-Link DSL-200 ADSL Modem
EXPStudio Audio Editor 3.5.1
Free Registry Fix 3.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
iPod for Windows User Guide
iPod System Software Updater 2.1
iTunes
J2SE Runtime Environment 5.0 Update 1
McAfee VirusScan
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Mozilla Firefox (1.0.5)
NetPumper 1.22.0.0
ninemsn Toolbar
NOMAD MuVo
PerfectDisk
QuickTime
RealPlayer
SoulSeek 157 test 5
SoulSeek Client 156c
Spybot - Search & Destroy 1.3
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinMX
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
ZoneAlarm
Here's my list of programs as advised.
I'll attempt the suggested fix tomorrrow as i'll be needing to stay online overnight. :thumb:
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Type Manager Deluxe 4.1
Advanced WMA Workshop version 2.03b
Advanced ZIP Password Recovery
Aladdin DropStuff 5.0
Aladdin Expander 5.0
Anti-Leech Plugin for Internet Explorer
Anti-Leech Plugin for Netscape, Mozilla, Opera
DivX Player 2.1
DivX Pro Codec
D-Link DSL-200 ADSL Modem
EXPStudio Audio Editor 3.5.1
Free Registry Fix 3.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
iPod for Windows User Guide
iPod System Software Updater 2.1
iTunes
J2SE Runtime Environment 5.0 Update 1
McAfee VirusScan
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
Mozilla Firefox (1.0.5)
NetPumper 1.22.0.0
ninemsn Toolbar
NOMAD MuVo
PerfectDisk
QuickTime
RealPlayer
SoulSeek 157 test 5
SoulSeek Client 156c
Spybot - Search & Destroy 1.3
Viewpoint Media Player
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinMX
WinRAR archiver
WinZip
XviD MPEG-4 Video Codec
ZoneAlarm
OK, did as requested. Log is further below.
Keylog-briss is still being picked up. It happens while Ad-Aware is dredging through my temporary internet files (I scanned after making the suggested changes & rebooting). It's being found at these locations:
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\jao.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\jao.dll
Ad-Aware is also unable to delete some nasties appearing in a mystery folder in my Program Files. C:\Program Files\utspuooo\acwCDAQN.dll and C:\Program Files\utspuooo\acwCDAQN.exe I tried to delete myself but it says access denied.
New hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 6:19:55 PM, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer =
203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network
Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program
Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Keylog-briss is still being picked up. It happens while Ad-Aware is dredging through my temporary internet files (I scanned after making the suggested changes & rebooting). It's being found at these locations:
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\jao.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\jao.dll
Ad-Aware is also unable to delete some nasties appearing in a mystery folder in my Program Files. C:\Program Files\utspuooo\acwCDAQN.dll and C:\Program Files\utspuooo\acwCDAQN.exe I tried to delete myself but it says access denied.
New hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 6:19:55 PM, on 24/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\NetPumper\NetPumperIEProxy.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer =
203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network
Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program
Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi williambj,
That should take care of all the Temporary Internet files.
Go to Online malware scan and submit C:\Program Files\utspuooo\acwCDAQN.exe.
Tell me the result.
Open "Add/Remove Programs" in the Control Panel. Select the following items:
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
QUOTE
OK, did as requested. Log is further below.
Keylog-briss is still being picked up. It happens while Ad-Aware is dredging through my temporary internet files (I scanned after making the suggested changes & rebooting). It's being found at these locations:
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\jao.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\jao.dll
This one is easy. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:Keylog-briss is still being picked up. It happens while Ad-Aware is dredging through my temporary internet files (I scanned after making the suggested changes & rebooting). It's being found at these locations:
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\301367\jao.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\bridge.dll
C:\Documents and Settings\Owner\Local Settings\Temp\AAWTMP\C118280\6AC57\jao.dll
- Temporary Files
- Temporary Internet Files
- Recycle Bin
That should take care of all the Temporary Internet files.
QUOTE
Ad-Aware is also unable to delete some nasties appearing in a mystery folder in my Program Files. C:\Program Files\utspuooo\acwCDAQN.dll and C:\Program Files\utspuooo\acwCDAQN.exe I tried to delete myself but it says access denied.
Go to Online malware scan and submit C:\Program Files\utspuooo\acwCDAQN.exe.
Tell me the result.
Open "Add/Remove Programs" in the Control Panel. Select the following items:
- NetPumper 1.22.0.0
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
QUOTE
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
Do you know what program this is? If not, can you submit that file to Jotti as well.
Thanks again Bobbi! 
The clean-up on the temp files worked a treat so i no longer have that insidious keylog-briss!
However... after running the malware scans as advised, it seems i've uncovered some other critters.
Below are the scan reports for:
[A] C:\Program Files\utspuooo\acwCDAQN.exe
[B] C:\Program Files\tuowrst\vwospvq.exe (from another dodgy neighbouring folder i was worried about); and
[C] C:\Documents and Settings\Owner\Application Data\DateUserMeow\OPTIONDRVHOPE.exe
[A]
AntiVir: Found TR/Spy.Hailport.2
ArcaVir:Found Adware.Commonname.G
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Commonname.B
ClamAV: Found Adware.Comna-2
Dr.Web: Found not a virus Adware.CommonName
F-Prot Antivirus: Found nothing
Fortinet: Found Adware/Commonname.I
Kaspersky Anti-Virus: Found Trojan.Win32.CommonName.b
NOD32: Found a variant of Win32/Adware.CommonName application
Norman Virus Control: Found W32/CommonName.I
UNA: Found nothing
VBA32: Found AdWare.CommonName.i
[B]
AntiVir: Found SPR/CommonName.g
ArcaVir: Found nothing
Avast: Found Win32:Trojano-1476
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Commonname.A
ClamAV: Found nothing
Dr.Web: Found not a virus Adware.CommonName
F-Prot Antivirus: Found nothing
Fortinet: Found Adware/Commonname.I
Kaspersky Anti-Virus: Found Trojan.Win32.CommonName.a
NOD32: Found Win32/Adware.CommonName.A application
Norman Virus Control: Found W32/CommonName.G
UNA: Found Adware.CommonName
VBA32: Found Adware.Win32.CommonName
[C]
AntiVir: Found TR/Dldr.Swizzor.CO
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Swizzor.dm
NOD32: Found probably a variant of Win32/TrojanDownloader.Swizzor (probable variant)
Norman Virus Control: Found Lop.E
UNA: Found nothing
VBA32: Found nothing
The clean-up on the temp files worked a treat so i no longer have that insidious keylog-briss!
However... after running the malware scans as advised, it seems i've uncovered some other critters.
Below are the scan reports for:
[A] C:\Program Files\utspuooo\acwCDAQN.exe
[B] C:\Program Files\tuowrst\vwospvq.exe (from another dodgy neighbouring folder i was worried about); and
[C] C:\Documents and Settings\Owner\Application Data\DateUserMeow\OPTIONDRVHOPE.exe
[A]
AntiVir: Found TR/Spy.Hailport.2
ArcaVir:Found Adware.Commonname.G
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Commonname.B
ClamAV: Found Adware.Comna-2
Dr.Web: Found not a virus Adware.CommonName
F-Prot Antivirus: Found nothing
Fortinet: Found Adware/Commonname.I
Kaspersky Anti-Virus: Found Trojan.Win32.CommonName.b
NOD32: Found a variant of Win32/Adware.CommonName application
Norman Virus Control: Found W32/CommonName.I
UNA: Found nothing
VBA32: Found AdWare.CommonName.i
[B]
AntiVir: Found SPR/CommonName.g
ArcaVir: Found nothing
Avast: Found Win32:Trojano-1476
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Commonname.A
ClamAV: Found nothing
Dr.Web: Found not a virus Adware.CommonName
F-Prot Antivirus: Found nothing
Fortinet: Found Adware/Commonname.I
Kaspersky Anti-Virus: Found Trojan.Win32.CommonName.a
NOD32: Found Win32/Adware.CommonName.A application
Norman Virus Control: Found W32/CommonName.G
UNA: Found Adware.CommonName
VBA32: Found Adware.Win32.CommonName
[C]
AntiVir: Found TR/Dldr.Swizzor.CO
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Trojan-Downloader.Win32.Swizzor.dm
NOD32: Found probably a variant of Win32/TrojanDownloader.Swizzor (probable variant)
Norman Virus Control: Found Lop.E
UNA: Found nothing
VBA32: Found nothing
Hi williambj,
Can you restart your computer into safe mode and delete these folders:
C:\Program Files\utspuooo
C:\Program Files\tuowrst
C:\Documents and Settings\Owner\Application Data\DateUserMeow
Now.... let's see if there are other files hiding from us. Save Silent Runners.vbs to your desktop and double click on it to run. This will make a file called something like "Startup Programs (UserName) DateTime.txt". Double click on it, so it'll open in Notepad. Post the text here.
Can you also post a log from HijackThis.
Can you restart your computer into safe mode and delete these folders:
C:\Program Files\utspuooo
C:\Program Files\tuowrst
C:\Documents and Settings\Owner\Application Data\DateUserMeow
Now.... let's see if there are other files hiding from us. Save Silent Runners.vbs to your desktop and double click on it to run. This will make a file called something like "Startup Programs (UserName) DateTime.txt". Double click on it, so it'll open in Notepad. Post the text here.
Can you also post a log from HijackThis.
I was able to delete tuowrst and DateUserMeow while in safe mode but not utspuooo. BUGGER!! - as they say in my country. 
The specific error message reads: Cannot delete acwCDAQN.dll Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.
fyi, soon after starting up my PC, I always get a ZoneAlarm alert asking for acwCDAQN.exe to access the internet to which i reply no.
The complete contents of \utspuooo are:
acwCDAQN.dll
acwCDAQN.exe
cnml.exe
dfs.dat
exit.dat
profile.dat
After rebooting normally, I ran the scans as suggested. Results below.
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Nurb 16" = "C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"GSICONEXE" = "GSICON.EXE" ["D-Link"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"(Default)" = """ = (data in unrecognized format!)" [file not found]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"msnappau" = ""C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe"" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"mode locks gpl jugs" = "C:\Documents and Settings\All Users\Application Data\activenewmodelocks\Regs does.exe" [null data]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{EA588C8B-066E-4220-91D5-F921AA603DF4}" = "NOMAD MuVoShell Hook"
-> {CLSID}\InProcServer32\(Default) = "MuVoh.dll" ["Creative Technology Ltd."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" ["Raxco Software, Inc."], [file not found], [MS], [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\DropStuff\ShllExtn.Dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\DropStuff\ShllExtn.Dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
Enabled Scheduled Tasks:
------------------------
"A0A38C5D91840B45" -> launches: "c:\docume~1\owner\applic~1\dateus~1\Scr beep pure.exe" [file not found]
"Auto-scheduled task of Free Registry Fix" -> launches: "C:\Program Files\Free Registry Fix\regfix.exe /run" ["Promosoft Corp."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "ninemsn" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"" ["Network Associates, Inc."]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"" ["Network Associates, Inc."]
PDEngine, PDEngine, "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe" [empty string]
PDScheduler, PDSched, "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" [empty string]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 55 seconds, including 18 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 9:27:42 PM, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer =
203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network
Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program
Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
The specific error message reads: Cannot delete acwCDAQN.dll Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.
fyi, soon after starting up my PC, I always get a ZoneAlarm alert asking for acwCDAQN.exe to access the internet to which i reply no.
The complete contents of \utspuooo are:
acwCDAQN.dll
acwCDAQN.exe
cnml.exe
dfs.dat
exit.dat
profile.dat
After rebooting normally, I ran the scans as suggested. Results below.
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Nurb 16" = "C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"GSICONEXE" = "GSICON.EXE" ["D-Link"]
"iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"(Default)" = """ = (data in unrecognized format!)" [file not found]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"msnappau" = ""C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe"" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" ["Sun Microsystems, Inc."]
"mode locks gpl jugs" = "C:\Documents and Settings\All Users\Application Data\activenewmodelocks\Regs does.exe" [null data]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = "ST" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{EA588C8B-066E-4220-91D5-F921AA603DF4}" = "NOMAD MuVoShell Hook"
-> {CLSID}\InProcServer32\(Default) = "MuVoh.dll" ["Creative Technology Ltd."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" ["Raxco Software, Inc."], [file not found], [MS], [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\DropStuff\ShllExtn.Dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
DropStuff Context Menu\(Default) = "{2e336dc0-54f8-11d1-abd5-447270537466}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Aladdin Systems\DropStuff\ShllExtn.Dll" ["Aladdin Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
Enabled Scheduled Tasks:
------------------------
"A0A38C5D91840B45" -> launches: "c:\docume~1\owner\applic~1\dateus~1\Scr beep pure.exe" [file not found]
"Auto-scheduled task of Free Registry Fix" -> launches: "C:\Program Files\Free Registry Fix\regfix.exe /run" ["Promosoft Corp."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "ninemsn" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVSync Manager, AvSynMgr, ""C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"" ["Network Associates, Inc."]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
McShield, McShield, ""C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"" ["Network Associates, Inc."]
PDEngine, PDEngine, "C:\Program Files\Raxco\PerfectDisk\PDEngine.exe" [empty string]
PDScheduler, PDSched, "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" [empty string]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 55 seconds, including 18 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 9:27:42 PM, on 27/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN
Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
-osboot
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat
5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer =
203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network
Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network
Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program
Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi williambj,
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Run HijackThis, click on "Scan" and check the boxes next to all these items.
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".
Restart your computer in Safe Mode. How do I Safe Boot my computer?
Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
Delete the following files in red (it could be that they are deleted already):
C:\Windows\Tasks\A0A38C5D91840B45.job
Delete the following folders in red (it could be that they are deleted already):
c:\Documents And Settings\owner\Application Data\dateus~1 <-- probably gone, but check anyway ;)
C:\Documents and Settings\All Users\Application Data\activenewmodelocks
Restart your computer and post a new log in this thread.
Please enable everything you have turned off in 'System Configuration Utility' (MSConfig.exe). This way your system will not hide any potential malware and hijackers. What I cannot see, I cannot fix!
Reboot and post a fresh log. Afterwards you can turn off everything you had turned off. Do NOT restart your computer while everything is turned on
Can you delete any of the files in c:\utspuooo now?
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
QUOTE
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
Locate fixme.reg on your Desktop and double-click on it. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Run HijackThis, click on "Scan" and check the boxes next to all these items.
O4 - HKCU\..\Run: [Nurb 16] C:\DOCUME~1\Owner\APPLIC~1\DATEUS~1\OPTIONDRVHOPE.exe
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".
Restart your computer in Safe Mode. How do I Safe Boot my computer?
Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.
Folders and files with a tilde (~), means that there is a file/folder that starts with the six characters in front of the tilde, note that there may be spaces in the name. If there are more than one, please report them back and do not delete!
Delete the following files in red (it could be that they are deleted already):
C:\Windows\Tasks\A0A38C5D91840B45.job
Delete the following folders in red (it could be that they are deleted already):
c:\Documents And Settings\owner\Application Data\dateus~1 <-- probably gone, but check anyway ;)
C:\Documents and Settings\All Users\Application Data\activenewmodelocks
Restart your computer and post a new log in this thread.
Please enable everything you have turned off in 'System Configuration Utility' (MSConfig.exe). This way your system will not hide any potential malware and hijackers. What I cannot see, I cannot fix!
Reboot and post a fresh log. Afterwards you can turn off everything you had turned off. Do NOT restart your computer while everything is turned on
Can you delete any of the files in c:\utspuooo now?
Hi Bobbi. Thanks again for persevering with my viral soul!
So i did the fixme.reg thing + the fix in hijackthis which all went ok.
On rebooting in safe mode all the files mentioned were gone except activenewmodelocks folder which I got rid of. I appeared to have already had everything enabled in System Configuration Utility - I think. How do I tell? Everything was checked. Log is below. After rebooting I still couldn't exorcise utspuooo. NOOOOOOO!!!! :furious:
As for tilde files, there was mainly a swag of temp files in :\Documents and Settings\Owner\Local Settings\Temp - eg, ~DF3850.tmp
Otherwise there was:
A~NSISU_.EXE-345A3321.pf
MIXIDL~1.EXE-36AC34E7.pf
REGSDO~1.EXE-0A34B9CE.pf
[in C:\WINDOWS\Prefetch]
DistId~l.ock
[in C:\Program Files\Adobe\Acrobat 5.0\Distillr\Tmp]
~$Normal.dot
[in C:\Documents and Settings\Owner\Application Data\Microsoft\Templates]
[after 1st reboot]
Logfile of HijackThis v1.99.1
Scan saved at 9:36:26 PM, on 29/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[after 2nd reboot]
Logfile of HijackThis v1.99.1
Scan saved at 9:46:00 PM, on 29/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
So i did the fixme.reg thing + the fix in hijackthis which all went ok.
On rebooting in safe mode all the files mentioned were gone except activenewmodelocks folder which I got rid of. I appeared to have already had everything enabled in System Configuration Utility - I think. How do I tell? Everything was checked. Log is below. After rebooting I still couldn't exorcise utspuooo. NOOOOOOO!!!! :furious:
As for tilde files, there was mainly a swag of temp files in :\Documents and Settings\Owner\Local Settings\Temp - eg, ~DF3850.tmp
Otherwise there was:
A~NSISU_.EXE-345A3321.pf
MIXIDL~1.EXE-36AC34E7.pf
REGSDO~1.EXE-0A34B9CE.pf
[in C:\WINDOWS\Prefetch]
DistId~l.ock
[in C:\Program Files\Adobe\Acrobat 5.0\Distillr\Tmp]
~$Normal.dot
[in C:\Documents and Settings\Owner\Application Data\Microsoft\Templates]
[after 1st reboot]
Logfile of HijackThis v1.99.1
Scan saved at 9:36:26 PM, on 29/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[after 2nd reboot]
Logfile of HijackThis v1.99.1
Scan saved at 9:46:00 PM, on 29/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\utspuooo\acwCDAQN.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-au\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zonealarm.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77389A98-F2E4-4B29-A243-8903C981EBBB}: NameServer = 203.12.160.35,203.12.160.36
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: PDEngine - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Unknown owner - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hi williambj,
Well, we're making some headway! Everything is gone from the log. WEe just have to worry about the utspuooo folder.
Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". In the list of process select "C:\PROGRA~1\utspuooo\acwCDAQN.exe" and click on "Kill process". Answer yes and the process should be terminated. Open explorer and go to the folder and delete it.
Is it gone?
Well, we're making some headway! Everything is gone from the log. WEe just have to worry about the utspuooo folder.
Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". In the list of process select "C:\PROGRA~1\utspuooo\acwCDAQN.exe" and click on "Kill process". Answer yes and the process should be terminated. Open explorer and go to the folder and delete it.
Is it gone?
I'm getting warmer, I can sense it......
I killed the process. But I couldn't kill the folder!
I did have a couple of programs open while doing so - i assume this wouldnt make a difference. I'll try deleting again when I next reboot.
I noticed I can delete 2 of the .dat files in there but not profile.dat, the .dll and the 2 .exes.
I killed the process. But I couldn't kill the folder!
I did have a couple of programs open while doing so - i assume this wouldnt make a difference. I'll try deleting again when I next reboot.
I noticed I can delete 2 of the .dat files in there but not profile.dat, the .dll and the 2 .exes.
Can you also try this in Safe Mode? Can you rename the files in the folder?
Nope. Tried to delete & rename in safe mode but it just won't die!
The folder can be renamed but none of the contents can.
The folder can be renamed but none of the contents can.
Ok.... You can rename the folder. Some more experiments in Safe Mode. Can you move the folder. In that case the permissions would change. Making it possible for you to remove...
OK well that leaves me with one final problem: i'm an idiot.
I feel really stupid for not doing that in the first place.
Thanks Bobbi for exorcising all my demons! Another case closed. :thumb:
I feel really stupid for not doing that in the first place.
Thanks Bobbi for exorcising all my demons! Another case closed. :thumb:
Hey williambj,
I gather everything is all right now?
This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.
Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.
This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2
Please post back if you are still having any problems....
I gather everything is all right now?
This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.
Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protects your computer.
This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2
Please post back if you are still having any problems....
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.