Computer sending out spam without my knowledge
no_snow - New Member - Date Joined Dec 2006 - Total Posts : 9 - Posted 12-25-2006 9:35 (GMT +1)

My ISP provider says my router is sending out spam. Though I don't think it's related, I have had problems with Spoolsvv.exe and ISTbar which I haven't been able to permanently remove. This is my HijackThis file - thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 12:24:16 PM, on 25/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ltmsg.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\OpwareSE2.exe
E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
E:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://globeandmail.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "E:\Program Files\OpwareSE2.exe"
O4 - HKLM\..\Run: [DCOM Server] D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
O4 - HKLM\..\Run: [TELUS Security service] E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [spoolsvv] D:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "E:\WCESCOMM.EXE"
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [0mcamcap] D:\WINDOWS\system32\0mcamcap.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - e:\INetRepl.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127442538449
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tss.unbc.ca/msrdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - http://www.mail.sd57.bc.ca/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - Winlogon Notify: artm_newreg - D:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - D:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - D:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
no_snow - New Member - Date Joined Dec 2006 - Total Posts : 9 - Posted 12-27-2006 12:27 (GMT +1)

Hi and thanks again in advance. I completed the requested scans. With the Killbox program, I got the following comment while trying to delete: "pendingFileRenameOperations Registry Data has been removed by External Process!" I assume one of my security systems would not allow the change to the registry. After looking at the logs, you can tell me if I need to rerun the scans with all of my security systems off. The following are the logs from SUPERAntiSpyware and HijackThis:

1st SUPERAntiSpyware run.

SUPERAntiSpyware Scan Log
Generated 12/26/2006 at 02:48 PM

Application Version : 3.4.1000
Core Rules Database Version : 3143
Trace Rules Database Version: 1159

Scan type : Complete Scan
Total Scan Time : 01:10:56

Memory items scanned : 449
Memory threats detected : 1
Registry items scanned : 6012
Registry threats detected : 15
File items scanned : 49496
File threats detected : 5

Trojan.ARTM/Polymorph
D:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\ARTM_NEW.DLL
D:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\ARTM_NEW.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\artm_newreg#Asynchronous

Trojan.SpoolSVV/32
[spoolsvv] D:\WINDOWS\SYSTEM32\SPOOLSVV.EXE
D:\WINDOWS\SYSTEM32\SPOOLSVV.EXE

Spyware.WebSearch (WinTools/Huntbar)
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.MyWay
D:\Program Files\MyWay

Adware.Tracking Cookie
D:\Documents and Settings\Pete\Cookies\pete@bellglobemediapublishing.122.2o7.txt

Trojan.ClbBt
D:\WINDOWS\COMDLJ32.DLL

Logfile of HijackThis v1.99.1
Scan saved at 3:11:28 PM, on 26/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
E:\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Command Software\dvpapi.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\ltmsg.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\OpwareSE2.exe
E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
D:\WINDOWS\system32\notepad.exe
E:\Program Files\Hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "E:\Program Files\OpwareSE2.exe"
O4 - HKLM\..\Run: [DCOM Server] D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
O4 - HKLM\..\Run: [TELUS Security service] E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - e:\INetRepl.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127442538449
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tss.unbc.ca/msrdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - http://www.mail.sd57.bc.ca/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - D:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
no_snow - New Member - Date Joined Dec 2006 - Total Posts : 9 - Posted 12-27-2006 11:06 (GMT +1)

Thanks again. Here are the Dr Web and HijackThis reports.

Dr Web report
A0273483.exe;D:\System Volume Information\_restore{0C4490BC-4276-471A-AE7E-1DFA95A8E829}\RP1015;Trojan.DownLoader.15764;Deleted.;
A0273484.dll;D:\System Volume Information\_restore{0C4490BC-4276-471A-AE7E-1DFA95A8E829}\RP1015;Trojan.Spambot;Deleted.;

Logfile of HijackThis v1.99.1
Scan saved at 1:57:07 PM, on 27/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
E:\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Command Software\dvpapi.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ltmsg.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\OpwareSE2.exe
E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\Hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "E:\Program Files\OpwareSE2.exe"
O4 - HKLM\..\Run: [DCOM Server] D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
O4 - HKLM\..\Run: [TELUS Security service] E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - e:\INetRepl.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127442538449
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tss.unbc.ca/msrdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - http://www.mail.sd57.bc.ca/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - D:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Touch - Forum Moderator - Date Joined Jun 2004 - Total Posts : 14350 - Posted 12-29-2006 6:26 (GMT +1)

Hi no_snow
Run Hijackthis and place a check beside each of the following. Close all other browser windows except HJT. Click fix checked:
O4 - HKLM\..\Run: [DCOM Server] D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
You may want to print this or save it to notepad as we will go to safe mode.
Restart your PC in Safe mode.
Please set your system to show all files:
Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck Hide file extensions for known file types.
Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm.
Click OK.
Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
Delete-
Files:
D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
Reboot normally
Please download Combofix:
and save to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log and tell how things are running.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to stall/hang.
Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention.
Do not PM me with logfiles. They will be deleted.
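A small triage script for HijackThis O4 (Run key) and O20 (Winlogon Notify) lines like the ones in this thread, added here as an example; it is not HijackThis code or part of the forum's procedure. The sample lines are copied from the first log above, and the heuristics (an executable launched from a Temp directory, a system binary name such as explorer.exe running outside the Windows directory, a near-miss name such as spoolsvv.exe, a Winlogon Notify DLL outside the Windows directory) are my own assumptions chosen to reproduce what the moderator flagged, not a complete ruleset.

```python
"""Triage of HijackThis O4 (Run key) and O20 (Winlogon Notify) lines.

Added example, not part of HijackThis or of the forum's procedure. The
heuristics below are assumptions chosen to reproduce what the moderator
flagged in this thread; they are illustrative, not a complete ruleset.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DCOM Server] D:\DOCUME~1\Pete\LOCALS~1\Temp\explorer.exe
O4 - HKLM\..\Run: [spoolsvv] D:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O20 - Winlogon Notify: artm_newreg - D:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Windows XP system binary names that malware borrows (assumption: a short
# illustrative list, not exhaustive).
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "spoolsv.exe", "csrss.exe", "smss.exe"}
WINDOWS_DIR_MARKERS = ("\\windows\\", "\\winnt\\")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?: \(file missing\))?$")


@dataclass
class Finding:
    kind: str            # "O4" or "O20"
    name: str            # Run value name or Notify subkey name
    path: str            # executable or DLL the entry loads
    reasons: list = field(default_factory=list)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-miss names such as spoolsvv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _exe_from_command(cmd: str) -> str:
    """Return the launched .exe from a Run value (quoted or not, with arguments)."""
    m = re.match(r'\s*"?(.*?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip().strip('"')


def _reasons_for(path: str, kind: str) -> list:
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    has_dir = "\\" in low
    in_windows = any(marker in low for marker in WINDOWS_DIR_MARKERS)
    reasons = []
    if "\\temp\\" in low:
        reasons.append("launched from a Temp directory")
    if base in SYSTEM_BINARIES:
        if has_dir and not in_windows:
            reasons.append(f"system binary name {base} outside the Windows directory")
    else:
        near = sorted(s for s in SYSTEM_BINARIES if _levenshtein(base, s) == 1)
        if near:
            reasons.append(f"name imitates system binary {near[0]}")
    if kind == "O20" and has_dir and not in_windows:
        reasons.append("Winlogon Notify DLL outside the Windows directory")
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O20 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            kind, name, path = "O4", m.group("name"), _exe_from_command(m.group("cmd"))
        else:
            m = O20_RE.match(line)
            if not m:
                continue
            kind, name, path = "O20", m.group("name"), m.group("path")
        reasons = _reasons_for(path, kind)
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.name}] {f.path}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample it reports the DCOM Server, spoolsvv and artm_newreg entries and nothing else; the ibm00001.exe entry shows that path-based heuristics alone miss some of what a human reviewer catches.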
no_snow - New Member - Date Joined Dec 2006 - Total Posts : 9 - Posted 12-30-2006 12:37 (GMT +1)

Hi and thanks again. The logfiles are found below. As I opened my web browser (Firefox) the Windows Installer opened and started installing. As I was not expecting this and I did not have any Windows updates ready to install on my taskbar, I cancelled it. It did not tell me what it was installing. Here are the logfiles.

The Big Cheese - 06-12-29 14:20:31.32 Service Pack 2
ComboFix 06.11.27 - Running from: "D:\Documents and Settings\The Big Cheese\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
D:\Documents and Settings\All Users\Documents\Settings

((((((((((((((((((((((((((((((( Files Created from 2006-11-29 to 2006-12-29 ))))))))))))))))))))))))))))))))))
2006-12-27 13:58 <DIR> dr-h----- D:\Documents and Settings\The Big Cheese\Recent
2006-12-26 13:51 0 --a------ D:\WINDOWS\system32\CMMGR32.EXE
2006-12-26 13:30 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2006-12-26 13:30 <DIR> d-------- D:\Documents and Settings\The Big Cheese\Application Data\SUPERAntiSpyware.com
2006-12-26 13:28 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2006-12-26 13:16 <DIR> d-------- D:\Documents and Settings\The Big Cheese\Application Data\Sun
2006-12-26 11:52 <DIR> d-------- D:\!KillBox
2006-12-25 14:16 <DIR> d-------- D:\Documents and Settings\The Big Cheese\WINDOWS
2006-12-25 14:09 <DIR> d-------- D:\Program Files\AnswerWorks 4.0
2006-12-25 14:06 <DIR> d-------- D:\Documents and Settings\The Big Cheese\Application Data\Autodesk
2006-12-25 14:06 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Autodesk
2006-12-25 13:59 <DIR> d-------- D:\Program Files\Common Files\Autodesk Shared
2006-12-25 13:58 <DIR> d-------- D:\Program Files\Autodesk
2006-12-24 11:32 <DIR> d-------- D:\WINDOWS\system32\ActiveScan
2006-12-23 20:01 <DIR> d-------- D:\Documents and Settings\The Big Cheese\DoctorWeb
2006-12-23 17:31 3,968 --a------ D:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-12-16 14:27 <DIR> d-------- D:\WINDOWS\WBEM
2006-12-16 14:26 <DIR> d-------- D:\WINDOWS\system32\en-US
2006-12-16 14:24 <DIR> d--h-c--- D:\WINDOWS\ie7
2006-12-16 14:21 121,856 --------- D:\WINDOWS\system32\xmllite.dll
2006-12-16 14:19 <DIR> d-------- D:\WINDOWS\network diagnostic
2006-12-05 15:56 <DIR> d-------- D:\Program Files\AviSynth 2.5
2006-12-05 15:55 <DIR> d-------- D:\Program Files\pspvideo9

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-29 12:30 -------- d-------- D:\Program Files\Mozilla Firefox
2006-12-28 12:30 -------- d-------- D:\Program Files\QUICKENW
2006-12-26 13:51 -------- d-------- D:\Program Files\FirstClass
2006-12-26 13:28 -------- d-a------ D:\Program Files\Common Files
2006-12-26 13:24 -------- d-------- D:\Program Files\Java
2006-12-24 13:20 -------- d-------- D:\Program Files\Internet Explorer
2006-12-24 13:17 -------- d-------- D:\Program Files\Common Files\PestPatrol
2006-12-24 13:14 -------- d-------- D:\Program Files\Common Files\Command Software
2006-12-12 21:57 -------- d-------- D:\Program Files\Outlook Express
2006-12-12 21:57 -------- d-------- D:\Program Files\Common Files\System
2006-12-06 22:40 2362184 --a------ D:\WINDOWS\system32\wmvcore.dll
2006-11-24 16:52 -------- d---s---- D:\Documents and Settings\The Big Cheese\Application Data\Microsoft
2006-11-07 21:06 679424 --a------ D:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- D:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- D:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- D:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ D:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ D:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- D:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ D:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ D:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ D:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ D:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ D:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ D:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ D:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ D:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ D:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ D:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ D:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ D:\WINDOWS\system32\msxml4.dll
2006-10-19 05:56 713216 --a------ D:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ D:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ D:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- D:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ D:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ D:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ D:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- D:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- D:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ D:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- D:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ D:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ D:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- D:\WINDOWS\system32\ieapfltr.dll
2006-10-13 04:35 142336 --a------ D:\WINDOWS\system32\nwprovau.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="e:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LTWinModem1"="ltmsg.exe 9"
"SunJavaUpdateSched"="\"D:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"iTunesHelper"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"E:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"OpwareSE2"="\"E:\\Program Files\\OpwareSE2.exe\""
"TELUS Security service"="E:\\Program Files\\Zero Knowledge\\TELUS Security service\\Freedom.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\CTFMON.EXE"
"MSMSGS"="\"D:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-29 14:22:42.63
D:\ComboFix.txt ... 06-12-29 14:22

Logfile of HijackThis v1.99.1
Scan saved at 3:05:02 PM, on 29/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
E:\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Common Files\Command Software\dvpapi.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ltmsg.exe
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\OpwareSE2.exe
E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
E:\Program Files\Hijack\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "E:\Program Files\OpwareSE2.exe"
O4 - HKLM\..\Run: [TELUS Security service] E:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - e:\INetRepl.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - e:\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127442538449
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tss.unbc.ca/msrdp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} - http://www.mail.sd57.bc.ca/ClientDownloads/fcplugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - D:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - D:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14350 Posted 12-30-2006 7:38 (GMT +1) I can't find any suspicious items in the logs. However, I recommend you install antivirus and firewall:
When installed, run a full system scan with AVG antivirus.
Reboot and tell how your computer is behaving now.
Do NOT post your problem in someone else's thread.
Start a new topic so that it may receive proper attention .
Do not PM me with logfiles. They will be deleted
no_snow New Member Date Joined Dec 2006 Total Posts : 9 Posted 12-31-2006 8:14 (GMT +1) Hi and thanks again. I ran the following programs as this is what I have done traditionally.
Spybot, which found: HKEY_LOCAL_MACHINE\SOFTWARE\ISTbar, which it was unable to remove.
Ad-Aware SE, which found: same as Spybot and HKEY_CLASSES_ROOT\.aspfile\persistenth... It said both would be removed on next reboot.
Zero-Knowledge Freedom - Virus Scan (this is part of my subscription service bundled with my internet provider): no files found.
Zero-Knowledge Anti Spyware (again bundled with my internet provider): found Webhancer C:\WINDOWS\Temporary Internet Files\Content.IE5\8tezghij\nwsh-icon.jpg
I then shut down my Zero-Knowledge Firewall, Virus and spyware programs and set up Zone Alarm.
Ran AVG Antivirus, which found Downloader.Generic2.XPT in C:\WINDOWS\SYSTEM\MACROMED\SHOCKWARE 8\Download Exe. and C:\WINDOWS\SYSTEM32\MACROMED\SHOCKWARE 8\Download Exe.
Ran AVG Antispyware, which found ISTbar, which it wasn't able to remove (error while deleting).
The computer is slow responding now - I am trying to adjust the settings of the security software. I have not received any new notification that my computer is sending out spam.
no_snow New Member Date Joined Dec 2006 Total Posts : 9 Posted 12-31-2006 8:32 (GMT +1) Hi again, I also notice in the Windows Task Manager under Processes that "explorer.exe" is always using a small amount of CPU, 1-3%. I only ask because one of the previous cleaning steps was to get rid of an "explorer.exe" file. Is this normal?
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14350 Posted 1-1-2007 10:40 (GMT +1) Download Registrar Registry Manager from here: http://www.resplendence.com/download/reglite.exe
Put it in its own folder. You may want to keep this program. It is an excellent free registry editor.
Copy and paste the following text (in bold) into the address bar, then hit 'Go': HKEY_LOCAL_MACHINE/Software/
Find ISTbar. Right click on it, and select Delete. If you get a confirmation question, respond OK, then close out the program.
Reboot and tell if you've got rid of ISTbar.
If you have explorer.exe open, it is normal.
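The question above about explorer.exe is really "is the explorer.exe that is running the real one?", and the HijackThis log earlier in the thread answers it by showing the process path. The same check can be made directly from PowerShell. This is an added example, not something the moderator posted or a tool the thread recommends; it assumes an elevated PowerShell session on the affected machine and compares each explorer.exe against $env:windir rather than a hard-coded C:\WINDOWS, because on the poster's machine Windows lives on D:.

```powershell
# Added example (not from the thread): verify that every running explorer.exe
# was loaded from the real Windows directory, and that no autorun entry starts
# an explorer.exe from somewhere else (for instance a Temp folder).
$expected = Join-Path $env:windir 'explorer.exe'   # D:\WINDOWS\explorer.exe on the poster's PC

Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.Path        # $null when the path cannot be read
        [pscustomobject]@{
            Id    = $_.Id
            CPU   = [math]::Round($_.CPU, 2)   # total CPU seconds; 1-3% in Task Manager is routine
            Path  = $path
            Legit = ($null -ne $path) -and ($path -ieq $expected)
        }
    } | Format-Table -AutoSize

# The O4 lines in a HijackThis log come from these Run keys. Print any value
# that launches an explorer.exe outside $env:windir so it can be investigated.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip the provider's own metadata properties
        $v = [string]$p.Value
        if ($v -imatch 'explorer\.exe' -and $v -inotmatch [regex]::Escape($env:windir)) {
            "Suspicious autorun: $k\$($p.Name) -> $v"
        }
    }
}
```

A single explorer.exe with Legit = True and a little CPU is the normal desktop shell; a second instance, or one whose Path is under a Temp or Local Settings directory, is what the earlier cleanup step in this thread was about.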
no_snow New Member Date Joined Dec 2006 Total Posts : 9 Posted 1-1-2007 9:40 (GMT +1) Hi and Happy New Year. After reading the warning about Tron, should I be concerned about anything I did that Tron was involved with? In regular start-up mode, the registry manager was unable to remove ISTbar. It gave the response "Access Denied". I tried this with both Spybot running in resident mode and with Spybot shut off. Will it make a difference if I try it in safe mode start-up?
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14350 Posted 1-2-2007 9:43 (GMT +1) No need to be concerned.
Copy and paste the following text (in bold) into the address bar, then hit 'Go': HKEY_LOCAL_MACHINE/Software/
Find ISTbar.
Then try this -
To update the permissions of the registry subkey, follow these steps:
a. Click Start, click Run, type regedit, and then click OK to start Registry Editor.
b. Locate and right-click the registry subkey (ISTbar), and then click Permissions.
c. Under Group or user names, click Administrators.
d. Under Permissions for Administrators, make sure that the Allow check box for the following entries is selected:
• Full Control
• Read
e. Click Apply, and then click OK. See if you can delete ISTbar now.
f. On the File menu, click Exit to quit Registry Editor.
Reboot and tell if it helps.
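The permission repair described in steps a to f can be scripted, which also handles the case the regedit steps miss: a subkey underneath ISTbar with its own restrictive ACL, which is enough on its own to make the delete fail with "Access Denied". The script below is an added example, not the moderator's own instructions or any tool named in the thread. It assumes an elevated PowerShell prompt (PowerShell 2.0 on Windows XP) and uses the .NET RegistryKey and RegistrySecurity classes; the key path HKLM\SOFTWARE\ISTbar is the one reported in this thread.

```powershell
# Added example (not from the thread): take ownership of a registry key and all
# of its subkeys, grant BUILTIN\Administrators Full Control (the same change as
# regedit's Permissions dialog in steps c-d above), then delete the whole tree.
$subKey = 'SOFTWARE\ISTbar'   # path under HKEY_LOCAL_MACHINE, from the thread

$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$hklm   = [Microsoft.Win32.Registry]::LocalMachine

function Repair-KeyAcl {
    param([string]$Path)   # key path relative to HKLM

    # 1. Take ownership. Opening with only the TakeOwnership right succeeds even
    #    when the DACL denies Administrators everything else, provided the caller
    #    is the current owner or holds SeTakeOwnershipPrivilege. A fresh
    #    RegistrySecurity object persists only the owner section we set.
    $key = $hklm.OpenSubKey($Path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "HKLM\$Path not found" }
    $ownerOnly = New-Object System.Security.AccessControl.RegistrySecurity
    $ownerOnly.SetOwner($admins)
    $key.SetAccessControl($ownerOnly)
    $key.Close()

    # 2. As owner we always have WRITE_DAC: drop every existing Allow/Deny entry
    #    for Administrators and add Full Control that inherits to child keys.
    $key = $hklm.OpenSubKey($Path,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
        [System.Security.AccessControl.RegistryRights]::ReadPermissions)
    $acl = $key.GetAccessControl()
    $acl.PurgeAccessRules($admins)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    $key.SetAccessControl($acl)
    $key.Close()

    # 3. Repeat for every subkey; one child with a Deny entry blocks the delete.
    $key = $hklm.OpenSubKey($Path, $true)
    foreach ($child in $key.GetSubKeyNames()) {
        Repair-KeyAcl -Path "$Path\$child"
    }
    $key.Close()
}

Repair-KeyAcl -Path $subKey
Remove-Item -Path "HKLM:\$subKey" -Recurse -Force
if (Test-Path "HKLM:\$subKey") { Write-Warning "HKLM\$subKey still present" }
else { "HKLM\$subKey removed" }
```

If step 1 itself fails with access denied, the key's DACL blocks even the ownership change for the current token; regedit's Advanced > Owner tab (which enables the take-ownership privilege for you) is then the fallback before re-running the script.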
no_snow New Member Date Joined Dec 2006 Total Posts : 9 Posted 1-3-2007 2:32 (GMT +1) Hi, I still got the access denied message. I tried with both a safe mode and a regular boot-up.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14350 Posted 1-3-2007 2:05 (GMT +1) Let's see if Spysweeper can get rid of it; it normally can -
Download Free Trial of Spysweeper
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper.)
You will be prompted to check for updated definitions; please do so. (This may take several minutes.)
Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C". Under What to Sweep, check all of the boxes except Sweep Contents of Compressed Files, and do not Sweep Systemrestore Folder.
Click on Sweep and allow it to fully scan your system. When the sweep has finished, click "Remove". Click "Select All" and then "Next".
Reboot normally, and tell how things are running.
no_snow New Member Date Joined Dec 2006 Total Posts : 9 Posted 1-6-2007 1:35 (GMT +1) Hi, Spysweeper appears to have done the trick. I scanned afterwards with Spybot and it was clean. I then did a full scan with Avi Spyware, which crashed due to being low on virtual memory. I tried to uninstall Spysweeper, and after several attempts, was able to do it in safe mode. I reran Avi Spyware, which gave a clean report. However, the computer is now very slow. The Anti Spyware just shut down due to a runtime error. I assume I am having some kind of conflict with security software. I am currently running:
Spyblaster
Spybot in resident mode
Zone Alarm
Avi Antivirus
Avi Spyware
Any ideas?
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 14350 Posted 1-6-2007 9:30 (GMT +1) If you still have a slow computer, please post a fresh HijackThis log. I can't find conflicts with the above programs.