Posts posted by mfisher
Reopened per User Request
Hi Matt,
Thanks for re-opening this topic. There has been no re-occurrence of the problem, but I've followed your instructions (somewhat belatedly) as requested. However, I was unable to remove the file c:\program files\common files\system\ms1src.exe as it didn't seem to exist. I did the rest of the stuff though, no probs. Here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 07:49:55 PM, on 04/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-
Hi Matt,
Thanks for taking over from Danny; I really appreciate it. What you got me to do seemed to solve the problem - for now anyway, but I'll post the logs in case there is anything else you think I should do. Things like this sometimes seem to re-appear.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 06:59:16 PM, 16/03/2006
+ Report-Checksum: 4823F11
+ Scan result:
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring -> Adware.NaviPromo : Cleaned with backup
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring\CLSID -> Adware.NaviPromo : Cleaned with backup
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring.1 -> Adware.NaviPromo : Cleaned with backup
HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft -> Adware.SafeSearch : Cleaned with backup
HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft\qsearch -> Adware.SafeSearch : Cleaned with backup
[1284] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE -> Adware.Gator : Cleaned with backup
[1360] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE -> Adware.Gator : Cleaned with backup
C:\!KillBox\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup
C:\HJT\backups\backup-20060301-182840-992.dll -> Downloader.Wintrim.ax : Cleaned with backup
C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\ButterflyOasis.exe -> Adware.GAINNetwork : Cleaned with backup
C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GAppMgr.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GIoclClient.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GMTProxy.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GObjs.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\EGIEProcess.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\gtrawbm.fil -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GUninstaller.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\System\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\system32\ydfyeoui.exe -> Downloader.Dluca : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 07:06:33 PM, on 16/03/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
-
Hi Danny,
Here are the log files you requested. Thanks again for all your help.
Cheers,
Matt
Logfile of HijackThis v1.99.1
Scan saved at 07:40:46 PM, on 01/03/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\common files\system\ms1src.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Incident Status Location
Adware:Adware/Gator Not disinfected C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
Adware:Adware/Gator Not disinfected C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
Spyware:Spyware/Dluca Not disinfected C:\program files\common files\system\ms1src.exe
Adware:Adware/Gator Not disinfected C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
Adware:Adware/Gator Not disinfected C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
Adware:adware/navipromo Not disinfected C:\WINNT\SYSTEM32\Mservice.dll
Adware:adware/dluxde Not disinfected C:\PROGRAM FILES\linksw
Potentially unwanted tool:application/regclean32 Not disinfected C:\PROGRAM FILES\Registry Cleaner Trial
Adware:adware/gator Not disinfected C:\PROGRAM FILES\COMMON FILES\GMT
Spyware:spyware/dluca Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Dialer:dialer.b Not disinfected HKEY_CLASSES_ROOT\Interface\{F8ACA5A0-060A-478A-8368-1407780D2251}
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt
Spyware:Spyware/Dluca Not disinfected C:\!KillBox\ms1src.exe
Possible Virus. Not disinfected C:\!KillBox\xau.exe
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\scottg@belnk[2].txt
Dialer:Dialer.Gen Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\dia6.exe
Dialer:Dialer.CE Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\netslv32.inf
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_124.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_208.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_21C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_26C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_384.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_398.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3B0.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3C8.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3D4.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3EC.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F0.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_418.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_424.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_444.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_45C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_464.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_470.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_478.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_484.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_488.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_504.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_50C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_510.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_514.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_518.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_51C.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_528.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_52C.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_534.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_538.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_53C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_540.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_544.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_548.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_54C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_550.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_554.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_558.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_55C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_560.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_564.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_568.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_56C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_570.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_574.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_578.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_57C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_580.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_584.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_588.tmp
Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_58C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_590.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_594.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_598.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_59C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A4.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5AC.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B0.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B4.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5BC.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C0.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5CC.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D4.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5E8.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_608.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_60C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_62C.tmp
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ss596.exe
Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\wnk8cf.exe
Possible Virus. Not disinfected C:\Documents and Settings\Administrator\My Documents\Merrijig\blondes_au.exe
Adware:Adware/SLAgent Not disinfected C:\HJT\backups\backup-20060301-182840-992.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\HJT\backups\backup-20060301-182841-421.inf
Adware:Adware/Gator Not disinfected C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\CMEIIAPI.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GAppMgr.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GController.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GDwldEng.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIocl.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIoclClient.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GMTProxy.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GObjs.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStore.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStoreServer.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\Gtools.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGGCEngine.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\egIEEngine.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGIEProcess.dll
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\GatorStubSetup.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\GMT.exe
Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\gtrawbm.fil
Spyware:Spyware/Dluca Not disinfected C:\Program Files\Common Files\System\ms1src.exe
Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\wclmaeyq.exe
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xkaruswm.exe
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xnsdbgke.exe
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\ycjeqxlk.exe
Spyware:Spyware/Dluca Not disinfected C:\WINNT\system32\ydfyeoui.exe
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\yrgwzhrl.exe
Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\zvfcerla.exe
-
Hi Danny,
Thanks for your quick reply. I followed your instructions but when I ran the vbs script it didn't give me the prompts you talked about. All I could see it do was create a file on the desktop called runnow.txt which I have pasted below.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"xau"="c:\\winnt\\system32\\xau.exe /nocomm"
"DSLAGENTEXE"="C:\\Program Files\\AAPT\\Adsl\\dslagent.exe"
"Cddrv32"="c:\\winnt\\system32\\cddrv32.exe"
"BO1HelperStartUp"="C:\\PROGRA~1\\BUTTER~1\\BO1HEL~1.EXE /partner BO1"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AQ3HelperStartUp"="C:\\PROGRA~1\\AQUATI~1\\AQ3HEL~1.EXE /partner AQ3"
"ms1src"="c:\\program files\\common files\\system\\ms1src.exe /install"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"OWSYPHAQ"="c:\\winnt\\system32\\owsyphaq.exe /install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Anyhoo I pressed on with your instructions and got the following HiJackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 06:58:43 PM, on 21/02/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\winnt\system32\xau.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\program files\common files\system\ms1src.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install
O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
What now? Thanks again for your help - I really appreciate it.
-
Hi,
I've never done this before so I hope I'm in the right place. I'm yet another person trying to remove sweepstakes.com with no luck so far. I have run HiJackThis and the log file is below. Can anyone help??? I'm desperate!
Logfile of HijackThis v1.99.1
Scan saved at 12:39:56 PM, on 18/02/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\winnt\system32\xau.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\program files\common files\system\ms1src.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\winnt\system32\owsyphaq.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install
O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Thanks....
Another Sweepstakes.com Question [RESOLVED]
in Malware Removal
Posted
Thanks for all your help Matt, the computer is now so much easier to use. I'll pass on your suggestions to the main users of the computer and hopefully nothing like this happens again.
Cheers!