Harm Posted June 6, 2006

Logfile of HijackThis v1.99.1
Scan saved at 05:20:48, on 06/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\Programs\cwshredder\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147347440437
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC0E7610-6776-4506-93CF-3BAD510A69F6}: NameServer = 62.31.176.39,195.118.53.175
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I posted my problem in another forum and, following the reply there, my problem is as follows:

Hi, I am new here so I am not sure if this is the right place to get help with my little problem. On a daily basis I am getting the same cookies coming up in Ad-Aware and always removing them, but that is not my problem, though it is related I think. Anyway, I was clearing out my temp internet files and found I could not delete this one file, and I would like to get some help to get rid of it if you nice people can. The file is in C:\Documents and Settings\username\Local Settings\Temporary Internet Files and when I try to delete it I get the error noise but no popup saying it is in use or anything like you normally get. I have looked at the properties of the file and noticed part of the name is the same as one of the cookies I mentioned earlier. The file name is [http://spe.atdmt.com/ds/LEAK] but it is not showing as a webpage either in Explorer. So if anyone here is able to help me, or give me info on someone or a place who can, I would be very grateful. Thanks in advance.

Edit: enclosed the file name in brackets as it showed as a link; I do not want anyone else to get infected, but it does not show as a virus when scanned by a few good scanners.
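The log above is a HijackThis 1.99.1 export, and reading several of them by hand across a thread is error-prone. The Python below is an added example written for this page; it is not HijackThis's own code and not something either poster used. It splits a log into the process list and the R/O entries, then pulls out the items a reviewer checks first: O4 autoruns, O2 BHO CLSIDs and the O17 NameServer addresses. The sample input is a constructed subset of the first log in this thread. The `unqualified_autoruns` heuristic (flag O4 commands whose first token is a bare file name rather than an absolute path, because which binary actually runs then depends on the process search order) is the editor's assumption about what is worth checking, not a verdict on any entry here, and the thread itself does not say whose DNS servers the O17 line points at.

```python
import re

# Constructed sample: a subset of the HijackThis 1.99.1 log posted above,
# kept short so the example runs offline. Entry lines are copied verbatim.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 05:20:48, on 06/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC0E7610-6776-4506-93CF-3BAD510A69F6}: NameServer = 62.31.176.39,195.118.53.175
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis finding is "<letter><number> - <body>", e.g. "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# O4 body: "HKLM\..\Run: [ValueName] command line"
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Split a HijackThis log into (running processes, list of {'code', 'body'})."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append({"code": m.group("code"), "body": m.group("body")})
        elif in_procs:
            processes.append(line)
    return processes, entries


def autoruns(entries):
    """O4 entries as (hive, value name, command line) tuples."""
    out = []
    for e in entries:
        if e["code"] == "O4":
            m = RUN_RE.match(e["body"])
            if m:
                out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out


def unqualified_autoruns(entries):
    """Value names of O4 commands whose first token is not an absolute path.

    Editor's heuristic (assumption): a bare name like nwiz.exe is resolved by
    the loader's search order, so the log alone does not prove which file runs.
    """
    flagged = []
    for _hive, name, cmd in autoruns(entries):
        tokens = cmd.split()
        first = tokens[0] if tokens else ""
        qualified = (first.startswith('"') or first.startswith("%")
                     or re.match(r"^[A-Za-z]:\\", first) is not None)
        if not qualified:
            flagged.append(name)
    return flagged


def dns_servers(entries):
    """IPv4 addresses listed on O17 (TCP/IP NameServer) lines, in log order."""
    servers = []
    for e in entries:
        if e["code"] == "O17":
            servers.extend(IPV4_RE.findall(e["body"]))
    return servers


def clsids(entries, code):
    """CLSIDs found on entries of the given section (e.g. 'O2' for BHOs)."""
    found = []
    for e in entries:
        if e["code"] == code:
            m = CLSID_RE.search(e["body"])
            if m:
                found.append(m.group(0))
    return found


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("processes:", len(procs), "entries:", len(ents))
    print("O4 autoruns to verify by path:", unqualified_autoruns(ents))
    print("O17 DNS servers (check against the ISP's):", dns_servers(ents))
    print("O2 BHO CLSIDs:", clsids(ents, "O2"))
```

Run it against a full log by reading the file into `parse_log` instead of `SAMPLE_LOG`. The O17 addresses are the one output that cannot be judged from the log alone: compare them with the DNS servers the ISP actually issues before deciding anything.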
therock247uk Posted June 6, 2006

Please download ewido anti-malware; it is a trial version of the program.
Install ewido anti-malware. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido; there should be an icon on your desktop, double-click it. The program will now go to the main screen.
You will need to update ewido to the latest definition files:
On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido: ewido manual updates
Boot into Safe Mode to do this: keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select Safe Mode.
Open ewido again.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files; click OK.
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report.
Save the report .txt file to your desktop.
Now close ewido anti-malware.
Reboot and post the report ewido made and a new HijackThis log here in a reply.
Harm Posted June 7, 2006

Here are the 2 reports you asked for; ewido found no infections.

Logfile of HijackThis v1.99.1
Scan saved at 03:04:22, on 07/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\My Documents\Programs\cwshredder\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147347440437
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC0E7610-6776-4506-93CF-3BAD510A69F6}: NameServer = 62.31.176.39,195.118.53.175
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

=====================================================================

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on: 03:01:45, 07/06/2006
 + Report-Checksum: 875ADADA

 + Scan result: No infected objects found.

::Report End
therock247uk Posted June 7, 2006

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the ActiveScan report.
Harm Posted June 7, 2006

Hi, I have done both the ATF Cleaner and Panda scan. The Panda scan found nothing, but the file is still there in temp internet files and cannot be deleted. I would like to say thank you for your help so far.

Edited June 7, 2006 by Harm
therock247uk Posted June 8, 2006

Hmm, can you try to delete it with this program: http://www.atribune.org/downloads/KillBox.exe on standard kill; if not, try delete on reboot...
Harm Posted June 8, 2006

Hmmm... Here's the thing: when I try to set the path to the file using Browse, I select the file and hit OK, but the path does not show up in the field, if you understand what I mean, so I am unable to kill it.
therock247uk Posted June 9, 2006

Can you give me the full path to this file?
Harm Posted June 9, 2006

Hi, for some reason I checked today for it and it was gone; the file is no longer on my PC. Weird. I would like to say thanks for all your help with this problem; I will keep an eye on it to see if it returns.
The path was in my first post but here it is again for reference:
C:\Documents and Settings\username\Local Settings\Temporary Internet Files\LEAK*
but when I looked at its properties it was called [http://spe.atdmt.com/ds/LEAK*]
Thanks again for all your help.
Harm
therock247uk Posted June 10, 2006

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.
To run FileFind, please do the following:
- Click on FileFind.exe.
- In the box labeled "Enter the directory to search", enter the drive, e.g. C:\
- In the box labeled "Enter the file to search", enter LEAK* to search for the file(s).
- Now click on the "Find" button.
- Once the utility has found the files click on "Export".
- This will save a text file to your C:\ drive as "Export.txt".
- Double click on Export.txt, then copy and paste this information in your next post.
Matt Posted July 11, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open it.
Topic closed.