Malware Removal & HijackThis Logs

12-Apr-2005, 08:50 PM
#1
Hi Tech Guys! Last week I started having browser problems: couldn't launch from email links, IE seemed to hang, etc. Soon after, my AV scanner (PC-cillin) started reporting a virus BKDR_SMAL.AI which it could not clean or quarantine! The identified file was c:/windows/system32/req.dat. Then I started searching the web for a solution and came across some threads in TechGuy. I followed the suggestion in one of the threads which involved deleting the file with KillBox and removing the registry entries with HJT. Eventually, success!! However, I am still having occasional problems. Below is a current HJT log. I suspect the BHO MSevents which I have noticed in a number of HJT logs in other threads about similar browsing problems. I have tried a number of times to delete the DLL file with KillBox without success. If I delete the registry entries with HJT, they just re-appear within seconds. Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 10:48:24 AM, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ike\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
12-Apr-2005, 10:47 PM
#2
Hi,

Save these directions somehow: copy and paste to a Notepad text file and save on desktop, or print out.

Turn off SpyBot's TeaTimer before making the changes needed; it can prevent those: Open Spybot>Tools>Resident. Look in "Resident Protection Status" and you'll see boxes to select/deselect TeaTimer.

I want you to scan the entire system at the sites below. Panda will let you save a Report when it finishes; do that, the file is called activescan.txt. Save to desktop, copy and paste the contents of it into your next reply; we will need to see what is fixed or not.
http://www.pandasoftware.com/actives..._principal.htm
http://housecall.antivirus.com/housecall/start_corp.asp
Be sure to use the AUTOCLEAN setting checkbox, and scan all hard (data) drives.

You might find that the scans remove those infected files; if so, just post a new log. OR, in your next scan with HJT, if these or parts of them are still showing, fix the items and delete the files:

Run Hijackthis again, put checks next to these items, then click "Fix checked":
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll

Set these settings to see hidden/system files:

Navigate to the folders shown that hold the files listed at the ends of lines below, and delete the files:
C:\WINDOWS\system32\export\webjava.dll
C:\Windows\RUNXMLPL.exe

Restart, run scans with antispyware, antivirus that you have and post a brand new HJT log made after all is done.

__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site
TSG Library
TSG's Welcome Guide - Tips, Rules, How to use TSG and more!
Last edited by Byteman : 12-Apr-2005 10:54 PM.
12-Apr-2005, 11:41 PM
#3
Hi Byteman

Just to add to what's already been said... Yup, it's the same problem we've got right now in this other current thread http://forums.techguy.org/t351228.html I've tried almost everything to get rid of it, but the pest still persists. Though I haven't given up yet.

As Byteman says, these are the equivalent bad entries in your log:
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll

These entries (possibly related, possibly not) also need fixing:
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe

A Google search on RUNXMLPL.EXE doesn't yield much info, but these were the few results which stood out (mainly because most of the others weren't in English):
http://castlecops.com/postp281584.html
http://www.cybertechhelp.com/forums/...&mode=threaded

The BHO/Winlogon and Req.dat items are definitely the Vundo trojan, but it looks like a new variant that the removal tool can't detect. This new variant is embedding itself into the winlogon process, which makes it a lot trickier to remove, and also restarts itself whenever it's terminated, and re-enables itself at shutdown/restart whenever it's been removed (or attempted to be removed). The BHO and Winlogon dll name varies according to the different combination of the two sets of three letters (see Symantec article for details), and the file is always dropped in an already existing legit subfolder in Windows\System32. MSEvents Object and REQ.DAT are the common denominators. I also tried to clean up with the BKDR_SMALL.AI info gathered from the Trend Micro site, and then some, but that also failed in txgrl1977's case, heh.

Hang on in there, and hopefully flrman1, byteman, me or someone else will come up with a fix. You seem to have made more headway than txgrl1977 so far, because you've managed to successfully get rid of req.dat, so you may now also be able to kill the rest of it. Stay tuned...

_________________________
Last edited by The_Egg : 13-Apr-2005 12:12 AM.
12-Apr-2005, 11:57 PM
#4
Hi Egg... gee, in the two or three threads I read about it, it looked soooo easy!!!!!!! They did not report all the trouble that other poster is seeing... maybe those posts I read were from an older variant; this stuff is not getting any easier! Thanks for the input...
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
13-Apr-2005, 05:17 AM
#5
The only way to delete these pests with a winlogon entry is to use killbox & delete on reboot. Winlogon loads the file before windows starts, so it can't be deleted any other way. You MUST delete the file before attempting to fix the entries in HJT, as they have a registry protection in the file that detects the registry being altered & immediately reinstalls the registry entries, as well as that keeps the file in place.

So for this one:

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

Now run killbox and paste the FIRST ONE of these lines into the box, select delete on reboot & then press the red X button; say yes to the prompt but NO to reboot now. Then continue to paste the lines in in turn and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply.

C:\WINDOWS\system32\export\webjava.dll
C:\Windows\RUNXMLPL.exe

Then on killbox top bar press tools and then empty temp files and follow those prompts and say yes to everything, then reboot and fix the entries mentioned in hjt.

Then please post a hjt log taken in normal mode and then one taken in safe mode. I want to compare them.
__________________
Derek
Microsoft MVP/Windows - Security
Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
13-Apr-2005, 07:23 AM
#7
Also look for a webjava.exe in the same folder as the dll & killbox that along with the others. Vundo have a habit of using a dll & an exe file together in the same folder, and often a duplicate in temp folder. Sometimes the exe file is named in reverse in the temp folder, so for example webjava.dll would have an avajbew.exe file somewhere.

We are still trying to get to grips with one and even though it's spreading we haven't had copies of any of the files yet, so if anybody has any copies we can use them to analyse and see what it drops anywhere. Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies. Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc, and then when all the files are listed in the windows press send to upload the files.
__________________
Derek
Microsoft MVP/Windows - Security
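The two rules of thumb given above (The_Egg's: the bad O2 and O20 entries point at one DLL dropped in an existing System32 subfolder; Derek's: a same-name or reversed-name .exe travels with the DLL) can be applied mechanically to a pasted HJT log. The script below is an added example written for this page, not code from HijackThis or from any of the posters; the sample log lines are a constructed, trimmed copy of entries quoted in the thread, and the rule names and the Finding fields are my own.

```python
"""Triage helper for HijackThis (HJT) logs. Added example for this thread;
not part of HijackThis or of any tool the posters used.

Rules applied:
  * The_Egg: the bad O2 (BHO) and O20 (Winlogon Notify) entries share one
    DLL, dropped into an existing legit subfolder of Windows\\System32.
  * Derek: Vundo pairs the DLL with an .exe of the same name, sometimes
    with the name reversed (webjava.dll -> avajbew.exe), often in temp.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the entries quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# The module path is the last dash-separated field of an O2/O20 entry.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]+?\.(?:dll|exe|ocx))\s*$', re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def parse_entries(log_text):
    """Return (section, body) tuples for every 'Oxx - ...' style entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def module_path(body):
    """Extract the file path an entry points at, or None if there is none."""
    m = PATH_RE.search(body.strip().rstrip('"'))
    return m.group("path") if m else None


def in_system32_subfolder(path):
    """True for ...\\system32\\<sub>\\file, False for a file in system32 itself."""
    parts = path.lower().replace("/", "\\").split("\\")
    if "system32" not in parts:
        return False
    # Components after 'system32': at least one subfolder plus the filename.
    return len(parts) - parts.index("system32") - 1 >= 2


def companion_names(dll_path):
    """The .exe names Derek says to look for: same stem, and stem reversed."""
    stem = dll_path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return {stem + ".exe", stem[::-1] + ".exe"}


def triage(log_text):
    entries = parse_entries(log_text)
    by_sec = {}
    for sec, body in entries:
        p = module_path(body)
        if p:
            by_sec.setdefault(sec, set()).add(p.lower())
    findings = []
    # Rule 1: one DLL registered both as a BHO and as a Winlogon Notify package.
    shared = by_sec.get("O2", set()) & by_sec.get("O20", set())
    for p in sorted(shared):
        findings.append(Finding("O2+O20 share DLL", p,
                                "same module registered as BHO and Winlogon Notify"))
        if in_system32_subfolder(p):
            findings.append(Finding("system32 subfolder", p,
                                    "dropped in a System32 subfolder"))
        # Rule 2: companion executables worth searching the disk for.
        findings.append(Finding("companion exe", p, ", ".join(sorted(companion_names(p)))))
    # Also surface an F2 entry with an empty Shell=, as The_Egg asked to fix.
    for sec, body in entries:
        if sec == "F2" and body.strip().endswith("Shell="):
            findings.append(Finding("F2 empty Shell=", "", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.path} {f.detail}")
```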
13-Apr-2005, 09:35 AM
#8
OK TechGuys, here's where I'm at. Followed the suggestion from dvk01 - sorry to Byteman & "The Egg", dvk01's method looked simpler! Well, this managed to get rid of the RUNXMLPL.exe entry but the others (webjava.dll) are still there! This was not too much of a surprise since when I used KillBox prior to my initial posting I tried "delete on reboot" and then selected "reboot now", KillBox came back with an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!". Seems like this nasty pest knows how to stop itself being removed by this technique. Following are two HJT logs: see what you think guys. Thanks. In the meantime, I guess I'll give the other suggestions a try.

First, after a "normal" restart:

Logfile of HijackThis v1.99.1
Scan saved at 10:55:53 PM, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Ike\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe

Now in "safe mode":

Logfile of HijackThis v1.99.1
Scan saved at 11:01:19 PM, on 13/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ike\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
F2 - REG:system.ini: Shell=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: webjava - C:\WINDOWS\system32\export\webjava.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
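The KillBox error Ike quotes ("PendingFileRenameOperations Registry Data has been Removed by External Process!") can be checked for directly: delete-on-reboot requests are queued by Windows in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, so re-reading that value just before rebooting shows whether the queued deletions survived. The script below is an added example for this page, not KillBox's code or anything the posters used; the function names are my own and SAMPLE_MULTI_SZ is constructed data that stands in for the live value when the script is not run on Windows.

```python
"""Verify which delete-on-reboot requests are still queued. Added example for
this thread; not code from KillBox or from any tool the posters used.

Windows stores delayed moves/deletes in the REG_MULTI_SZ value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
as consecutive source/destination strings. Sources carry the NT prefix
'\\??\\'; an empty destination means 'delete at next boot'; a destination
starting with '!' means 'replace the existing target'. If that value is
emptied before the reboot (what the KillBox message reported), the
scheduled deletions are simply gone.
"""
from typing import List, Optional, Tuple

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(multi_sz: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Turn the raw multi-string into (source, destination) pairs.

    destination is None for a delete, otherwise the Win32 path of the
    target with any leading '!' (replace-existing flag) dropped.
    """
    ops = []
    # Strings come in pairs; a trailing unpaired source is treated as a delete.
    for i in range(0, len(multi_sz), 2):
        src = _strip_nt_prefix(multi_sz[i])
        dst_raw = multi_sz[i + 1] if i + 1 < len(multi_sz) else ""
        dst = _strip_nt_prefix(dst_raw.lstrip("!")) if dst_raw else None
        ops.append((src, dst))
    return ops


def queued_deletes(multi_sz: List[str]) -> set:
    """Lower-cased paths currently scheduled for deletion at next boot."""
    return {src.lower() for src, dst in parse_pending(multi_sz) if dst is None}


def missing_deletes(requested: List[str], multi_sz: List[str]) -> List[str]:
    """Requested delete-on-reboot paths that are no longer in the queue."""
    queued = queued_deletes(multi_sz)
    return [p for p in requested if p.lower() not in queued]


def read_pending_from_registry() -> Optional[List[str]]:
    """Live read on Windows; None on other platforms or if the value is absent."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, PENDING_VALUE)
            return list(value)
    except OSError:
        return None


# Constructed sample: the two files Derek told Ike to queue, but only the
# first request is still present, i.e. the second one has been cleared.
REQUESTED = [r"C:\WINDOWS\system32\export\webjava.dll", r"C:\Windows\RUNXMLPL.exe"]
SAMPLE_MULTI_SZ = [NT_PREFIX + r"C:\WINDOWS\system32\export\webjava.dll", ""]

if __name__ == "__main__":
    live = read_pending_from_registry()
    data = live if live is not None else SAMPLE_MULTI_SZ
    for path in missing_deletes(REQUESTED, data):
        print("no longer queued for deletion:", path)
```

On a live Windows system the comparison can be repeated right before choosing "reboot now"; a request that disappears from the queue without a reboot is the behaviour the error message describes.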
13-Apr-2005, 12:52 PM
#9
OK, look in this folder and see what other files are in there: C:\WINDOWS\system32\export\
It should normally be an empty folder, so any files that are in there are suspect. Copy any you find and send to me please.

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies. Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. If there is more than 1 file then press the more attachments button for each extra file and browse and select etc, and then when all the files are listed in the windows press send to upload the files.

And also do this log for me: download and unzip http://www.diamondcs.com.au/index.php?page=asviewer and double click the asviewer.exe file. Press main and make sure the top 3 items are ticked, press refresh & then save, and copy that log back here.
__________________
Derek
Microsoft MVP/Windows - Security
13-Apr-2005, 06:19 PM
#10
Download registry search from http://www.billsway.com/vbspage/
Unzip it & say yes to any prompts about letting it run. Enter webjava in the box & press go. It will appear to close, but in a while a box will pop up. If it has found the name anywhere in the registry then a text file will open with all details; please post that file back here, or if it says nothing found then let us know.
__________________
Derek
Microsoft MVP/Windows - Security
13-Apr-2005, 08:13 PM
#12
Derek,
Uploaded files to MySpyKiller as requested. Link to posting is: http://www.thespykiller.co.uk/forum/...hp?topic=121.0
ASviewer log follows. Thanks again for your help.
Cheers, Ike.

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Ike@IKE-02, 04-14-2005
c:\windows\system32\config.nt C:\WINDOWS\system32\himem.sys
c:\windows\system.ini [drivers] timer=timer.drv
c:\windows\system.ini [boot]\scrnsave.exe C:\WINDOWS\System32\logon.scr
HKCU\Control Panel\Desktop\scrnsave.exe C:\WINDOWS\System32\logon.scr
HKCR\vbsfile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\ C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ATIModeChange C:\WINDOWS\system32\Ati2mdxx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AGRSMMSG C:\WINDOWS\AGRSMMSG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan C:\WINDOWS\SOUNDMAN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LaunchAp C:\Program Files\Launch Manager\LaunchAp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PowerKey C:\Program Files\Launch Manager\PowerKey.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LManager C:\Program Files\Launch Manager\HotkeyApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CtrlVol C:\Program Files\Launch Manager\CtrlVol.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LMgrOSD C:\Program Files\Launch Manager\OSDCtrl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Wbutton C:\Program Files\Launch Manager\Wbutton.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AS00_Gear511 C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCCClient.exe C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Pop3trap.exe C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\gcasServ C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ C:\WINDOWS\system32\SHELL32.dll C:\WINDOWS\system32\SHELL32.dll C:\WINDOWS\System32\webcheck.dll C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\Ike\Start Menu\Programs\Startup\SpywareGuard.lnk C:\Program Files\SpywareGuard\sgmain.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog 9\Catalog_Entries\ C:\WINDOWS\system32\mswsock.dll C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ C:\WINDOWS\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\ C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\ RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\ C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\ C:\WINDOWS\System32\rundll32.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\ %ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}\ C:\WINDOWS\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\ rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.QuietInstall.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\ %ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\ regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\ C:\WINDOWS\system32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\ rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
HKLM\System\CurrentControlSet\Services\acernbm\ C:\WINDOWS\system32\drivers\acernbm.sys
HKLM\System\CurrentControlSet\Services\AFD\ C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Ati HotKey Poller\ C:\WINDOWS\System32\Ati2evxx.exe
HKLM\System\CurrentControlSet\Services\AudioSrv\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\ C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\DCFS2K\ C:\WINDOWS\system32\drivers\dcfs2k.sys
HKLM\System\CurrentControlSet\Services\Dhcp\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\ C:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\ C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Fax\ C:\WINDOWS\system32\fxssvc.exe
HKLM\System\CurrentControlSet\Services\helpsvc\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\irda\ C:\WINDOWS\System32\DRIVERS\irda.sys
HKLM\System\CurrentControlSet\Services\Irmon\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\KodakCCS\ C:\WINDOWS\system32\drivers\KodakCCS.exe
HKLM\System\CurrentControlSet\Services\lanmanserver\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\ C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\ C:\WINDOWS\System32\svchost.exe
-k LocalService HKLM\System\CurrentControlSet\Services\osadmi\ C:\WINDOWS\system32\drivers\osadmi.sys HKLM\System\CurrentControlSet\Services\PlugPlay\ C:\WINDOWS\system32\services.exe HKLM\System\CurrentControlSet\Services\PolicyAgent\ C:\WINDOWS\System32\lsass.exe HKLM\System\CurrentControlSet\Services\ProtectedStorage\ C:\WINDOWS\system32\lsass.exe HKLM\System\CurrentControlSet\Services\RpcSs\ C:\WINDOWS\system32\svchost -k rpcss HKLM\System\CurrentControlSet\Services\SamSs\ C:\WINDOWS\system32\lsass.exe HKLM\System\CurrentControlSet\Services\Schedule\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\seclogon\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\SENS\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\SharedAccess\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\ShellHWDetection\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Spooler\ C:\WINDOWS\system32\spoolsv.exe HKLM\System\CurrentControlSet\Services\srservice\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\stisvc\ C:\WINDOWS\System32\svchost.exe -k imgsvc HKLM\System\CurrentControlSet\Services\Themes\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Tmfilter\ C:\WINDOWS\System32\drivers\TmXPFlt.sys HKLM\System\CurrentControlSet\Services\Tmntsrv\ C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe HKLM\System\CurrentControlSet\Services\Tmpreflt\ C:\WINDOWS\System32\drivers\Tmpreflt.sys HKLM\System\CurrentControlSet\Services\tmproxy\ C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe HKLM\System\CurrentControlSet\Services\tmtdi\ C:\WINDOWS\System32\Drivers\tmtdi.sys HKLM\System\CurrentControlSet\Services\TrkWks\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\UMWdf\ C:\WINDOWS\System32\wdfmgr.exe 
HKLM\System\CurrentControlSet\Services\uploadmgr\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\Vsapint\ C:\WINDOWS\System32\drivers\Vsapint.sys HKLM\System\CurrentControlSet\Services\W32Time\ C:\WINDOWS\System32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\WebClient\ C:\WINDOWS\System32\svchost.exe -k LocalService HKLM\System\CurrentControlSet\Services\winmgmt\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\wuauserv\ C:\WINDOWS\system32\svchost.exe -k netsvcs HKLM\System\CurrentControlSet\Services\WZCSVC\ C:\WINDOWS\System32\svchost.exe -k netsvcs |
13-Apr-2005, 08:18 PM
#13
After looking inside the file, I don't think it will be as easy as we thought. It looks like it makes 6 backup copies of itself in different locations, and when any one of them is touched it will regenerate the whole lot again. I'm trying to work out what the file names are and where they are likely to be.
__________________
Derek
Microsoft MVP/Windows - Security
Thespykiller | Security & Privacy
I am helping you, please help me by donating to help keep the Hedgehog Rescue Centre running
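Derek's post above describes a component that keeps several backup copies of itself and respawns the set when one copy is touched. The practical consequence is that you want the complete list of copies before deleting any of them, so they can all go in one pass (from a boot CD, or with a delete-on-reboot tool). The script below is an added example, not code from the thread or from Derek: it hashes files under the given roots and reports every file whose bytes match a reference file, comparing sizes first so only same-sized candidates are hashed. The sample tree it builds (a req.dat under a fake system32 plus a few look-alikes) is constructed for the demonstration and does not describe where this particular malware put its copies.

```python
"""Enumerate every on-disk copy of a suspect file by content hash.

Added example for the thread, not the original poster's or Derek's code.
The directory layout built by build_demo_tree() is constructed sample data.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

CHUNK = 1 << 16
# Extension filter is a speed-up and a blind spot: a copy renamed to .tmp or
# .txt is missed. Pass exts=None to hash every same-sized file instead.
DEFAULT_EXTS: Tuple[str, ...] = (".dll", ".exe", ".dat", ".sys")


def sha256_of(path: Path) -> Optional[str]:
    """Hash a file in chunks; return None if it cannot be read (locked, ACL)."""
    h = hashlib.sha256()
    try:
        with path.open("rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()


def find_copies(reference: Path, roots: Iterable[Path],
                exts: Optional[Tuple[str, ...]] = DEFAULT_EXTS) -> List[Path]:
    """Return every regular file under `roots` whose contents equal `reference`.

    The reference file itself is included when it lies under one of the roots,
    so the result is the full set to remove, not just the extra copies.
    """
    target_size = reference.stat().st_size
    target_hash = sha256_of(reference)
    hits: List[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if exts is not None and p.suffix.lower() not in exts:
                    continue
                try:
                    # Cheap size check before the (comparatively) costly hash.
                    if not p.is_file() or p.stat().st_size != target_size:
                        continue
                except OSError:
                    continue
                if sha256_of(p) == target_hash:
                    hits.append(p)
    return sorted(hits)


def build_demo_tree(base: Path) -> Path:
    """Constructed sample: one payload under four names in three folders,
    plus a same-size decoy with different bytes and a copy the extension
    filter would skip. Returns the 'reference' copy (the one AV reported)."""
    payload = b"MZ" + b"\x90" * 510 + b"constructed sample payload"
    decoy_same_size = b"MZ" + b"\x00" * 510 + b"constructed sample payload"
    layout = {
        "system32/req.dat": payload,
        "system32/dllcache/req.dat": payload,
        "Temp/~tmp1.dll": payload,
        "Documents and Settings/Ike/Local Settings/Temp/svc.exe": payload,
        "system32/shell32.dll": decoy_same_size,   # same size, different hash
        "system32/readme.txt": payload,            # skipped by DEFAULT_EXTS
    }
    for rel, data in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return base / "system32" / "req.dat"


def demo(exts: Optional[Tuple[str, ...]] = DEFAULT_EXTS) -> int:
    """Build the sample tree, list the copies found, return how many."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        ref = build_demo_tree(base)
        copies = find_copies(ref, [base], exts=exts)
        for c in copies:
            print(c.relative_to(base))
        return len(copies)


if __name__ == "__main__":
    print(demo(), "copies with the default extension filter")
    print(demo(exts=None), "copies when every file is hashed")
```

On a live infected system the hashing pass should run from a clean boot environment where possible: a watchdog process that regenerates copies when one is touched may also hold them open, and an open-handle read failure (returned here as None) would silently drop a copy from the list.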
13-Apr-2005, 08:24 PM
#14
Which script did you want me to run from billsway.com?