
Invisible Files - this one's pure nuts!

Discussion in 'Virus & Other Malware Removal' started by ulrichburke, Nov 1, 2007.

Thread Status:
Not open for further replies.
  1. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear Anyone.

    Got a comp. with a 19 gig hard drive. Windows XP Pro, Avast, ZoneAlarm on board. About a month back, the hard-drive developed a 12-gig 'black hole' - I added up the size of ALL the folders/files I could find and there was 12 gig unaccounted for, quite a bite out of 19 gigs! So someone told me about Avant Fix-It Utilities 8 Pro, which I bought from their website.

    When I checked the hard-drive with it, it found, hiding in the FONTS folder of all things, an absolute STACK of movies, software, zip/rar files, all sorts!! I didn't know about any of them, but it was obvious that's what the 'black hole' was - all those mysterious files. But - Windows Search - the doggie in the START part - can't find 'em. And Avant tells me they're locked to another program - it doesn't say what the other program IS, which doesn't help - and it can't delete them! If it means anything, they're all the same size, 113K. But there's LOADS of 'em!

    How the hell do I get rid of them - and HOW the hell did they get there in the first place? There's 3 James Bond movies, all the Need for Speed games, all sorts - if I could access them I'd dump 'em on a DVD before deleting them, but I can't, I can only find them with Avant! And Avant won't let me do anything with them. I've got Limewire now, but I didn't have Limewire a month back which is when I noticed the black hole, so they can't have been dumped on me by a Limewire user.

    Any ideas!?!

    Chris (ulrichburke on site)
     
  2. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    It sounds like your PC has been infiltrated, and is now being used as a server to distribute these files.

    Download, install and run HiJackThis.
    Run the scan and save log.
    When the LOG file opens in NotePad, select all, copy
    Then return here, Post a Reply to this thread, and paste the contents for review.
     
  3. wtxcowboy

    wtxcowboy

    Joined:
    May 25, 2004
    Messages:
    1,243
    Have you tried doing anything with them in safe mode?
     
  4. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear WhitPhil.

    Here's the HijackThis log for you - I've got a strong feeling that if my computer was a person right now, it would be Typhoid Mary!!

    Incidentally, your link to HijackThis doesn't work. But I found it on www.download.com and used it from there.

    Hoping you spot something interesting here!

    Chris.

    Logfile of HijackThis v1.99.1
    Scan saved at 23:33:31, on 10/31/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\pqlukvgw.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\VM305_STI.EXE
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\WinAble\winable.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Photolightning\autodetect.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\limewire\limewire.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\CHRISB~1\LOCALS~1\Temp\Rar$EX01.563\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.icrfast.com/index.php?rvs=hompag
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iipafthj.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [ecd70405] rundll32.exe "C:\WINDOWS\system32\jpvbumhb.dll",b
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f268aa65b82a4764adedf5cb5beced76
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f268aa65b82a4764adedf5cb5beced76
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {80B38492-FB56-4B0E-ABDD-8B14EB05F9A7} - http://www.directxtras.com/speaksforitself/download/mstts_mary.cab
    O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself/download/mstts_sam.cab
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
    O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself/download/mstts_mike.cab
    O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0E62681-FC9A-48A6-B8ED-A7C6001250E9}: NameServer = 212.139.132.27 212.139.132.26
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0012D08.dat
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\pqlukvgw.exe
    O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
     
  5. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Thanks for letting me know that the site had changed its links.
    Unfortunately, Download.com is an old version.

    Go to Trend's site and install and run this version and post back the log again.

    And, yes, you have some "strange ones" active. I've asked that a Gold Shield check out the log.
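A small triage script, added here as an example (it is not code from the thread, from HijackThis or from Tech Support Guy), that runs the kind of checks a reviewer applies to the log above: the sample lines are copied from that log, and the four rules (a core Windows binary such as svchost.exe running outside its system directory, random-looking filenames in autostart or service entries, any AppInit_DLLs value, and a service with no vendor string) are my own heuristics, not HijackThis's.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not a HijackThis or Tech Support Guy tool.
The sample lines below are copied from the log posted above; the four rules
are my own heuristics and only point a human reviewer at entries worth a look.
"""
import re

# Core Windows binaries and the single directory each one should run from.
EXPECTED_DIR = {
    "smss.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "svchost.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
}

# Constructed sample: a subset of the lines from the posted log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\pqlukvgw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [ecd70405] rundll32.exe "C:\WINDOWS\system32\jpvbumhb.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0012D08.dat
O23 - Service: DomainService - - C:\WINDOWS\system32\pqlukvgw.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# First drive-letter path in an entry, quoted or not, ending in a binary extension.
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll|dat))', re.IGNORECASE)
# HijackThis prints services as "name - company - path"; the company may be empty.
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>.+)$')


def first_path(text):
    """Return the first drive-letter path in an entry, or None (e.g. a bare 'soundman.exe')."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def split_path(path):
    """Lower-cased (directory with trailing backslash, basename) pair."""
    directory, _, base = path.lower().rpartition("\\")
    return directory + "\\", base


def looks_random(base):
    """Crude check for dropper-style names (pqlukvgw, jpvbumhb): 7+ letters, no digits, few vowels."""
    stem = base.rsplit(".", 1)[0]
    if len(stem) < 7 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    return vowels / len(stem) < 0.25


def triage(log_text):
    """Return a list of (rule, offending line) tuples for a human to review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        path = first_path(line) if line else None
        if path is None:
            continue
        directory, base = split_path(path)
        # Rule 1: a core Windows binary running from the wrong directory (C:\WINDOWS\Fonts\svchost.exe).
        if base in EXPECTED_DIR and directory != EXPECTED_DIR[base]:
            findings.append(("system-binary-outside-system-dir", line))
        # Rule 2: autostart (O4), AppInit (O20) and service (O23) entries pointing at random-looking names.
        if line.startswith(("O4 ", "O20 ", "O23 ")) and base not in EXPECTED_DIR and looks_random(base):
            findings.append(("random-looking-name", line))
        # Rule 3: AppInit_DLLs is injected into every process that loads user32; any value deserves a look.
        if line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("appinit-dll-set", line))
        # Rule 4: a service that carries no vendor string at all.
        m = O23_RE.match(line)
        if m and not m.group("company").strip():
            findings.append(("service-without-vendor", line))
    return findings


if __name__ == "__main__":
    for rule, entry in triage(SAMPLE_LOG):
        print(f"{rule:34} {entry}")
```

Rule 2 is deliberately limited to autostart and service entries; applied to the whole process list it would also flag legitimate short names such as wscntfy.exe.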
     
  6. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear WhitPhil.

    That's me I'm afraid - if anything's gonna get me it will never be anything nice and commonplace. It will always be a virus from Venus! The probs increase - I've now got something called 'Bestseller Antivirus' trying to install itself every 5 minutes or so. I don't believe it's an antivirus, I believe it's some kind of Trojan trying to make out it's an antivirus. It keeps trying to make an 'Installing...' box happen, but ZoneAlarm is keeping it out. Just.

    I made the pratheaded mistake of installing Limewire to search for one piece of software I wanted. Now Add/Remove programs thinks I've only got 4 pieces of software installed, Photoshop, Context Tool (which I've never heard of and can't remove), PlayMP3z, WinAble and Windows Live Toolbar. In Internet Explorer, which I'm not using - I'm using Firefox right now - something called Security Toolbar 7.1 has appeared from nowhere - I never installed it - and because it's not showing up in Add/Remove programs, I don't know how to delete it. I can hide it, sure, but I can't get rid of it. And IE7 windows purporting to be from LIVE Safety Centre are proliferating like rabbits - I don't believe they're anything to do with Microsoft because the actual address in the address bar is www.savetheinformation.com/v2/?gaga...421&air=hamm_h5_pop&lir=pop_1&afr=hamm_15003_ecd704aa%20DF9EDFD5EB0D40BC897066AC4299C421 - they've obviously never heard of the site TINY URL!!

    I wish Microsoft would get the bugs out of IE for once and for all.

    Right. For starters, as I can't use add/remove programs right now - I THINK all my software still exists, when you click on Start/All Programs it all seems to be there and working - how do I get rid of Limewire? Or how do I stop it from starting up all the time whether I want to use it or not? Right now, if I go into the Programs folder, I can select stuff but I can't move it or delete it by pressing the DELETE button - nothing happens if I try to do so. And I can't drag'n'drop folders from there into the Recycle bin any more.

    How do I get rid of this Bestseller joke? It's well-and-truly got control of IE - can't even close the windows it's constantly creating! (If you right-click on the group and choose 'Close Group', it just does the No-Can-Do 'Gonk' sound.) But choosing Close Group DOES seem to hold the number of windows created to 15. For a while.

    Ah, well. Here's the updated Trend HijackThis readout - I hope you can spot something in it.

    Thanks in advance

    Chris.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:35, on 11/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\pqlukvgw.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\VM305_STI.EXE
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\winupdates\winupdates.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\WinAble\winable.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Photolightning\autodetect.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\limewire\limewire.exe
    C:\Documents and Settings\Chris Burke\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.icrfast.com/index.php?rvs=hompag
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iipafthj.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [ecd70405] rundll32.exe "C:\WINDOWS\system32\jpvbumhb.dll",b
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f268aa65b82a4764adedf5cb5beced76
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f268aa65b82a4764adedf5cb5beced76
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {80B38492-FB56-4B0E-ABDD-8B14EB05F9A7} - http://www.directxtras.com/speaksforitself/download/mstts_mary.cab
    O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself/download/mstts_sam.cab
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
    O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself/download/mstts_mike.cab
    O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0E62681-FC9A-48A6-B8ED-A7C6001250E9}: NameServer = 212.139.132.27 212.139.132.26
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0012D08.dat
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\pqlukvgw.exe
    O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O24 - Desktop Component 0: (no name) - http://person.com/images/personal/215/283215/3.1147262889.jpeg

    --
    End of file - 11671 bytes

    P.S. 'Hijack This' has a 'Fix Checked Items' option - can you suggest which items I choose to be fixed?
     
  7. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear WhitPhil.

    And yes, the James Bond movies/other weird zipfiles are STILL there, Windows STILL can't find them (so I can't delete them) and Avant STILL says they're 'locked', so can't be deleted (whatever that means!)

    Ah, well. Here's the updated Trend HijackThis readout - I hope you can spot something in it

    Thanks in advance

    Chris.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:12:35, on 11/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\pqlukvgw.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\VM305_STI.EXE
    C:\WINDOWS\Fonts\svchost.exe
    C:\WINDOWS\mrofinu1188.exe
    C:\Program Files\outlook\outlook.exe
    C:\Program Files\winupdates\winupdates.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\WinAble\winable.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Photolightning\autodetect.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\limewire\limewire.exe
    C:\Documents and Settings\Chris Burke\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://english.icrfast.com/index.php?rvs=hompag
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iipafthj.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1184390527\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
    O4 - HKLM\..\Run: [ecd70405] rundll32.exe "C:\WINDOWS\system32\jpvbumhb.dll",b
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Autodetect.lnk = C:\Program Files\Photolightning\autodetect.exe
    O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f268aa65b82a4764adedf5cb5beced76
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f268aa65b82a4764adedf5cb5beced76
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\program files\adsgone\adsgone (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\SCRABBLE\Images\stg_drm.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O16 - DPF: {80B38492-FB56-4B0E-ABDD-8B14EB05F9A7} - http://www.directxtras.com/speaksforitself/download/mstts_mary.cab
    O16 - DPF: {975390A5-CD67-4C07-8F00-934D23824E0F} - http://www.directxtras.com/speaksforitself/download/mstts_sam.cab
    O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\SCRABBLE\Images\armhelper.ocx
    O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself/download/mstts_mike.cab
    O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B0E62681-FC9A-48A6-B8ED-A7C6001250E9}: NameServer = 212.139.132.27 212.139.132.26
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0012D08.dat
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: .NET Runtime Optimization Service v2.0.50727_X86 (clr_optimization_v2.0.50727_32) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)
    O23 - Service: DomainService - - C:\WINDOWS\system32\pqlukvgw.exe
    O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Gizmo VoIP Service (Gizmo Plugin) - SIPphone, Inc. - C:\Program Files\GizmoPlugin\GizmoPlugin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
    O24 - Desktop Component 0: (no name) - http://person.com/images/personal/215/283215/3.1147262889.jpeg

    --
    End of file - 11671 bytes

    P.S. 'Hijack This' has a 'Fix Checked Items' option - can you suggest which items I choose to be fixed?
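    What a helper does with a log like the one above is look for a few structural tells before worrying about names: a svchost.exe that is not in System32, executables sitting directly in C:\WINDOWS or the Fonts folder, a Run entry that hands a DLL to rundll32.exe, anything in AppInit_DLLs, services with no publisher, and DNS servers that need checking against the ISP's. The script below is an added example written for this thread; it is not HijackThis code and not part of any post. The sample lines are copied from the log above; the rules, the small allowlist and the wording of the reasons are my assumptions, and they produce candidates for review rather than verdicts (soundman.exe also legitimately lives in C:\WINDOWS, so expect a few false positives).

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example, not HijackThis code. Rules are an analyst's assumptions about
what to check first on a Windows XP host; output is a review list, not a verdict.
"""
import ntpath
import re

WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"
WINDIR_ROOT_ALLOW = {"explorer.exe"}  # assumed allowlist for %WINDIR% itself

# First Windows path on a line, cut at a binary-looking extension.
PATH_RE = re.compile(r"([a-z]:\\.*?\.(?:exe|dll|dat|ocx))\b", re.I)
HEX_BLOB_RE = re.compile(r"\s[0-9A-F]{32,}\b")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<company>.*?)\s*- (?P<path>[a-z]:\\.*)$", re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<dns>.*)$")


def first_path(line):
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def location_findings(path):
    """Rules that depend only on where a binary sits on disk."""
    folder, base = ntpath.split(path.lower())
    hits = []
    if base == "svchost.exe" and folder != SYSTEM32:
        hits.append("svchost.exe outside System32 (impostor of the service host)")
    if folder in (WINDIR, WINDIR + r"\fonts") and base.endswith(".exe") \
            and base not in WINDIR_ROOT_ALLOW:
        hits.append("executable dropped directly into %WINDIR% or the Fonts folder")
    return hits


def triage(log_text):
    """Return [(reason, log_line), ...] for entries worth a closer look."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " - " not in line:  # e.g. "Running processes:"
            section = line[:-1].lower()
            continue
        is_process = section == "running processes" and line[1:3] == ":\\"
        is_entry = re.match(r"^[RFO]\d+ - ", line) is not None
        if not (is_process or is_entry):
            continue
        path = first_path(line)
        low = line.lower()
        if path and (is_process or line.startswith(("O3", "O4", "O20", "O23"))):
            for why in location_findings(path):
                findings.append((why, line))
        if line.startswith("O4") and "rundll32.exe" in low and path \
                and path.lower().startswith(SYSTEM32):
            findings.append(("Run entry loads a System32 DLL through rundll32.exe", line))
        if line.startswith("O4") and HEX_BLOB_RE.search(line):
            findings.append(("Run entry passes a long hex token on the command line", line))
        if line.startswith("O3") and path and ntpath.dirname(path.lower()) == SYSTEM32:
            findings.append(("toolbar DLL in System32 instead of Program Files", line))
        if line.startswith("O20 - AppInit_DLLs:") and path:
            findings.append(("AppInit_DLLs set: loaded into every process that maps user32.dll", line))
        m = O23_RE.match(line)
        if m and m.group("company").strip() in ("", "Unknown owner"):
            findings.append(("service with no publisher: " + m.group("name"), line))
        m = O17_RE.match(line)
        if m:
            findings.append(("DNS servers " + m.group("dns") + ": confirm they are the ISP's", line))
    return findings


# Excerpt of the log posted in this thread (copied lines, subset only).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\pqlukvgw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\mrofinu1188.exe

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iipafthj.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1188.exe 61A847B5BBF72813339330466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [ecd70405] rundll32.exe "C:\WINDOWS\system32\jpvbumhb.dll",b
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0E62681-FC9A-48A6-B8ED-A7C6001250E9}: NameServer = 212.139.132.27 212.139.132.26
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0012D08.dat
O23 - Service: DomainService - - C:\WINDOWS\system32\pqlukvgw.exe
O23 - Service: Fix-It Task Manager - Avanquest Software USA, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
"""

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(reason, "<-", entry)
```

    Run it with the full log pasted into SAMPLE_LOG and it prints one line per hit; a hit means "look at this", and the proper next step for each is what the helper does in the rest of the thread: identify the file, back it up, then remove it with a tool that handles the locked copies.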
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    You have Navipromo as a result of installing the scumware Messenger Skinner.

    Please download Navilog1 by IL-MAFIOSO:
    http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
    • Extract its contents to the desktop.
    • Double click on navilog1.exe to install it on your computer.
    • When the installation is complete, the tool will start automatically.
    • If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
    • Press E for English from the language Menu.
    • Type 1 in the next Menu to select Search and press Enter.
    • Wait for the Scan to finish (It may take a reasonable amount of time)
    • Press any key as requested .
    • A new document will be produced: fixnavi.txt.
    • Please copy/paste the contents of this report in your next reply.
    The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    There will be a lot more to do as well, with several other bad infections there that we will deal with after Navipromo.
     
  10. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear Sir.

    Here follows the FixNavi report for you.

    As well as the James Bond films, I now have an absolute TON of invisible stuff on my hard drive - all zipfiles of software, videos, TV series, games. As before, Windows cannot see it, only Fix-It utilities can see the zipfiles. And Fix-It can't delete the files because it says they're 'locked'! (There's some films in the list I'd love to have, if only I could see them, but if I can't make 'em visible I'd rather get rid of them and have my hard drive back!) Unfortunately, Fix-It doesn't move files, it only sees them and deletes them.

    I promise I will donate to your Hedgehog Sanctuary to thank you for getting me through this lot. I LOVE hedgehogs, though I've only ever seen one in real life once, briefly, near an old flat of mine. I'd love to see another one, I'd love even more to hold one, they're such lovely, mild-mannered, unassuming little creatures. Can you donate via Postal Order - I'm unemployed and haven't got a card, but I can send a Postal Order somewhere (they're instantaneous, cheques have to be ratified and waited for, I prefer using P.O's, or International Money orders if you're abroad, I forgot you mightn't live in England!)

    Here's the readout. In the DOS window, there was a sudden appearance of a MASSIVE amount of hexadecimal but I couldn't copy it to show it to you, so here's the readout as-is.

    Search Navipromo version 3.3.4 began on Thu 11/01/2007 at 19:50:55.98

    !!! Warning, this report may include legitimate files/programs !!!
    !!! Post this report on the forum you are being helped !!!
    !!! Don't continue with removal unless instructed by an authorized helper !!!
    Fix running from C:\Program Files\navilog1
    Updated on 02.11.2007 at 12h00 by IL-MAFIOSO

    Microsoft Windows XP [Version 5.1.2600]
    Version Internet Explorer : 6.0.2900.2180

    Done in normal mode

    *** Searching for installed Software ***




    *** Search folders in C:\WINDOWS ***



    *** Search folders in C:\Program Files ***

    C:\Program Files\MessengerSkinner found !


    *** Search folders in C:\Documents and Settings\All Users\Application Data ***




    *** Search folders in C:\Documents and Settings\Chris Burke\Application Data ***

    ...\Application Data\MessengerSkinner found !

    *** Search folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***


    *** Search with Catchme-rootkit/stealth malware detector by gmer ***
    for more info : http://www.gmer.net

    No file found in :

    - C:\WINDOWS\system32
    - C:\DOCUME~1\CHRISB~1\LOCALS~1\APPLIC~1



    *** Search with GenericNaviSearch ***
    !!! Possibility of legitimate files in the result !!!
    !!! Must always be checked before manually deleting !!!

    * Scan in C:\WINDOWS\system32 *

    * Scan in C:\DOCUME~1\CHRISB~1\LOCALS~1\APPLIC~1 *



    *** Search files ***


    C:\WINDOWS\pack.epk found !
    C:\WINDOWS\system32\nvs2.inf found !
    C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-0EE2A110.pf found !


    *** Search specific Registry keys ***


    *** Complementary Search ***
    (Search specific files)

    1)Search known files:
    C:\WINDOWS\system32\ttvwa.ini2 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak1 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak2 found ! Possible Vundo infection, not cleaned with this tool !

    2)Heuristic Search :

    C:\WINDOWS\system32\fdsrphfdus.dat found !
    C:\WINDOWS\system32\fdsrphfdus_nav.dat found !


    3)Certificates Search :

    Egroup certificate found !


    *** Search completed on Thu 11/01/2007 at 19:58:06.04 ***

    Hope this helps!

    Chris.

    P.S. I know I probably shouldn't ask this, but if you know any way of making those zip-files visible so I could stick them on CD/DVD before deleting 'em.... If that's immoral, feel free not to tell me, I'll just delete them and get my hard drive space back when you tell me how to do that.
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    we will attempt to sort out your hidden files afterwards

    next stage

    Double-click on Navilog1 shortcut on your Desktop
    • On main menu, choose 4
    • You will be asked to type the name of the malware file.
    • Please enter the following text in bold (nothing else)

      fdsrphfdus
    • You will be asked to re-enter the name. Please do so.
    • The tool will then advise you that it will restart your computer.
    • Save your open documents, if any, and close all windows.
    • Press any key as requested.
    • If your computer doesn't restart automatically, restart it manually.
    • Choose your usual session if necessary.
    • Wait for the *** Cleaning stage complete! ….*** message (Please be patient. It may take a reasonable amount of time).
    • A new notepad document will be produced.
    • Please save the document and copy/paste the contents of this report in your next reply.
    • Your desktop will now appear.

    Note : In the event you lose your desktop, press CTRL+ALT+Delete to bring up the Task Manager. Then, click on "Process" tab. Click on File and choose "Run" Explorer.

    You have Vundo as well, so we will need to clear that and whatever else we find after we deal with Messenger Skinner & Navipromo.
     
  12. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear dvk01.

    That Navilog is one great piece of kit - HUGE respect to the French guy who wrote it. Top virus/malware removal tool - but I'm glad you're taking me through things in stages because it's a naked scalpel, you really have to know what you're doing with it.

    Anyway, here's the report generated after performing the requested actions:-


    Navipromo Removal version 3.3.4 started on Fri 11/02/2007 at 4:19:13.18

    Fix running from C:\Program Files\navilog1
    Updated on 02.11.2007 at 12h00 by IL-MAFIOSO


    Microsoft Windows XP [Version 5.1.2600]
    Internet Explorer : 6.0.2900.2180


    Manual Removal

    Typed filename : fdsrphfdus

    *** Searching, making backups and deleting files ***

    * Deletion in C:\WINDOWS\system32 *

    fdsrphfdus.dat found !
    Copy fdsrphfdus.dat done !
    fdsrphfdus.dat deleted !

    fdsrphfdus_nav.dat found !
    Copy fdsrphfdus_nav.dat done !
    fdsrphfdus_nav.dat deleted !

    fdsrphfdus_navps.dat found !
    Copy fdsrphfdus_navps.dat done !
    fdsrphfdus_navps.dat deleted !

    C:\WINDOWS\prefetch\fdsrphfdus*.pf found !
    Copy C:\WINDOWS\prefetch\fdsrphfdus*.pf done !
    C:\WINDOWS\prefetch\fdsrphfdus*.pf deleted !

    * Deletion in C:\DOCUME~1\CHRISB~1\LOCALS~1\APPLIC~1 *


    *** Deleting folders in C:\WINDOWS ***


    *** Deleting folders in C:\Program Files ***

    C:\Program Files\MessengerSkinner ...deleting...
    C:\Program Files\MessengerSkinner deleted !


    *** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


    *** Deleting folders in C:\Documents and Settings\Chris Burke\Application Data ***

    ...\Application Data\MessengerSkinner ...deleting...
    ...\Application Data\MessengerSkinner deleted !


    *** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***



    *** Deleting files ***

    C:\WINDOWS\pack.epk deleted !
    C:\WINDOWS\system32\nvs2.inf deleted !
    C:\WINDOWS\prefetch\MESSENGERSKINNER.EXE-0EE2A110.pf deleted !

    *** Deleting temporary files ***

    Cleaning of C:\WINDOWS\Temp done !
    Cleaning of C:\Documents and Settings\Chris Burke\Local Settings\Temp done !

    *** Complementary Search ***
    (Search specific files)

    1)Search known files:

    C:\WINDOWS\system32\ttvwa.ini2 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak1 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak2 found ! Possible Vundo infection, not cleaned with this tool !

    2)Heuristic search and deletion with backups :

    C:\WINDOWS\System32\cmddvuu.dat found !
    Copy C:\WINDOWS\system32\cmddvuu.dat done !
    C:\WINDOWS\system32\cmddvuu.dat deleted !

    C:\WINDOWS\System32\cmddvuu_nav.dat found !
    Copy C:\WINDOWS\system32\cmddvuu_nav.dat done !
    C:\WINDOWS\system32\cmddvuu_nav.dat deleted !


    *** Copy Registry to Backupnavi folder ***

    Backing up Registry done !

    *** Cleaning Registry ***

    Registry cleaned


    *** Certificates ***

    Egroup Certificate deleted !

    *** Suspicious Files not deleted by Navilog1 ***
    !! Possible legitimate file(s), must be checked before deleting !!

    C:\WINDOWS\system32\ceyyaqhep.exe found !
    C:\WINDOWS\system32\cmddvuu.exe found !
    C:\WINDOWS\system32\cmddvuu_navps.dat found !

    *** Cleaning stage complete on Fri 11/02/2007 at 4:28:11.59 ***

    Now for Step 2!

    Yours respectfully

    Chris.
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    It looks like it didn't get all the Navipromo.

    Let's try the automatic fix, as it looks like an extra version has installed itself.


    Option #3:

    Double-click on Navilog1 shortcut on your Desktop
    • On main menu, choose 3
    • Follow the instructions and wait.
    • The tool will then advise you that it will restart your computer.
    • Save your open documents, if any, and close all windows.
    • Press any key as requested.
    • If your computer doesn't restart automatically, restart it manually.
    • Choose your usual session if necessary.
    • Wait for the *** Cleaning stage complete! ….*** message (Please be patient. It may take a reasonable amount of time).
    • A new notepad document will be produced.
    • Please save the document and copy/paste the contents of this report in your next reply.
    • Your desktop will now appear.

    Note : In the event you lose your desktop, press CTRL+ALT+Delete to bring up the Task Manager. Then, click on "Process" tab. Click on File and choose "Run" Explorer.
     
  14. ulrichburke

    ulrichburke Thread Starter

    Joined:
    Jun 25, 2007
    Messages:
    45
    Dear dvk01

    I chose Option 3 with Navilog, as per your instructions, and got the following log at the end:

    Navipromo Removal version 3.3.4 started on Fri 11/02/2007 at 12:13:35.10

    Fix running from C:\Program Files\navilog1
    Updated on 02.11.2007 at 12h00 by IL-MAFIOSO


    Microsoft Windows XP [Version 5.1.2600]
    Internet Explorer : 6.0.2900.2180

    Automatic removal
    without Catchme and GNS results



    *** Deleting folders in C:\WINDOWS ***


    *** Deleting folders in C:\Program Files ***


    *** Deleting folders in C:\Documents and Settings\All Users\Application Data ***


    *** Deleting folders in C:\Documents and Settings\Chris Burke\Application Data ***


    *** Deleting folders in C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS ***



    *** Deleting files ***

    C:\WINDOWS\system32\nvs2.inf deleted !

    *** Deleting temporary files ***

    Cleaning of C:\WINDOWS\Temp done !
    Cleaning of C:\Documents and Settings\Chris Burke\Local Settings\Temp done !

    *** Complementary Search ***
    (Search specific files)

    1)Search known files:

    C:\WINDOWS\system32\ttvwa.ini2 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak1 found ! Possible Vundo infection, not cleaned with this tool !
    C:\WINDOWS\system32\ttvwa.bak2 found ! Possible Vundo infection, not cleaned with this tool !

    2)Heuristic search and deletion with backups :


    *** Copy Registry to Backupnavi folder ***

    Backing up Registry done !

    *** Cleaning Registry ***

    Registry cleaned

    *** Certificates ***

    Egroup Certificate not found !

    *** Suspicious Files not deleted by Navilog1 ***
    !! Possible legitimate file(s), must be checked before deleting !!

    C:\WINDOWS\system32\ceyyaqhep.exe found !
    C:\WINDOWS\system32\cmddvuu.exe found !
    C:\WINDOWS\system32\cmddvuu.dat found !
    C:\WINDOWS\system32\cmddvuu_navps.dat found !

    *** Cleaning stage complete on Fri 11/02/2007 at 12:18:51.90 ***

    Got a new thing that's started happening. The 'Windows Installer' yellow box keeps flashing up, saying 'Preparing to Install....'. But it doesn't say what it's preparing to install, so it's obviously nothing good! It never gets as far as actually installing anything, though.

    I now have Norton Security running - yeah, look who shut the stable door after the horse bolted, I'm in full agreement with you....!! So that's prob. what's stopping the installation happening, right?

    Looking forwards to your next instructions. The poor hard drive is so clogged with mysterious zipfiles that Windows can't see that it's taking ages to do ANYTHING now, but because Navilog uses (the supposedly non-existent) DOS, it's nice and fast.

    Any ideas - I know you're still in 'virus cleaning' mode - how to make the zipfiles visible so I can save them to DVD and then delete them, or just scrub them from the drive if all else fails? I'm seriously a tad worried about the state of the hard-drive, don't want the darned thing failing on me before it's de-virused! The operation was successful but the patient died, sort of thing, y'know!

    Yours with respect

    Chris.
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    It is still showing there.

    Run it again with option 2, please.
     
Short URL to this thread: https://techguy.org/646563