Solved: Hijackthis - Can someone read this log?


mike9inch

Thread Starter
Joined
Jul 12, 2005
Messages
189
Would appreciate any "good" advice on what to do having run this log.



Logfile of HijackThis v1.99.1
Scan saved at 14:55:53, on 12/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\xqspgxvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O15 - Trusted Zone: *.zonelabs.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120743126764
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FBDC3B-7EB8-4796-B407-EE8137C2840B}: NameServer = 212.74.112.66 212.74.112.67
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

cheers!
Problems I have: NO dial tone when the modem is dialling - BUT it DOES connect to the internet OK! - so, not a major problem, but irritating, having checked that the settings in XP are OK.
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,156
Hi and welcome to TSG,

You do have a trojan in there so let's do this:

Please download and run the following program(s):

AD-AWARE

Go here and download Ad-Aware SE.

Install the program and launch it.

First, in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

From the main window, click Start then under Select a scan Mode tick Perform full system scan.

Next, deselect Search for negligible risk entries.

Now to perform a scan, click the Next button.

When the scan is finished, mark everything for removal and get rid of it. To do so, right-click in the window and choose "select all" from the drop-down menu, then click Next.

Restart your computer.


SPYBOT SEARCH & DESTROY

Go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning, press Online and Search for Updates.

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.


Ccleaner and Ewido

Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update; click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

Click here for info on how to boot to safe mode if you don't already know how.


Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop.

Start CCleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Restart back into Windows normally now.


Come back here and post a new HijackThis log, as well as the log from the Ewido scan.
 

mike9inch

Thread Starter
Joined
Jul 12, 2005
Messages
189
Hi,
many thanks for your help. I never knew I had so many problems with my laptop! Ewido picked up 19 issues not highlighted by Ad-Aware, Spybot, my AVG antivirus software or ZoneAlarm either!

Please note:

1. Hijacklog shown below
2. Ewido scan log shown below
3. CCleaner run - BUT there is ALSO an "ISSUES" option which I ran "just to see what happened", but I have NOT actioned the "ISSUES" option as you have not asked me to. The point being: can you tell me if I can run it? It looks a useful facility and will clear up the system even more.

MANY thanks for your help - Please let me know what to do next.

Cheers!
Mike
 

mike9inch

Thread Starter
Joined
Jul 12, 2005
Messages
189
Logfile of HijackThis v1.99.1
Scan saved at 19:14:02, on 12/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O15 - Trusted Zone: *.192.com
O15 - Trusted Zone: *.abbeygardensales.co.uk
O15 - Trusted Zone: *.abchomeopathy.com
O15 - Trusted Zone: *.abebooks.co.uk
O15 - Trusted Zone: *.advfn.com
O15 - Trusted Zone: *.adviceonline.co.uk
O15 - Trusted Zone: *.aeg-electrolux.co.uk
O15 - Trusted Zone: *.albanyvintners.com
O15 - Trusted Zone: *.alberon.com
O15 - Trusted Zone: *.alpharooms.com
O15 - Trusted Zone: *.alternativemedicine.com
O15 - Trusted Zone: *.amazon.co.uk
O15 - Trusted Zone: *.andyrace.co.uk
O15 - Trusted Zone: *.annoyances.org
O15 - Trusted Zone: *.aph.com
O15 - Trusted Zone: *.applegarth.biz
O15 - Trusted Zone: *.appliancebargains.co.uk
O15 - Trusted Zone: *.applyonlinenow.com
O15 - Trusted Zone: *.asda.com
O15 - Trusted Zone: *.auctionview.co.uk
O15 - Trusted Zone: *.auto-europe.co.uk
O15 - Trusted Zone: *.autotrader.co.uk
O15 - Trusted Zone: *.baa.com
O15 - Trusted Zone: *.bargainholidays.com
O15 - Trusted Zone: *.be-direct.co.uk
O15 - Trusted Zone: *.bigfoot.com
O15 - Trusted Zone: *.blackcircles.com
O15 - Trusted Zone: *.blackwell-synergy.com
O15 - Trusted Zone: *.blessedherbs.com
O15 - Trusted Zone: *.bloomberg.co.uk
O15 - Trusted Zone: *.bloomberg.com
O15 - Trusted Zone: *.bodychannel.net
O15 - Trusted Zone: *.boilerjuice.com
O15 - Trusted Zone: *.bookryanair.com
O15 - Trusted Zone: *.boschappliances.co.uk
O15 - Trusted Zone: *.british-car-auctions.co.uk
O15 - Trusted Zone: *.britishairways.com
O15 - Trusted Zone: *.britishhairways.com
O15 - Trusted Zone: *.brittanytourism.com
O15 - Trusted Zone: *.bromakin.co.uk
O15 - Trusted Zone: *.btmodemprotection.com
O15 - Trusted Zone: *.butlerscheeses.co.uk
O15 - Trusted Zone: *.bwea.com
O15 - Trusted Zone: *.ca-mapping.co.uk
O15 - Trusted Zone: *.cahoot.co.uk
O15 - Trusted Zone: *.cahoot.com
O15 - Trusted Zone: *.call18866.co.uk
O15 - Trusted Zone: *.call1899.co.uk
O15 - Trusted Zone: *.cantos.com
O15 - Trusted Zone: *.capitalone.co.uk
O15 - Trusted Zone: *.carjet.co.uk
O15 - Trusted Zone: *.carpages.co.uk
O15 - Trusted Zone: *.carrentals.co.uk
O15 - Trusted Zone: *.casasspain.com
O15 - Trusted Zone: *.cbfsms.com
O15 - Trusted Zone: *.cheephotels.co.uk
O15 - Trusted Zone: *.chinesemedicinesampler.com
O15 - Trusted Zone: *.choicesdirect.com
O15 - Trusted Zone: *.ciao.co.uk
O15 - Trusted Zone: *.citicards.co.uk
O15 - Trusted Zone: *.cnbceurope.com
O15 - Trusted Zone: *.co-op-2u.com
O15 - Trusted Zone: *.co-op2u.co.uk
O15 - Trusted Zone: *.co-op2u.com
O15 - Trusted Zone: focus.comdirect.co.uk
O15 - Trusted Zone: http://download.com.com
O15 - Trusted Zone: *.comdirect.co.uk
O15 - Trusted Zone: *.comet.co.uk
O15 - Trusted Zone: http://www.confused.com
O15 - Trusted Zone: *.conran.co.uk
O15 - Trusted Zone: *.conran.com
O15 - Trusted Zone: *.crystalfrance.co.uk
O15 - Trusted Zone: *.cts-online3.co.uk
O15 - Trusted Zone: *.ctshirts.co.uk
O15 - Trusted Zone: *.curezone.com
O15 - Trusted Zone: *.deals4u.co.uk
O15 - Trusted Zone: *.dell.co.uk
O15 - Trusted Zone: *.dell.com
O15 - Trusted Zone: *.diagnose-me.com
O15 - Trusted Zone: *.digicams-uk.com
O15 - Trusted Zone: *.digitaldirectuk.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.dr-schulze.com
O15 - Trusted Zone: *.drclark.com
O15 - Trusted Zone: *.drclarkstore.com
O15 - Trusted Zone: *.ds-roofline.co.uk
O15 - Trusted Zone: *.easyjet.co.uk
O15 - Trusted Zone: *.easyjet.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebigchina.com
O15 - Trusted Zone: *.edenfarms.co.uk
O15 - Trusted Zone: *.efax.com
O15 - Trusted Zone: *.electricfencing.co.uk
O15 - Trusted Zone: *.energyhelpline.com
O15 - Trusted Zone: *.eni.it
O15 - Trusted Zone: *.entitlements.co.uk
O15 - Trusted Zone: *.equalexchange.co.uk
O15 - Trusted Zone: *.espanabreaks.com
O15 - Trusted Zone: *.esure.com
O15 - Trusted Zone: *.ethicalshopper.co.uk
O15 - Trusted Zone: *.euroffice.co.uk
O15 - Trusted Zone: *.ewebcart.com
O15 - Trusted Zone: *.expedia.co.uk
O15 - Trusted Zone: *.ferrovial.com
O15 - Trusted Zone: *.ferrysale.com
O15 - Trusted Zone: *.fidelity.co.uk
O15 - Trusted Zone: *.firetrust.com
O15 - Trusted Zone: *.flavasava.co.uk
O15 - Trusted Zone: *.flybe.com
O15 - Trusted Zone: *.flymonarch.com
O15 - Trusted Zone: *.fool.co.uk
O15 - Trusted Zone: *.fool.com
O15 - Trusted Zone: *.forbes.com
O15 - Trusted Zone: *.fpdsavills.co.uk
O15 - Trusted Zone: *.freetranslation.com
O15 - Trusted Zone: *.frenchconnections.co.uk
O15 - Trusted Zone: *.frenchholidayhomes.com
O15 - Trusted Zone: *.friendsreunited.co.uk
O15 - Trusted Zone: *.frw.co.uk
O15 - Trusted Zone: *.funds-sp.com
O15 - Trusted Zone: *.gamingclubsportsbook.com
O15 - Trusted Zone: *.garthfisher.com
O15 - Trusted Zone: *.gerald-simonds.co.uk
O15 - Trusted Zone: *.getoily.com
O15 - Trusted Zone: *.gite.com
O15 - Trusted Zone: *.gites-de-france.fr
O15 - Trusted Zone: *.goodnessdirect.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.gov.uk
O15 - Trusted Zone: *.gpnotebook.co.uk
O15 - Trusted Zone: *.greenbuildingstore.co.uk
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grovelands.com
O15 - Trusted Zone: *.halifax-online.co.uk
O15 - Trusted Zone: *.healthandyoga.com
O15 - Trusted Zone: *.healthproductsforlife.com
O15 - Trusted Zone: *.hemscott.com
O15 - Trusted Zone: *.herbs-hands-healing.co.uk
O15 - Trusted Zone: *.highernature.co.uk
O15 - Trusted Zone: http://www.hkusb.com
O15 - Trusted Zone: *.holiday-rentals-world.com
O15 - Trusted Zone: *.holidayautos.co.uk
O15 - Trusted Zone: *.holidayextras.co.uk
O15 - Trusted Zone: *.hollandandbarrett.com
O15 - Trusted Zone: *.home.co.uk
O15 - Trusted Zone: *.hotpoint.co.uk
O15 - Trusted Zone: *.icelolly.com
O15 - Trusted Zone: *.idealhealthservices.com
O15 - Trusted Zone: *.indesitcompany.com
O15 - Trusted Zone: *.tesco.insurance.co.uk
O15 - Trusted Zone: *.insureandgo.com
O15 - Trusted Zone: *.intelligentmoney.com
O15 - Trusted Zone: *.interparcel.com
O15 - Trusted Zone: *.invisalign.com
O15 - Trusted Zone: *.jamesvillas.co.uk
O15 - Trusted Zone: *.johnlewis.com
O15 - Trusted Zone: *.keemlaw.co.uk
O15 - Trusted Zone: *.lastminute.com
O15 - Trusted Zone: *.laterooms.com
O15 - Trusted Zone: *.lineone.net
O15 - Trusted Zone: *.liverpoolvictoria.co.uk
O15 - Trusted Zone: *.london2012.org
O15 - Trusted Zone: *.majorgeeks.com
O15 - Trusted Zone: *.map24.com
O15 - Trusted Zone: *.maporama.com
O15 - Trusted Zone: *.mcafee.com
O15 - Trusted Zone: *.menshealth.co.uk
O15 - Trusted Zone: *.mhdewormer.com
O15 - Trusted Zone: *.miele.co.uk
O15 - Trusted Zone: *.moltengold.com
O15 - Trusted Zone: *.moneysavingexpert.com
O15 - Trusted Zone: *.mx2.co.uk
O15 - Trusted Zone: *.mytravel.com
O15 - Trusted Zone: *.mytyres.co.uk
O15 - Trusted Zone: *.nads.co.uk
O15 - Trusted Zone: http://www.nationalrail.co.uk
O15 - Trusted Zone: *.nature.org
O15 - Trusted Zone: *.nectar.com
O15 - Trusted Zone: *.nethouseprices.com
O15 - Trusted Zone: *.next.co.uk
O15 - Trusted Zone: *.nhs.uk
O15 - Trusted Zone: *.nomatica.co.uk
O15 - Trusted Zone: *.nomatica.com
O15 - Trusted Zone: *.npower.com
O15 - Trusted Zone: *.ntl.com
O15 - Trusted Zone: *.ntlfreedom.com
O15 - Trusted Zone: *.ntlworld.com
O15 - Trusted Zone: *.obeynature.com
O15 - Trusted Zone: *.oddschecker.com
O15 - Trusted Zone: *.office-world.co.uk
O15 - Trusted Zone: *.old-maps.co.uk
O15 - Trusted Zone: *.online-secure-reservations.net
O15 - Trusted Zone: *.onlineseafood.co.uk
O15 - Trusted Zone: *.openjet.com
O15 - Trusted Zone: *.opodo.co.uk
O15 - Trusted Zone: *.familyfundtrust.org.uk
O15 - Trusted Zone: *.next.org.uk
O15 - Trusted Zone: *.visionofbritain.org.uk
O15 - Trusted Zone: *.ottobock.co.uk
O15 - Trusted Zone: *.oxyshop.co.uk
O15 - Trusted Zone: *.pacificmediaplc.com
O15 - Trusted Zone: *.page-moy.co.uk
O15 - Trusted Zone: *.panasonic.co.uk
O15 - Trusted Zone: *.parkandsave.co.uk
O15 - Trusted Zone: *.parkaph.co.uk
O15 - Trusted Zone: *.parking4less.co.uk
O15 - Trusted Zone: *.pattersons.co.uk
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pcpitstop.com
O15 - Trusted Zone: *.pcworld.co.uk
O15 - Trusted Zone: *.petertyson.co.uk
O15 - Trusted Zone: *.ph-ion.com
O15 - Trusted Zone: *.pitchcare.com
O15 - Trusted Zone: *.police.uk
O15 - Trusted Zone: *.powerhouse.co.uk
O15 - Trusted Zone: *.prezzybox.com
O15 - Trusted Zone: *.priceline.co.uk
O15 - Trusted Zone: *.priceline.com
O15 - Trusted Zone: *.pricerunner.co.uk
O15 - Trusted Zone: *.qxl.co.uk
O15 - Trusted Zone: *.rac.co.uk
O15 - Trusted Zone: *.realmadrid.com
O15 - Trusted Zone: *.reuters.com
O15 - Trusted Zone: *.royalmail.com
O15 - Trusted Zone: *.rpoints.com
O15 - Trusted Zone: *.ryanair.co.uk
O15 - Trusted Zone: *.ryanair.com
O15 - Trusted Zone: *.sainsburyswine.co.uk
O15 - Trusted Zone: *.satellites.co.uk
O15 - Trusted Zone: *.savapoint.com
O15 - Trusted Zone: *.saveonyourbills.co.uk
O15 - Trusted Zone: *.savills.co.uk
O15 - Trusted Zone: *.scalesontheweb.co.uk
O15 - Trusted Zone: *.scferrybookings.co.uk
O15 - Trusted Zone: *.searchappliance.co.uk
O15 - Trusted Zone: *.seeyoumonday.com
O15 - Trusted Zone: *.seeyoumonday.info
O15 - Trusted Zone: *.sell247.com
O15 - Trusted Zone: *.shirt-press.co.uk
O15 - Trusted Zone: *.shoe-shop.com
O15 - Trusted Zone: *.shopping.com
O15 - Trusted Zone: *.sky.co.uk
O15 - Trusted Zone: *.sky.com
O15 - Trusted Zone: *.skyeurope.com
O15 - Trusted Zone: *.skyscanner.net
O15 - Trusted Zone: http://www.smallholder.co.uk
O15 - Trusted Zone: *.smartmoney.com
O15 - Trusted Zone: *.secure.squaregain.co.uk
O15 - Trusted Zone: *.squaregain.co.uk
O15 - Trusted Zone: *.stigauk.com
O15 - Trusted Zone: *.summerinitaly.com
O15 - Trusted Zone: *.sunrisemedical.com
O15 - Trusted Zone: *.swapeo.com
O15 - Trusted Zone: *.swaphouse.org
O15 - Trusted Zone: *.swopworld.com
O15 - Trusted Zone: *.tdwaterhouse.co.uk
O15 - Trusted Zone: *.tesco.com
O15 - Trusted Zone: *.theaa.com
O15 - Trusted Zone: *.thebbq.co.uk
O15 - Trusted Zone: http://www.thepoultrysite.com
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.thetrainline.com
O15 - Trusted Zone: *.thomsonflights.com
O15 - Trusted Zone: *.thomsonfly.com
O15 - Trusted Zone: *.ticketmaster.co.uk
O15 - Trusted Zone: *.timesonline.co.uk
O15 - Trusted Zone: *.timesonline.com
O15 - Trusted Zone: *.tiscali.co.uk
O15 - Trusted Zone: *.tonycraze.com
O15 - Trusted Zone: *.toolsforhealing.com
O15 - Trusted Zone: *.total-cure.com
O15 - Trusted Zone: *.totaldigital.biz
O15 - Trusted Zone: *.trade-appliances.co.uk
O15 - Trusted Zone: *.travelsupermarket.com
O15 - Trusted Zone: *.ukfoodonline.co.uk
O15 - Trusted Zone: *.ultraframe.co.uk
O15 - Trusted Zone: *.ultraframe.com
O15 - Trusted Zone: *.urlportfolio.com
O15 - Trusted Zone: http://www.velvetenergy.com
O15 - Trusted Zone: *.viamichelin.com
O15 - Trusted Zone: *.villa-vacation.com
O15 - Trusted Zone: *.villaplus.com
O15 - Trusted Zone: *.villarama.com
O15 - Trusted Zone: *.vitaminshoppe.com
O15 - Trusted Zone: *.voovit.com
O15 - Trusted Zone: *.waitrosedirect.co.uk
O15 - Trusted Zone: *.wasteconnect.co.uk
O15 - Trusted Zone: *.wastepoint.co.uk
O15 - Trusted Zone: *.willhill.com
O15 - Trusted Zone: *.worldpay.com
O15 - Trusted Zone: *.uk.wwte4.com
O15 - Trusted Zone: *.xl.com
O15 - Trusted Zone: *.zonelabs.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120743126764
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FBDC3B-7EB8-4796-B407-EE8137C2840B}: NameServer = 212.74.114.193 212.74.112.66
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 

mike9inch

Thread Starter
Joined
Jul 12, 2005
Messages
189
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:56:12, 12/07/2005
+ Report-Checksum: 16542B6F

+ Scan result:

C:\DELL\DellNet Setup\Setup DellNet.exe/Dellnet.exe -> Heuristic.Win32.Dialer : Cleaned with backup
:mozilla.13:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.15:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.18:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.19:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.20:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.21:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.31:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.32:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.44:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.46:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.71:C:\Documents and Settings\martyn\Application Data\Mozilla\Firefox\Profiles\h9j4xxeq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\martyn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\my.class-66076485-3bf7a7d2.class -> TrojanDownloader.Small.aaq : Cleaned with backup
C:\Documents and Settings\martyn\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP272\A0031308.exe -> TrojanDownloader.Small.aaq : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP272\A0031319.exe -> TrojanDownloader.Agent.qq : Cleaned with backup
C:\WINDOWS\SYSTEM32\xqspgxvr.exe -> TrojanDownloader.Agent.qu : Cleaned with backup


::Report End
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,156
I don't recommend that you proceed with the "Issues" part of CCleaner, as you could run into trouble: it may delete some valid things. That's why we don't ask that it be run.

Rescan with HijackThis and have it fix these entries:

O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

Click Here and download Killbox and save it to your desktop but don’t run it yet.



Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)




Then boot to safe mode:


How to restart to safe mode


Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.


C:\WINDOWS\system32\xqspgxvr.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


Reboot normally now and do this:

Click here and download The Hoster. UnZip the file and press Restore Original Hosts and press OK. Exit Program.

Reboot and post another HijackThis log please.
 

mike9inch

Thread Starter
Can I just check with you before going much further?

I am slightly nervous, to say the least, that this may not work or it may screw up my pc even more – hope you can appreciate my anxiety. After all, to the normal user my laptop is working ok at present, and I can’t afford to be without it.

I’m a bit concerned because the first entry you asked me to delete in hijackthis is not there:

O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe

HOWEVER, the next two were there, and I confirm I HAVE deleted these successfully:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)


I have downloaded killbox.

I then booted to safe mode.

I confirm that there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

I confirm that in My Computer, under Tools - Folder Options, View tab, "Show hidden files and folders" is checked.

HOWEVER, I am NERVOUS about unchecking "Hide protected operating system files" and "Hide extensions for known file types". These appear critically important to the system and I am worried what the effect will be.

Moreover, I am not clear about the killbox instructions as I am aware of “xqspgxvr” existing in two locations:

XQSPGXVR.EXE-0F746E39.pf in c/windows/prefetch
XQSPGXVR in c/windows/system32

The killbox instructions though simply refer to one system 32 entry:

“Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\xqspgxvr.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


Could you please clarify what I am to do in killbox? Then, of course, I will have to run the hoster file routines you referred to and another hijackthis log.

I attach an updated hijackthis - updated of course with just the 2 deletions at start of this phase of the repair.
 


Cookiegal

Logfile of HijackThis v1.99.1
Scan saved at 21:57:56, on 12/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\Apoint\Apntex.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/227
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O15 - Trusted Zone: *.192.com
O15 - Trusted Zone: *.abbeygardensales.co.uk
O15 - Trusted Zone: *.abchomeopathy.com
O15 - Trusted Zone: *.abebooks.co.uk
O15 - Trusted Zone: *.advfn.com
O15 - Trusted Zone: *.adviceonline.co.uk
O15 - Trusted Zone: *.aeg-electrolux.co.uk
O15 - Trusted Zone: *.albanyvintners.com
O15 - Trusted Zone: *.alberon.com
O15 - Trusted Zone: *.alpharooms.com
O15 - Trusted Zone: *.alternativemedicine.com
O15 - Trusted Zone: *.amazon.co.uk
O15 - Trusted Zone: *.andyrace.co.uk
O15 - Trusted Zone: *.annoyances.org
O15 - Trusted Zone: *.aph.com
O15 - Trusted Zone: *.applegarth.biz
O15 - Trusted Zone: *.appliancebargains.co.uk
O15 - Trusted Zone: *.applyonlinenow.com
O15 - Trusted Zone: *.asda.com
O15 - Trusted Zone: *.auctionview.co.uk
O15 - Trusted Zone: *.auto-europe.co.uk
O15 - Trusted Zone: *.autotrader.co.uk
O15 - Trusted Zone: *.baa.com
O15 - Trusted Zone: *.bargainholidays.com
O15 - Trusted Zone: *.be-direct.co.uk
O15 - Trusted Zone: *.bigfoot.com
O15 - Trusted Zone: *.blackcircles.com
O15 - Trusted Zone: *.blackwell-synergy.com
O15 - Trusted Zone: *.blessedherbs.com
O15 - Trusted Zone: *.bloomberg.co.uk
O15 - Trusted Zone: *.bloomberg.com
O15 - Trusted Zone: *.bodychannel.net
O15 - Trusted Zone: *.boilerjuice.com
O15 - Trusted Zone: *.bookryanair.com
O15 - Trusted Zone: *.boschappliances.co.uk
O15 - Trusted Zone: *.british-car-auctions.co.uk
O15 - Trusted Zone: *.britishairways.com
O15 - Trusted Zone: *.britishhairways.com
O15 - Trusted Zone: *.brittanytourism.com
O15 - Trusted Zone: *.bromakin.co.uk
O15 - Trusted Zone: *.btmodemprotection.com
O15 - Trusted Zone: *.butlerscheeses.co.uk
O15 - Trusted Zone: *.bwea.com
O15 - Trusted Zone: *.ca-mapping.co.uk
O15 - Trusted Zone: *.cahoot.co.uk
O15 - Trusted Zone: *.cahoot.com
O15 - Trusted Zone: *.call18866.co.uk
O15 - Trusted Zone: *.call1899.co.uk
O15 - Trusted Zone: *.cantos.com
O15 - Trusted Zone: *.capitalone.co.uk
O15 - Trusted Zone: *.carjet.co.uk
O15 - Trusted Zone: *.carpages.co.uk
O15 - Trusted Zone: *.carrentals.co.uk
O15 - Trusted Zone: *.casasspain.com
O15 - Trusted Zone: *.cbfsms.com
O15 - Trusted Zone: *.cheephotels.co.uk
O15 - Trusted Zone: *.chinesemedicinesampler.com
O15 - Trusted Zone: *.choicesdirect.com
O15 - Trusted Zone: *.ciao.co.uk
O15 - Trusted Zone: *.citicards.co.uk
O15 - Trusted Zone: *.cnbceurope.com
O15 - Trusted Zone: *.co-op-2u.com
O15 - Trusted Zone: *.co-op2u.co.uk
O15 - Trusted Zone: *.co-op2u.com
O15 - Trusted Zone: focus.comdirect.co.uk
O15 - Trusted Zone: http://download.com.com
O15 - Trusted Zone: *.comdirect.co.uk
O15 - Trusted Zone: *.comet.co.uk
O15 - Trusted Zone: http://www.confused.com
O15 - Trusted Zone: *.conran.co.uk
O15 - Trusted Zone: *.conran.com
O15 - Trusted Zone: *.crystalfrance.co.uk
O15 - Trusted Zone: *.cts-online3.co.uk
O15 - Trusted Zone: *.ctshirts.co.uk
O15 - Trusted Zone: *.curezone.com
O15 - Trusted Zone: *.deals4u.co.uk
O15 - Trusted Zone: *.dell.co.uk
O15 - Trusted Zone: *.dell.com
O15 - Trusted Zone: *.diagnose-me.com
O15 - Trusted Zone: *.digicams-uk.com
O15 - Trusted Zone: *.digitaldirectuk.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.dr-schulze.com
O15 - Trusted Zone: *.drclark.com
O15 - Trusted Zone: *.drclarkstore.com
O15 - Trusted Zone: *.ds-roofline.co.uk
O15 - Trusted Zone: *.easyjet.co.uk
O15 - Trusted Zone: *.easyjet.com
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.ebigchina.com
O15 - Trusted Zone: *.edenfarms.co.uk
O15 - Trusted Zone: *.efax.com
O15 - Trusted Zone: *.electricfencing.co.uk
O15 - Trusted Zone: *.energyhelpline.com
O15 - Trusted Zone: *.eni.it
O15 - Trusted Zone: *.entitlements.co.uk
O15 - Trusted Zone: *.equalexchange.co.uk
O15 - Trusted Zone: *.espanabreaks.com
O15 - Trusted Zone: *.esure.com
O15 - Trusted Zone: *.ethicalshopper.co.uk
O15 - Trusted Zone: *.euroffice.co.uk
O15 - Trusted Zone: *.ewebcart.com
O15 - Trusted Zone: *.expedia.co.uk
O15 - Trusted Zone: *.ferrovial.com
O15 - Trusted Zone: *.ferrysale.com
O15 - Trusted Zone: *.fidelity.co.uk
O15 - Trusted Zone: *.firetrust.com
O15 - Trusted Zone: *.flavasava.co.uk
O15 - Trusted Zone: *.flybe.com
O15 - Trusted Zone: *.flymonarch.com
O15 - Trusted Zone: *.fool.co.uk
O15 - Trusted Zone: *.fool.com
O15 - Trusted Zone: *.forbes.com
O15 - Trusted Zone: *.fpdsavills.co.uk
O15 - Trusted Zone: *.freetranslation.com
O15 - Trusted Zone: *.frenchconnections.co.uk
O15 - Trusted Zone: *.frenchholidayhomes.com
O15 - Trusted Zone: *.friendsreunited.co.uk
O15 - Trusted Zone: *.frw.co.uk
O15 - Trusted Zone: *.funds-sp.com
O15 - Trusted Zone: *.gamingclubsportsbook.com
O15 - Trusted Zone: *.garthfisher.com
O15 - Trusted Zone: *.gerald-simonds.co.uk
O15 - Trusted Zone: *.getoily.com
O15 - Trusted Zone: *.gite.com
O15 - Trusted Zone: *.gites-de-france.fr
O15 - Trusted Zone: *.goodnessdirect.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.gov.uk
O15 - Trusted Zone: *.gpnotebook.co.uk
O15 - Trusted Zone: *.greenbuildingstore.co.uk
O15 - Trusted Zone: *.grisoft.com
O15 - Trusted Zone: *.grovelands.com
O15 - Trusted Zone: *.halifax-online.co.uk
O15 - Trusted Zone: *.healthandyoga.com
O15 - Trusted Zone: *.healthproductsforlife.com
O15 - Trusted Zone: *.hemscott.com
O15 - Trusted Zone: *.herbs-hands-healing.co.uk
O15 - Trusted Zone: *.highernature.co.uk
O15 - Trusted Zone: http://www.hkusb.com
O15 - Trusted Zone: *.holiday-rentals-world.com
O15 - Trusted Zone: *.holidayautos.co.uk
O15 - Trusted Zone: *.holidayextras.co.uk
O15 - Trusted Zone: *.hollandandbarrett.com
O15 - Trusted Zone: *.home.co.uk
O15 - Trusted Zone: *.hotpoint.co.uk
O15 - Trusted Zone: *.icelolly.com
O15 - Trusted Zone: *.idealhealthservices.com
O15 - Trusted Zone: *.indesitcompany.com
O15 - Trusted Zone: *.tesco.insurance.co.uk
O15 - Trusted Zone: *.insureandgo.com
O15 - Trusted Zone: *.intelligentmoney.com
O15 - Trusted Zone: *.interparcel.com
O15 - Trusted Zone: *.invisalign.com
O15 - Trusted Zone: *.jamesvillas.co.uk
O15 - Trusted Zone: *.johnlewis.com
O15 - Trusted Zone: *.keemlaw.co.uk
O15 - Trusted Zone: *.lastminute.com
O15 - Trusted Zone: *.laterooms.com
O15 - Trusted Zone: *.lineone.net
O15 - Trusted Zone: *.liverpoolvictoria.co.uk
O15 - Trusted Zone: *.london2012.org
O15 - Trusted Zone: *.majorgeeks.com
O15 - Trusted Zone: *.map24.com
O15 - Trusted Zone: *.maporama.com
O15 - Trusted Zone: *.mcafee.com
O15 - Trusted Zone: *.menshealth.co.uk
O15 - Trusted Zone: *.mhdewormer.com
O15 - Trusted Zone: *.miele.co.uk
O15 - Trusted Zone: *.moltengold.com
O15 - Trusted Zone: *.moneysavingexpert.com
O15 - Trusted Zone: *.mx2.co.uk
O15 - Trusted Zone: *.mytravel.com
O15 - Trusted Zone: *.mytyres.co.uk
O15 - Trusted Zone: *.nads.co.uk
O15 - Trusted Zone: http://www.nationalrail.co.uk
O15 - Trusted Zone: *.nature.org
O15 - Trusted Zone: *.nectar.com
O15 - Trusted Zone: *.nethouseprices.com
O15 - Trusted Zone: *.next.co.uk
O15 - Trusted Zone: *.nhs.uk
O15 - Trusted Zone: *.nomatica.co.uk
O15 - Trusted Zone: *.nomatica.com
O15 - Trusted Zone: *.npower.com
O15 - Trusted Zone: *.ntl.com
O15 - Trusted Zone: *.ntlfreedom.com
O15 - Trusted Zone: *.ntlworld.com
O15 - Trusted Zone: *.obeynature.com
O15 - Trusted Zone: *.oddschecker.com
O15 - Trusted Zone: *.office-world.co.uk
O15 - Trusted Zone: *.old-maps.co.uk
O15 - Trusted Zone: *.online-secure-reservations.net
O15 - Trusted Zone: *.onlineseafood.co.uk
O15 - Trusted Zone: *.openjet.com
O15 - Trusted Zone: *.opodo.co.uk
O15 - Trusted Zone: *.familyfundtrust.org.uk
O15 - Trusted Zone: *.next.org.uk
O15 - Trusted Zone: *.visionofbritain.org.uk
O15 - Trusted Zone: *.ottobock.co.uk
O15 - Trusted Zone: *.oxyshop.co.uk
O15 - Trusted Zone: *.pacificmediaplc.com
O15 - Trusted Zone: *.page-moy.co.uk
O15 - Trusted Zone: *.panasonic.co.uk
O15 - Trusted Zone: *.parkandsave.co.uk
O15 - Trusted Zone: *.parkaph.co.uk
O15 - Trusted Zone: *.parking4less.co.uk
O15 - Trusted Zone: *.pattersons.co.uk
O15 - Trusted Zone: *.paypal.com
O15 - Trusted Zone: *.pcpitstop.com
O15 - Trusted Zone: *.pcworld.co.uk
O15 - Trusted Zone: *.petertyson.co.uk
O15 - Trusted Zone: *.ph-ion.com
O15 - Trusted Zone: *.pitchcare.com
O15 - Trusted Zone: *.police.uk
O15 - Trusted Zone: *.powerhouse.co.uk
O15 - Trusted Zone: *.prezzybox.com
O15 - Trusted Zone: *.priceline.co.uk
O15 - Trusted Zone: *.priceline.com
O15 - Trusted Zone: *.pricerunner.co.uk
O15 - Trusted Zone: *.qxl.co.uk
O15 - Trusted Zone: *.rac.co.uk
O15 - Trusted Zone: *.realmadrid.com
O15 - Trusted Zone: *.reuters.com
O15 - Trusted Zone: *.royalmail.com
O15 - Trusted Zone: *.rpoints.com
O15 - Trusted Zone: *.ryanair.co.uk
O15 - Trusted Zone: *.ryanair.com
O15 - Trusted Zone: *.sainsburyswine.co.uk
O15 - Trusted Zone: *.satellites.co.uk
O15 - Trusted Zone: *.savapoint.com
O15 - Trusted Zone: *.saveonyourbills.co.uk
O15 - Trusted Zone: *.savills.co.uk
O15 - Trusted Zone: *.scalesontheweb.co.uk
O15 - Trusted Zone: *.scferrybookings.co.uk
O15 - Trusted Zone: *.searchappliance.co.uk
O15 - Trusted Zone: *.seeyoumonday.com
O15 - Trusted Zone: *.seeyoumonday.info
O15 - Trusted Zone: *.sell247.com
O15 - Trusted Zone: *.shirt-press.co.uk
O15 - Trusted Zone: *.shoe-shop.com
O15 - Trusted Zone: *.shopping.com
O15 - Trusted Zone: *.sky.co.uk
O15 - Trusted Zone: *.sky.com
O15 - Trusted Zone: *.skyeurope.com
O15 - Trusted Zone: *.skyscanner.net
O15 - Trusted Zone: http://www.smallholder.co.uk
O15 - Trusted Zone: *.smartmoney.com
O15 - Trusted Zone: *.secure.squaregain.co.uk
O15 - Trusted Zone: *.squaregain.co.uk
O15 - Trusted Zone: *.stigauk.com
O15 - Trusted Zone: *.summerinitaly.com
O15 - Trusted Zone: *.sunrisemedical.com
O15 - Trusted Zone: *.swapeo.com
O15 - Trusted Zone: *.swaphouse.org
O15 - Trusted Zone: *.swopworld.com
O15 - Trusted Zone: *.tdwaterhouse.co.uk
O15 - Trusted Zone: *.techguy.org
O15 - Trusted Zone: *.tesco.com
O15 - Trusted Zone: *.theaa.com
O15 - Trusted Zone: *.thebbq.co.uk
O15 - Trusted Zone: http://www.thepoultrysite.com
O15 - Trusted Zone: http://www.thespykiller.co.uk
O15 - Trusted Zone: *.thestreet.com
O15 - Trusted Zone: *.thetrainline.com
O15 - Trusted Zone: *.thomsonflights.com
O15 - Trusted Zone: *.thomsonfly.com
O15 - Trusted Zone: *.ticketmaster.co.uk
O15 - Trusted Zone: *.timesonline.co.uk
O15 - Trusted Zone: *.timesonline.com
O15 - Trusted Zone: *.tiscali.co.uk
O15 - Trusted Zone: *.tonycraze.com
O15 - Trusted Zone: *.toolsforhealing.com
O15 - Trusted Zone: *.total-cure.com
O15 - Trusted Zone: *.totaldigital.biz
O15 - Trusted Zone: *.trade-appliances.co.uk
O15 - Trusted Zone: *.travelsupermarket.com
O15 - Trusted Zone: *.ukfoodonline.co.uk
O15 - Trusted Zone: *.ultraframe.co.uk
O15 - Trusted Zone: *.ultraframe.com
O15 - Trusted Zone: *.urlportfolio.com
O15 - Trusted Zone: http://www.velvetenergy.com
O15 - Trusted Zone: *.viamichelin.com
O15 - Trusted Zone: *.villa-vacation.com
O15 - Trusted Zone: *.villaplus.com
O15 - Trusted Zone: *.villarama.com
O15 - Trusted Zone: *.vitaminshoppe.com
O15 - Trusted Zone: *.voovit.com
O15 - Trusted Zone: *.waitrosedirect.co.uk
O15 - Trusted Zone: *.wasteconnect.co.uk
O15 - Trusted Zone: *.wastepoint.co.uk
O15 - Trusted Zone: *.willhill.com
O15 - Trusted Zone: *.worldpay.com
O15 - Trusted Zone: *.uk.wwte4.com
O15 - Trusted Zone: *.xl.com
O15 - Trusted Zone: *.zonelabs.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120743126764
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FBDC3B-7EB8-4796-B407-EE8137C2840B}: NameServer = 212.74.112.67 212.74.114.129
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 

Cookiegal

It looks like Ewido has taken care of the trojan but many infections hide there. Let's do an on-line scan from Panda and see if it finds anything.

Do the Panda Active Scan. Be sure to save the log it creates.

Do you still see this file?

C:\WINDOWS\system32\xqspgxvr.exe

It should no longer be there. The one in the prefetch files can be deleted.

Let's wait and see what Panda finds, if anything, before proceeding any further.

Do you really want all of those sites in your trusted zone? Some of them don't look too trustworthy just judging by their names.
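Added example, not from the thread, from HijackThis or from either poster: a small Python triage script that parses the entry types appearing in the logs above (R1, O4, O9, O15) and applies the checks a helper makes by eye, such as an autorun whose label does not describe the random-named file it launches, an orphaned O9 entry, a browser proxied through a local port, and an oversized Trusted Zone. The sample lines are taken from the logs posted in this thread; the thresholds and the "random name" heuristic are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis logs posted in
# this thread. The first O4 line is the autorun the helper asked to have fixed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\system32\xqspgxvr.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O15 - Trusted Zone: *.amazon.co.uk
O15 - Trusted Zone: *.ebay.co.uk
O15 - Trusted Zone: *.paypal.com
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?:http=)?(?P<host>[\w.\-]+):(?P<port>\d+)", re.IGNORECASE)

# Thresholds are assumptions for this example, not HijackThis settings.
TRUSTED_ZONE_LIMIT = 10  # more O15 entries than this is worth a second look
RANDOM_NAME_RUN = 5      # this many consonants in a row reads as machine-generated


@dataclass
class Finding:
    severity: str  # "high" or "medium": what a human should look at first
    line: str      # the log line (or summary) the finding refers to
    reason: str


def executable_of(cmd: str) -> str:
    """Return the program a Run-key command launches, quoted or not.

    Unquoted paths with spaces (C:\\Program Files\\...) are common in these
    logs, so we read up to the first ".exe" instead of splitting on spaces.
    """
    m = re.match(r'^"?(?P<exe>.*?\.exe)', cmd, re.IGNORECASE)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def looks_random(stem: str) -> bool:
    """Heuristic: names like xqspgxvr or bhsxkve have long consonant runs.

    Expect false positives on some legitimate drivers; it only raises a flag.
    """
    return re.search(r"[b-df-hj-np-tv-z]{%d,}" % RANDOM_NAME_RUN, stem.lower()) is not None


def label_matches(label: str, cmd: str) -> bool:
    """True when some word (3+ letters) of the Run-key label appears in the command."""
    words = [w for w in re.findall(r"[a-z]+", label.lower()) if len(w) >= 3]
    return any(w in cmd.lower() for w in words)


def triage(log_text: str) -> list:
    """Parse R1/O4/O9/O15 entries and return the findings a helper would raise."""
    findings, trusted = [], []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, blanks and the "Running processes" block
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue  # "Global Startup" entries are not handled here
            label, cmd = o4.group("label"), o4.group("cmd")
            exe = executable_of(cmd)
            stem = re.sub(r"\.exe$", "", exe.rsplit("\\", 1)[-1], flags=re.IGNORECASE)
            reasons = []
            if looks_random(stem):
                reasons.append("random-looking executable name")
            if not label_matches(label, cmd):
                reasons.append("label does not describe the program it launches")
            if reasons:
                # Both signs at once, on a file under \WINDOWS, is the pattern
                # of the xqspgxvr.exe downloader in this thread.
                both_in_windows = len(reasons) == 2 and "\\windows\\" in exe.lower()
                findings.append(Finding("high" if both_in_windows else "medium", line, "; ".join(reasons)))
        elif kind == "O9" and body.endswith("(file missing)"):
            findings.append(Finding("medium", line, "entry points to a missing file; orphaned, safe to fix"))
        elif kind == "R1":
            p = PROXY_RE.search(body)
            if p and p.group("host") in ("127.0.0.1", "localhost"):
                findings.append(Finding("medium", line,
                                        f"browser proxied through local port {p.group('port')}; "
                                        "identify the program listening there"))
        elif kind == "O15":
            trusted.append(body.replace("Trusted Zone: ", ""))
    if len(trusted) > TRUSTED_ZONE_LIMIT:
        findings.append(Finding("medium", f"O15 - Trusted Zone: {len(trusted)} entries",
                                f"{len(trusted)} sites in Trusted Zone run with relaxed IE security settings"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against a full log, the script only shortlists lines for a human to check; the O4 heuristic is meant to surface files like xqspgxvr.exe, not to decide on its own what is safe to delete.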
 

mike9inch

Thread Starter
Hijackthis reduced - have cut the trusted sites etc.

Also Panda found 3-4 viruses not found by the other Ewido software!

windows/system32/xqspgxvr.exe is still there.

What next? Many thanks for your help so far.



Panda file shown below.


Incident Status Location

Adware:Adware/Oemji No disinfected C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
Virus:Trj/Downloader.DKG Disinfected C:\WINDOWS\SYSTEM32\bhsxkve.exe
Virus:Trj/Downloader.DKG Disinfected C:\WINDOWS\SYSTEM32\rvfuv.exe
Virus:Trj/Downloader.DKG Disinfected C:\WINDOWS\SYSTEM32\wixzarp.exe


Logfile of HijackThis v1.99.1
Scan saved at 01:17:42, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\Apoint\Apntex.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O15 - Trusted Zone: *.pandasoftware.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120743126764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
 

Cookiegal

Boot to safe mode and delete this file:

C:\WINDOWS\system32\xqspgxvr.exe

How's everything running?
 

mike9inch

Thread Starter
Everything is running faster than when I started with you, etc.

But "HOW" do you want me to delete the "x" file in safe mode?

Any special routine? Do I use Killbox?

Are you sure it is safe to do it?
 

Cookiegal

Yes, it's safe to do it. It's a trojan file that was cleaned by Ewido but it looks like the actual file is still there.

Just navigate to it, highlight the file and click on delete.


Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

In the System Restore wizard, select Create a restore point and click the Next button.

Type a name for your new restore point then click on Create.


I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.


Read here for info on how to tighten your security.



Delete your temporary files:

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
 

mike9inch

Thread Starter
I've deleted that "x" file and made sure it wasn't left in the recycling bin etc.

I have not done the other tasks you set me though - i.e. not done the clear restore etc. and beyond.

Why? Well, I thought I'd like to run first a hijackthis report again and just get your professional feedback on its current readings.

Does it look OK to you?

Are there other entries on it that "must" or you would "recommend" are deleted in order to tidy up or speed up my pc or make it safer etc?

Some look harmless, but of course I am NOT an expert so would prefer you to advise.

I reside in the UK and understand you are in Canada - hence the time difference in my replying to your earlier post.

Once again many thanks to you.





Logfile of HijackThis v1.99.1
Scan saved at 17:22:27, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\BacsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Tiscali Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/227
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.myinternetpass.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.javacoolsoftware.net
O15 - Trusted Zone: *.virusscan.jotti.org
O15 - Trusted Zone: *.pandasoftware.com
O15 - Trusted Zone: *.squaregain.co.uk
O15 - Trusted Zone: *.trendmicro.com
O15 - Trusted Zone: *.zonelabs.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1120743126764
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FBDC3B-7EB8-4796-B407-EE8137C2840B}: NameServer = 212.74.112.66 212.74.112.67
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
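For anyone reading a log like the one above without a helper on hand, here is an added example (not code from HijackThis, this forum, or the poster) that parses the HijackThis v1.99 line format and lists the entry types a reviewer normally confirms by hand: the IE proxy setting (R1), unnamed BHOs (O2), autorun entries that give only a bare file name (O4), Trusted Zone additions (O15), downloaded ActiveX controls (O16) and hard-set DNS servers (O17). The sample input is constructed from a few lines of the log posted above; the review rules are this example's own heuristics, and every prompt it prints can correspond to a perfectly legitimate entry (security tools add BHOs and trusted zones too), so the output is a checklist of things to verify, not a verdict.

```python
"""Parse a HijackThis v1.99 log and list the entries a reviewer checks first.

Added example, not HijackThis code. The review rules below are this example's
own heuristics: each is a prompt to confirm an entry, never a verdict on it.
"""
import re
from collections import Counter

# Sample constructed from a few lines of the log posted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:22:27, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myinternetpass.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O15 - Trusted Zone: *.download.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7FBDC3B-7EB8-4796-B407-EE8137C2840B}: NameServer = 212.74.112.66 212.74.112.67
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: [name] cmd"
PATH_RE = re.compile(r'^"?[A-Za-z]:\\')          # command begins with a drive path


def parse_log(text):
    """Split a log into header lines, the running-process list and [RO]n entries."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
        elif section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def name_servers(parsed):
    """DNS servers from O17 entries, to compare against the ISP's published ones."""
    servers = []
    for code, detail in parsed["entries"]:
        if code == "O17" and "NameServer = " in detail:
            servers.extend(detail.split("NameServer = ", 1)[1].split())
    return servers


def review(parsed):
    """Return (code, reason, detail) for entries that deserve a manual check."""
    findings = []
    for code, detail in parsed["entries"]:
        if code == "R1" and "ProxyServer" in detail:
            findings.append((code, "IE goes through a proxy; confirm which installed program provides it", detail))
        elif code == "O2" and detail.startswith("BHO: (no name)"):
            findings.append((code, "unnamed BHO; identify the DLL by its path and CLSID", detail))
        elif code == "O4":
            command = detail.split("] ", 1)[-1]          # text after "[name] "
            if not PATH_RE.match(command):
                findings.append((code, "autorun names a bare file resolved via the search path; locate the file", detail))
        elif code == "O15":
            findings.append((code, "site in the Trusted zone gets relaxed IE security; confirm it was added deliberately", detail))
        elif code == "O16":
            findings.append((code, "ActiveX control downloaded from this URL; confirm you installed it", detail))
        elif code == "O17":
            findings.append((code, "DNS servers are hard-set; confirm they belong to the ISP", detail))
    return findings


def section_counts(parsed):
    """How many entries of each type the log contains."""
    return Counter(code for code, _ in parsed["entries"])


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"{len(parsed['processes'])} processes, entries: {dict(section_counts(parsed))}")
    for code, reason, detail in review(parsed):
        print(f"{code}: {reason}\n    {detail}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents; the O4 rule is the one most worth extending, since an autorun that names only `BacsTray.exe` or `BCMSMMSG.exe` tells you nothing about where the file lives until you look it up yourself.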