Hi All, I’ve had some very weird happenings in recent days:

1. On Sunday I was using laptop via router, closedown came up with an IE programme running can’t close. I always use firefox but closed the programme anyway, not paying enough attention.

2. This morning on my main computer I got an email pruportedly from myself! It turned out to be from a European Pharma, well turns out it is based in Canada (allegedly!!).

3. I found parts of my Spywareblaster disabled. I am not aware of ever having done this.

4. In panic am now running as I type on main computer an avast scan. So far had 4 win32 Adware-Gen viruses moved to chest, scan still running.

I am terrified, no that’s not strong enough; shaking, petrified that someone is doing premium rate calls on my line. Not much help from my telecom provider, they say a bill for something of that sort might not “surface” for months.

PLEASE ADVISE, IF IT IS POSSIBLY VERY BAD NEWS I STILL NEED TO KNOW!!! Will try to copy and send scan findings.

The first thing not to do is panic as you may hit the wrong button somewhere

Download & Run HijackThis.exe

[*]Download HJTInstall.exe to your Desktop.
[*]Doubleclick HJTInstall.exe to install it.
[*]By default it will install to C:\Program Files\Trend Micro\HijackThis .
[*]Click on Install.
[*]It will create a HijackThis icon on the desktop.
[*]Once installed, it will launch Hijackthis.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Copy/Paste the log to your next reply please.

Don’t use the Analyse This button, its findings are dangerous if misinterpreted.
Don’t have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Done that on main computer. Will repeat on laptop asap. Thanks and more advice please!!

PS: I am wondering if while fidgeting earlier today I may have done something to change my internet connections as my startup now asks for a password!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:17 PM, on 2/13/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\msiexec.exe
C:\PROGRA~1\SiOL\ADSL\app\EnterNetFolder.Exe
C:\PROGRA~1\SiOL\ADSL\app\enternet.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [SBAutoUpdate] “C:\Program Files\SpywareBlaster\sbautoupdate.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM..\Run: [EPSON Stylus C46 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 “EPSON Stylus C46 Series” /O5 “LPT1:” /M “Stylus C46”
O4 - HKLM..\Run: [EPSON Stylus C62 Series (Copy 4)] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P32 “EPSON Stylus C62 Series (Copy 4)” /O6 “USB001” /M “Stylus C62”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [msnappau] “C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe”
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
O4 - HKCU..\RunOnce: [Netscape] C:\Program Files\Mozilla Firefox\firefox.exe -installer
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p
O4 - HKUS.DEFAULT..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\GetFlash.exe -p (User ‘Default user’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191839439562
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4544/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip..{2BFDBC9B-FCD8-43D9-939C-8142941373D7}: NameServer = 193.189.160.11
O17 - HKLM\System\CS1\Services\Tcpip..{2BFDBC9B-FCD8-43D9-939C-8142941373D7}: NameServer = 193.189.160.11
O17 - HKLM\System\CS2\Services\Tcpip..{2BFDBC9B-FCD8-43D9-939C-8142941373D7}: NameServer = 193.189.160.11
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing)

–
End of file - 7926 bytes

This from my laptop. main computer (as above reply) is on 2000 Pro, this one on vista ultimate 32.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:25:02, on 13/02/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

–
End of file - 3656 bytes

There were four of these adware gens (now in chest) on my main computer; at a total guess (you’ll put me right) something to do with changing from my username and password to administrator; which is what I think I have done and why the computer doesn’t recognize even my email now, inviting me to set one up!!

The are all in C: Doc and Sets: /…/PCHPInstall-1.exe; twice
And…PHCPInstall.exe; twice

Still to scan laptop.

If I am right your first hjt log gives indications of a vundo infection, I base this on this entry:
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing)

In the old days (2005) this was killed a.o. using killbox, but there is a rather more modern approach for it now, and let essexboy lead you through this cleansing routine,

polonus

Ok looks like sdbot.vb worm on the first Hijackthis so I will hit that first

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe
O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing)

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

@echo off sc stop Windows Process Moniter sc delete Windows Process Moniter exit

Next you will need to create the batch fix to do that copy and paste [b]ALL[/b] of the above in the quote box to a notepad file. Then in the text file go to [b]FILE > SAVE AS [/b] and in the dropdown box select [b]SAVE AS TYPE [/b] to[b] ALL FILES [/b] Then in the [b]FILE NAME [/b] box type [b]fix.bat[/b]

This will create a batch file
http://img524.imageshack.us/img524/9383/batmp6.jpg

Then run fix.bat by double clicking you may see a black box appear this is normal

NEXT

Please download the OTMoveIt2 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it.
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINNT\winmon.exe 

[*] Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

[*] Return to OTMoveIt2, right click in the “Paste List Of Files/Patterns To Search For and Move” window (under the yellow bar) and choose Paste.

[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:

Reg - BotCheck

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the log. I will review it when it comes in.

For the laptop just to check it run winpfind on that one as well

I’m battling through, give me another few minutes; having problems with running programmes, batch is on desktop but never seems able to open to run.

Heres the moveit scan

File/Folder C:\WINNT\winmon.exe not found.
File/Folder O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe not found.
File/Folder O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing) not found.
[Custom Input]
< O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe >
File/Folder O4 - HKLM..\Run: [zzzHPSETUP] D:\Setup.exe not found.
< O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing) >
File/Folder O23 - Service: Windows Process Moniter - Unknown owner - C:\WINNT\winmon.exe (file missing) not found.

OTMoveIt2 v1.0.20 log created on 02142008_145117

I can’t get winpfind to run, see also my above post - it is there on the desktop but keeps asking to overwrite.

Also I disabled the local area network connection but when I rebooted it seemed to be still running???

Edit I just ran hijack this again and the two ‘offenders’ were not there.

This may make no sense from where you are, but where I am it looks worth asking.

Now i can’t get online from the main computer; I wonder if the unknown user was infact myself and when I might have changed my network ID to administrator, which I have now removed, that is what the problem might be!!!
Reason I wonder is because I can still get on via dial up but not through the router.

When i go into Network ID wizard username is administrator and my password is in ‘domain’. Is that right?

Shoot me down though guys no worries you are the experts!!

See also my two posts above.

Ok network stuff is way out of my realm I just fire and forget on that. Mayhap someone with some knowledge of these areas could help

Fair enough! Is there anything else I can do though, you did say that was for starters.

If not, I really respect your help yesterday, warmly appreciated.

Have I made progress?

Hi hawick,

Here you can get the info to restore that connection:
http://support.microsoft.com/kb/329441

polonus

Fair enough! Is there anything else I can do though, you did say that was for starters.

I would have liked to see the winpfind log .. However I can use another analysis tool

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.