HJT Log check request


5 replies to this topic

#1 OFFLINE   SoiDog

    Newbie

  • Members
  • 6 posts

Posted 09 April 2006 - 02:47 PM

I had a few minor dramas with IE6 shutting down un-aided as well as some conflicting mentions of "phone diallers" on my system. I have updated and run the programmes suggested and now submit a HJT log for comments. Any advice is much appreciated. Many thanks :D

Logfile of HijackThis v1.99.1
Scan saved at 9:45:58 PM, on 4/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Link\DSL-210\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\BACKED UP APPS\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\D-Link\DSL-210\CnxDslTb.exe"
O4 - Startup: Reminders - Check.lnk = C:\Program Files\Multi Reminders\reminder.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{322B5D28-9418-4C23-A736-69063E6F99E7}: NameServer = 202.69.137.137 202.69.137.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{322B5D28-9418-4C23-A736-69063E6F99E7}: NameServer = 202.69.137.137 202.69.137.138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
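
As an added example (not part of the original thread and not HijackThis code): a small Python parser for the `O`-section lines of a log like the one above. It extracts the CLSID, file path and DNS servers from each entry and lists the entries a helper would look up by hand. The dictionary field names, the `needs_lookup` criteria and the choice of sample lines are assumptions made for this illustration.

```python
import re
# HijackThis section codes seen in the log above and what each one lists.
SECTIONS = {"O2": "Browser Helper Object", "O4": "autostart entry",
            "O12": "Internet Explorer plugin", "O16": "ActiveX control",
            "O17": "DNS server setting", "O23": "Windows service"}
# Assumed review criteria: being listed means "look it up", not "malicious".
REASONS = {"O16": "ActiveX control installed from a web page",
           "O17": "confirm these DNS servers belong to the ISP"}
# Sample input: five lines copied from the log posted above.
SAMPLE = r"""
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{322B5D28-9418-4C23-A736-69063E6F99E7}: NameServer = 202.69.137.137 202.69.137.138
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.+)$")
CLSID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
FILE = re.compile(r"[A-Z]:\\[^\"]+?\.(?:exe|dll|ocx)", re.I)
DNS = re.compile(r"NameServer = (.+)$")

def parse(log):
    """Turn each 'Onn - ...' line into a dict; all other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, body = m.groups()
            clsid, path, dns = CLSID.search(body), FILE.search(body), DNS.search(body)
            entries.append({"code": code, "kind": SECTIONS.get(code, "other"),
                            "clsid": clsid.group(0) if clsid else None,
                            "path": path.group(0) if path else None,
                            "dns": dns.group(1).split() if dns else [], "body": body})
    return entries

def needs_lookup(entries):
    """Return (code, reason, detail) for entries a helper verifies by hand."""
    picked = []
    for e in entries:
        reason = REASONS.get(e["code"])
        if e["code"] == "O23" and " - Unknown owner - " in e["body"]:
            reason = "HijackThis shows no company name for the service file"
        if reason:
            picked.append((e["code"], reason, e["dns"] or e["path"] or e["clsid"]))
    return picked

if __name__ == "__main__":
    print(*needs_lookup(parse(SAMPLE)), sep="\n")
```
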

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 09 April 2006 - 07:59 PM

Hi SoiDog, Welcome to the forum :)

There are no malware problems showing in your log, so hopefully the scanners you used removed the junk. Is your ISP based in Thailand, and are you still having problems with IE shutting down? If you do, does it show any errors first or just close the browser window?

Can you install Ewido and run a full scan, then run Panda's online scan and post back the logs if they detect any problems?

Download Ewido Anti-Malware from HERE
  • When installing, under "Additional Options" uncheck "Install background guard"
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click Complete System Scan.
If ewido finds anything, it will pop up a notification. You can select Remove and check the boxes Perform action with all infections and Create encrypted backup before clicking on OK.
When the scan finishes, click on Save Report. This will create a text file that you can save to the desktop and post back.

Finally run Panda Activescan from Here.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.


Thanks

Andy

#3 OFFLINE   SoiDog

Posted 10 April 2006 - 04:25 AM

Many thanks AndyManchesta :)

I have done as you suggested, and there are no problems to report with Ewido. Funnily enough though, Panda throws up the following:


Incident           Status           Location
Dialer:Dialer.XD   Not disinfected  C:\WINDOWS\Downloaded Program Files\start.INF
Dialer:Dialer.ABR  Not disinfected  C:\WINDOWS\Downloaded Program Files\startbf.inf
Dialer:dialer.xd   Not disinfected  C:\WINDOWS\switchagreement.txt

No other cleaner seems to find anything at all, and the IE problem has stopped :unsure: Any suggestions for getting rid of these dialers, if in fact they do exist? Thanks again :D

#4 OFFLINE   AndyManchesta

Posted 10 April 2006 - 06:06 AM

Hi SoiDog

They will be leftover malware files so it's fine to remove them.

Go to Start Menu > Run > Type

cmd

Press OK then type or copy and paste these lines onto the cmd screen and press Enter after each one:

del %systemroot%\Downlo~1\start.INF
Press Enter
del %systemroot%\Downlo~1\startbf.inf
Press Enter
del %systemroot%\switchagreement.txt
Press Enter
exit
Press Enter

Consider installing Spywareblaster if you do not have it, as it can help prevent malware and block malicious ActiveX-based installs via webpages.

Let us know if you have any more problems

Andy

#5 OFFLINE   SoiDog

Posted 10 April 2006 - 09:48 AM

AndyManchesta, on Apr 10 2006, 01:06 PM, said:

Hi SoiDog

They will be leftover malware files so it's fine to remove them.

Go to Start Menu > Run > Type

cmd

Press OK then type or copy and paste these lines onto the cmd screen and press Enter after each one:

del %systemroot%\Downlo~1\start.INF
Press Enter
del %systemroot%\Downlo~1\startbf.inf
Press Enter
del %systemroot%\switchagreement.txt
Press Enter
exit
Press Enter

Done and done Andy :D

Consider installing Spywareblaster if you do not have it, as it can help prevent malware and block malicious ActiveX-based installs via webpages.

Let us know if you have any more problems

Andy

Done and done Andy :D All now hunky dory. I had spywareblaster installed already, that's why it was a bit of a shock to see those dialer entries. Many thanks for all your great and informative help. Very much appreciated :D

#6 OFFLINE   AndyManchesta

Posted 10 April 2006 - 08:45 PM

You're welcome

Happy Surfing :)