Spyware grinding laptop to a halt in xp

Question

Turnip 0 Light Poster

19 Years Ago

Hi everyone
I'm posting because my dad's laptop has essentially filled up with spyware to the extent that he cannot connect to the internet.

Essentially he has a Sony Vaio laptop that had windows 98 SE on and just recently he put xp on also. He never connected it to the internet and didn't have any spyware or virus protection. However just recently my parent's pc went to the big electronics store in the sky so they've linked the laptop to their broadband connection. Without any protection it soon filled with spyware and this weekend I put adaware and spybot on it to try and remove it all (I'm gonna put virus protection on next weekend).
When I started work on it the laptop wouldn't connect to the internet in xp but if loaded in 98 it would have no problems. Now after running adaware and spybot I can get connected to the internet but as soon as I do there is some spyware that hasn't been caught that immediately kicks in and the laptop grinds to a halt. I've got a hjt log that I've posted below and I'd really apreciate it if someone could have a quick scan.

By the way I'd really like to learn to interpret this stuff myself is there anywhere I can learn?

Cheers everyone

Logfile of HijackThis v1.98.2
Scan saved at 11:28:25, on 06/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\SONY\VAIO ACTION SETUP\VASERV.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.iesearch.freeserve.com/iesearch/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART
LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey
Utility\HKserv.exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL
Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL
Modem\dslagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - Startup: BatteryScope.lnk = C:\Program
Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program
Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: VAIO Action Setup (Server).lnk = C:\Program
Files\SONY\VAIO Action Setup\VAServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk =
C:\Windows\system\E_SRCV03.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

windows-virus

4 Contributors
20 Replies
198 Views
3 Weeks Discussion Span
Latest Post 19 Years Ago Latest Post by crunchie

pcschrottie 1 Posting Whiz in Training

19 Years Ago

Isn't there a site where you can have your hijackthis-log checked? There is one in german, so I'm sure there's one in english too. It would be a good first thing to do instead of filling up forums with these logs.

After a VERY brief look at your log-file, I would say it's more or less clean. The problem isn't the spyware/adware/pornware/virus/backdoor etc etc, the problem is YOU, the user.

If you really need to use the Internet Explorer, get familiar with its security-options. A PC doesn't fill up with spyware "just like that" after it is connected to the internet.

Try to use Mozilla/Firefox or something similar and see if the "pollution" stops.

Also a virus scanner cannot protect you if you just download and run about everything you see on a website.

Michael

pcschrottie 1 Posting Whiz in Training

19 Years Ago

simply because they didn't realize that they should, or even what virus protection was.

I know this problem.

because as soon as the internet is connected I get a handful of "fake" dialog boxes asking me to visit security and adult sites aswell as poups requesting I install toolbars before the computer grinds to a complete halt.

Could it be that you're talking about the messenger service? And did you experience the crash of your PC also when you where offline? Test it. Could be a driver or hardware problem.

http://www.itc.virginia.edu/desktop/docs/messagepopup/

however a lot of it does so through less than obvious means

ActiveX, for an example. You should check if it is activated on your parent's PC. This site is about dialers, but the problem is the same:

http://www.emsisoft.com/en/kb/articles/tec041212/

Problem is: with a "secure" IE, you will have difficulties using certain websites. That's where you should use the "trusted zone". Or, easier, use a different browser instead as suggested above.

I didn't mean to be harsh, it's just that the questions are always the same and people don't read the sticky threads. ;)

Michael

crunchie 990 Most Valuable Poster

19 Years Ago

Turnip. This is an appropriate place to post :D. That is why this forum was set up in the first place, to help people who are having problems.
Personally I do not trust the online hijackthis log scanners as they do not give enough direction and have too many false positives.
Although I see nothing in your log either it could well be hidden somewhere.
If you have anything disabled in msconfig, re-enable it and reboot and post another log.
Does 98 have messenger?
You are also running an out of date hijackthis. Update hijackthis to version 1.99. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

pcschrottie 1 Posting Whiz in Training

19 Years Ago

There's a registry entry that adaware cannot remove

Try it in safe mode (hit F8 during startup). And yes, you have to run HijackThis under Windows XP to get track of the spyware installed there.

I get a window saying something like "your pc will shutdown in 45 seconds. This has been authorised by NT_______ ..."

I think Blaster gave you a minute, so it must be Sasser. You should install either Service Pack 2 on your Windows XP system or the following 2 patches:

Blaster-Patch =>

http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en

Sasser-Patch =>

http://www.microsoft.com/downloads/details.aspx?FamilyID=3549ea9e-da3f-43b9-a4f1-af243b6168f3&displaylang=en

You MUST either install SP2 or these 2 patches before connecting a Windows XP system to the internet!

Best thing to do would be probably to reinstall the whole system, then update it with all the latest patches including SP2, then get rid of IE except for Windows Update and also install a decent antivirus software like AVG 7.0 FreeEdition.

Michael

dlh6213 27 Posting Maven

19 Years Ago

Hey Turnip, you may want to have your parents read this as it's kind of related:

http://www.daniweb.com/techtalkforums/thread16365.html

You can find Hijackthis tutorials at these sites (and more if you do a google search):

http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm
http://hjt.wizardsofwebsites.com/
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
http://www.spywareinfo.com/~merijn/htlogtutorial.html

By the way, I don't see anything bad in that log either, but since XP is where you are having problems, that is where you need to scan with HJT.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Turnip 0 Light Poster · Answer 1 · 2005-02-07T18:41:58+00:00

Harsh but fair I think.

My appologies if this is an inapropriate post for this forum. I have had help with my own pc from here in the past and thought this was a good place to start. I'll google search for somewhere to post this log, but if anyone has any suggestions or sites to recommend they would be much appreciated.

I am well aware that spyware doesn't just jump onto a pc and that most of it is in fact stuff that people have asked to be downloaded, however a lot of it does so through less than obvious means. Unfortunately the problem is not me the user it's my parents the users (I did point out it was their machine) and they are unfortunately not as up to speed with computing issues as some people. As I said they didn't even have any virus protection, simply because they didn't realize that they should, or even what virus protection was.

Thanks for your brief look, but there definitely is spyware on there, because as soon as the internet is connected I get a handful of "fake" dialog boxes asking me to visit security and adult sites aswell as poups requesting I install toolbars before the computer grinds to a complete halt.

Cheers anyway, as I said I'll find somewhere more appropriate to post, i didn't mean to cause offence.

Turnip 0 Light Poster · Answer 2 · 2005-02-07T19:30:11+00:00

Thanks very much, you were right it is the messengerservice I'll get that turned off for starters.
There's also something to do with installing a toolbar. I can't remember the name, but it has what appears to be an install file on c: that keeps regenerating when I delete it. There's a registry entry that adaware cannot remove and/or keeps regenerating, again I can't remember the name of it but it's three letters followed by a the word "bar." The last thing is that after a few minutes once I try to connect to the internet I get a window saying something like "your pc will shutdown in 45 seconds. This has been authorised by NT_______ ..." Again I can't remember the details. I really need to get them. Sorry for the vagueness, I'll get all the details next weekend and try to post if you'd be happy to take a look?

I understand regarding people posting the same old stuff time and again. I feel really bad for posting to be honest cos I know you guys give up your free time to help us lowly folk that really don't have a clue about the detailed workings of a pc. But you can certainly be sure that we're all very greatfull for it.

Cheers very much again

Phil

Turnip 0 Light Poster · Answer 3 · 2005-02-07T19:46:42+00:00

Thanks also Crunchie. I'll grab an updated hijack this and follow your directions too.

You mentioned win 98 not having messenger. The laptop originally had 98 but has also had xp installed. During boot up there is an option for which to use and win 98 still works fine, it is just in xp that the problems occur. I noticed the hijack this log says windows 98, but I thought I ran it while using xp, maybe I'm wrong though. I grabbed the log in a hurry before I left my parents last night, which is why I don't have the details for the other problems on the system. I'll get some more detailed info when I visit them again next weekend.

Thanks

Phil

Turnip 0 Light Poster · Answer 4 · 2005-02-07T22:43:32+00:00

Micheal
Dead right again. Checked out the sasser worm on trendmicro and it has exactly the same dialogue boxes as I'm seeing on the laptop, with the "LSA shell has encountered a problem" message and the "system shutdown" message.

You are obviously on a roll :)

Thanks
Phil

Turnip 0 Light Poster · Answer 5 · 2005-02-07T22:54:04+00:00

Oh by the way can any of you recommend any antivirus software. I often hear bad things about Norton and I had trouble getting it off my own system when I replaced it last year. I now have Trendmicro PCCillin on my PC, which I'm happy with and includes a firewall and this is what I was going to put on my dad's laptop. But are there any others that are worth considering?

Just thought I'd ask some people in the know while I have your ears. I'm not looking for a review of the whole section of the software industry, just a couple of names that I can go away and research myself.

pcschrottie 1 Posting Whiz in Training · Answer 6 · 2005-02-07T23:09:21+00:00

pcschrottie 1 Posting Whiz in Training

19 Years Ago

* deleted *

pcschrottie 1 Posting Whiz in Training · Answer 7 · 2005-02-07T23:09:46+00:00

I already mentioned one above:

http://free.grisoft.com/freeweb.php/doc/2/

Runs well on my computer, even though the update-server seems to have some problems from time to time.

If you want to spend money, I personaly would recommend Kaspersky 5.0 Personal Edition. It's known for its good detection of all kinds of malware. There's a 30-day trial version for downloading:

http://www.kaspersky.com/personal

There are several others, these are just programs I have had good experience with.

About the firewall: just use the one that comes with Windows XP, should be good enough for your parent's purpose. The SP2-firewall has some improvements, by the way.
I personaly can't recommend you one of these all-in-one softwares like Norton Internet Security. All they normaly do is use a lot of resources.

Michael

dlh6213 27 Posting Maven Team Colleague · Answer 8 · 2005-02-08T14:21:57+00:00

Oh by the way can any of you recommend any antivirus software.

Here are some discussions on antivirus programs here at DaniWeb:

http://www.daniweb.com/techtalkforums/thread17349-nod32.html

http://www.daniweb.com/techtalkforums/thread12883-nod32.html

http://www.daniweb.com/techtalkforums/thread3330-nod32.html

Turnip 0 Light Poster · Answer 9 · 2005-02-28T01:51:01+00:00

Hi again
Right well Ive finally got chance to have a good wrestle with my dads laptop. I've cleaned it with adaware and spybot s&d. I tried to put kaspersky on but apparently it is not sold to uk users so I put NOD32 on instead. It found 16 viruses/worms/trojans. I've canceled the windows message service and I've enabled the xp firewall.
I now have internet access but it's horrendously slow.
I've put a hijack this log below I'd be very grateful if someone could have a look through it to see if there are any other nasties.

Thanks
Phil

Logfile of HijackThis v1.99.1
Scan saved at 19:12:16, on 27/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\WINDOWS\System32\nesse69.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\System32\pingppac.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\dnswn.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Microsoft is Gay] nesse69.exe
O4 - HKLM\..\Run: [BBDial] D:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [dBbFUobc] D:\WINDOWS\doreymf.exe
O4 - HKLM\..\Run: [sais] d:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Asaha] C:\Program Files\Rjrant\Mmmskk.exe
O4 - HKLM\..\Run: [Dns Server] dnswn.exe
O4 - HKLM\..\Run: [Microsoft Update] Svhost.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Microsoft is Gay] nesse69.exe
O4 - HKLM\..\RunServices: [Dns Server] dnswn.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Svhost.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Dns Server] dnswn.exe
O4 - HKCU\..\Run: [Microsoft Update] Svhost.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Files\Eset\nod32krn.exe

Turnip 0 Light Poster · Answer 10 · 2005-02-28T05:05:03+00:00

One other problem that I thought had gone away, but hasjust returned. When I connect to the internet I get I dialog telling me "Sitebar is ready to be deployed" and asking me to confirm the installation. I'm not sure if that shows up in the HJT log so thought I should say that as well

Thanks

Phil

dlh6213 27 Posting Maven Team Colleague · Answer 11 · 2005-02-28T07:32:24+00:00

Go to Add/Remove Programs in your Control Panel and remove these (if found):

180solutions
Rjrant

You may need to use Pocket Killbox for some of these, but let's see how hijackthis does with them first. Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Microsoft is Gay] nesse69.exe
O4 - HKLM\..\Run: [dBbFUobc] D:\WINDOWS\doreymf.exe
O4 - HKLM\..\Run: [sais] d:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Asaha] C:\Program Files\Rjrant\Mmmskk.exe
O4 - HKLM\..\Run: [Dns Server] dnswn.exe
O4 - HKLM\..\Run: [Microsoft Update] Svhost.exe
O4 - HKLM\..\Run: [PPPOEO] pingppac.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Microsoft is Gay] nesse69.exe
O4 - HKLM\..\RunServices: [Dns Server] dnswn.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Svhost.exe
O4 - HKLM\..\RunServices: [PPPOEO] pingppac.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Dns Server] dnswn.exe
O4 - HKCU\..\Run: [Microsoft Update] Svhost.exe

Be sure all windows are closed other that HJT before hitting the Fix button

Go to the following locations and delete the highlighted file or folder:

D:\WINDOWS\doreymf.exe
D:\Program Files\180solutions
C:\Program Files\Rjrant

Reboot

Close all browser windows, scan with HJT, and post a new log please.

Turnip 0 Light Poster · Answer 12 · 2005-03-06T06:01:22+00:00

Done that, thanks. The log is below. All the stuff you said is gone. There was an unistall for 180 solutions but not for Rjrant.
A couple of new things have appeared. I guess they need removing?

Logfile of HijackThis v1.99.1
Scan saved at 15:36:08, on 05/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\accntfs.exe
D:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] D:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [awv7RWbng] accntfs.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Files\Eset\nod32krn.exe

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 13 · 2005-03-06T09:08:09+00:00

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
D:\WINDOWS\System32\accntfs.exe

Go to D:\WINDOWS\System32 and delete the file manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKCU\..\Run: [awv7RWbng] accntfs.exe

Download CWShredder 2 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

Post a new log when done.

Turnip 0 Light Poster · Answer 14 · 2005-03-06T16:36:49+00:00

Thanks Crunchie.
Did as you asked. CWShredder didn't find anything, it simply said not present for all checks.

I restarted and ran hjt again. The log is below. It looks clean to me, maybe someone else can see something. If not then we can close this thread. Thanks very much everyone for your help

Logfile of HijackThis v1.99.1
Scan saved at 02:18:31, on 06/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\System32\ctfmon.exe
D:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
D:\Program Files\BT Broadband Basic Help\bin\mad.exe
D:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] D:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Files\Eset\nod32krn.exe

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 15 · 2005-03-06T17:06:13+00:00

OK. Sorry about that. One of the sites I use to check the log entries showed one of them as being CWS related.
You be good to go then :).