
Hard Drive Constantly Reading

Discussion in 'Malware and Virus Removal Archive' started by mikeyewz, 2007/01/27.

  1. 2007/01/27
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Hi, my HDD is constantly being accessed, i.e. the light is intermittently flashing, then suddenly, after about 4 minutes, I lose my internet connection. I have to reboot to regain access, then it happens all over again. Any idea what the problem could be?
    Thanks, Mike.
     
    Last edited: 2007/01/27
  2. 2007/01/27
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello mikeyewz,

    Go into Task Manager > Processes tab. You'll have to track down some of what's running, either by looking up the processes through the links in this post http://www.windowsbbs.com/showthread.php?t=39425 or by googling.

    I would eliminate one suspect - Windows Update.

    Windows Update runs a process wuauclt.exe for about 4/5 minutes at bootup and tries to connect to MS and then disappears.

    Shutting off automatic updates will eliminate it.

    This goes for your AV as well - disable auto updating and see if that's the problem.

    Regards - Charles
     


  4. 2007/01/27
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    The other thing I would check in Task Manager (on the Performance tab) is that the committed memory is less than the physical memory. It is possible for your OS to use more RAM than is present on the RAM memory chips connected to your motherboard. To achieve this, the OS starts using your hard disk as a RAM storage area. The result is that your PC keeps going, but runs more slowly, because hard disk access is a lot slower than RAM memory chip access, and you see a lot of disk access. This behaviour is common in XP systems running 256Mb RAM in my experience.

    Reading the original post again: this would explain the disk access, but not the loss of internet connection unless the committed RAM is a lot more than the physical RAM, and your system is really struggling to keep up.
     
  5. 2007/01/27
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Can I just add that I have 2 hard drives, C and E. When I disconnect the C drive and just use E, then I do not have the problem... could it be a virus on the C drive? I have run Avast, Ad-Aware and Spybot S&D and they come up with nothing.
     
  6. 2007/01/28
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello mikeyewz,

    Well, let's see if it's a malware problem. Follow the instructions below.

    Please download HijackThis! SetUp from http://downloads.malwareremoval.com/HJTsetup.exe
    Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation.

    Follow the prompts for the default install location of 'C:\Program Files\HijackThis'.

    Tick the 'Create a desktop' button when the option appears.

    Select next, then allow HijackThis! to start.

    Then press the [Scan] button.
    You will notice the [Scan] button will turn into a [Save Log] button.
    Click the [Save Log] button and notepad will open up with the contents of the scan.
    Right-click in the saved log, and select 'copy'.

    Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed.

    Do not make any modifications to the log or perform any 'fixes' until told to do so.

    Regards - Charles
     
  7. 2007/01/28
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 23:47:22, on 28/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Qualcomm\Eudora\Eudora.exe
    C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [dmywn.exe] C:\WINDOWS\System32\dmywn.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = E:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C19ADB26-F6B6-45F4-9D22-0D64E5CCF0E5}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
    Last edited: 2007/01/28
  8. 2007/01/29
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello mikeyewz,

    I'm moving your thread to the malware removal section for a look by the experts.

    This may be a problem, but the references are not in English:
    O4 - HKLM\..\Run: [dmywn.exe] C:\WINDOWS\System32\dmywn.exe

    Regards - Charles
     
  9. 2007/01/29
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Removing Spyware & Viruses forum.

    Looks like a Wareout infection. Let's run the fix for it.


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    Subratam
    Bleeping Computing

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once rebooted please post the text that will open (report.txt) and a new Hijackthis log file into this thread.
    If you get a file output similar to below:
    Go here and run the fix appropriate to your version of Windows:

    http://www.tech-forums.net/computer/topic/29806.html

    Then re-run Fixwareout please, thanks.
     
  10. 2007/01/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  11. 2007/01/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Process Monitor, while a very fine tool, does provide a rather overwhelming amount of info for most users.

    Previous link produces 'Bad Request'. Proper link here
     
  12. 2007/01/30
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Thank you very much for your help...


    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xevol
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE

    THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.
    Logfile of HijackThis v1.99.1
    Scan saved at 22:16:39, on 30/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\WINDOWS\TEMP\win44.tmp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win44.tmp.exe
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\dvoxcqpu.dll ",setvm
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C19ADB26-F6B6-45F4-9D22-0D64E5CCF0E5}: NameServer = 85.255.115.6,85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  13. 2007/01/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's finish up.

    Download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies <<<--- By deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the [Empty Selected] button.
    We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.

    Then download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot "
    • Then select "All files ".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\System32\dvoxcqpu.dll

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard ".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Do not allow a reboot yet.


    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win44.tmp.exe

    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\dvoxcqpu.dll ",setvm


    O17 - HKLM\System\CCS\Services\Tcpip\..\{C19ADB26-F6B6-45F4-9D22-0D64E5CCF0E5}: NameServer = 85.255.115.6,85.255.112.20

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20

    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94

    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20



    Reboot, then post a new HJT log back into this thread please.
     
  14. 2007/01/31
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Thanks again for your help... I cannot seem to get rid of the following; it reappears every time I log onto the net...

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94

    Also, my homepage is now always directed to MSN, even after I have changed it in Internet Options, and I am getting pop ups that I was not getting before.




    Logfile of HijackThis v1.99.1
    Scan saved at 09:55:53, on 31/01/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\hijackthis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  15. 2007/01/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That is a legit entry for your ISP. So you need that one.

    What did you change your homepage to? And what kind of pop ups are you getting, are they for any specific product or lead to any specific site?

    Let's look a bit deeper and see what we find.

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, which may be several minutes, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.
     
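The triage TeMerc does by eye in the posts above (O17 NameServer entries pointing at resolvers the ISP never assigned, an O4 Run entry launching from C:\WINDOWS\TEMP, a rundll32 entry loading an unknown DLL, and the 195.92.195.x entry that turns out to be the ISP's own) can be scripted. The script below is an added example, not part of this thread and not a feature of HijackThis, FixWareout or Silent Runners. It assumes an allowlist of expected resolvers (here the two addresses TeMerc confirms as the poster's ISP servers; on another machine you would pass whatever the ISP assigns) and applies two heuristics of its own: a Run entry whose path contains a TEMP directory is reported, and a rundll32 entry is reported for review only, since many rundll32 entries are legitimate. The sample log lines are copied from the logs posted in this thread.

```python
"""Triage a HijackThis log for the indicators this thread turns on:
O17 NameServer entries that point at resolvers the ISP did not assign,
and O4 Run entries launched from a temp directory or through rundll32.
Added example; the heuristics are the example's own, not HijackThis's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Expected resolvers: the two 195.92.195.x addresses confirmed in the thread
# as the poster's ISP servers. Any other address in an O17 line is reported.
ISP_RESOLVERS = frozenset({ip_address("195.92.195.95"), ip_address("195.92.195.94")})

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str    # "rogue_dns", "temp_launch" or "rundll32"
    detail: str


def split_nameservers(field: str) -> list[str]:
    """HijackThis prints the raw registry value; this thread's logs show both
    "a,b" and "a b" forms, so split on either separator."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def check_o17(line_no: int, line: str, expected=ISP_RESOLVERS) -> list[Finding]:
    """Report every resolver in an O17 line that is not in the allowlist."""
    m = O17_RE.match(line)
    if not m:
        return []
    rogue = []
    for server in split_nameservers(m["servers"]):
        try:
            addr = ip_address(server)
        except ValueError:
            rogue.append(f"{server} (not an IP address)")
            continue
        if addr not in expected:
            rogue.append(server)
    if not rogue:
        return []
    return [Finding(line_no, "rogue_dns", f"{m['key']}: {', '.join(rogue)}")]


def check_o4(line_no: int, line: str) -> list[Finding]:
    """Flag Run entries that launch from a temp directory (never a normal
    install location) and rundll32 entries, which need the DLL's publisher
    verified by hand because many such entries are legitimate."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m["cmd"]
    findings = []
    if TEMP_DIR_RE.search(cmd):
        findings.append(Finding(line_no, "temp_launch", f"[{m['name']}] {cmd}"))
    if cmd.lower().lstrip('"').startswith("rundll32"):
        findings.append(Finding(line_no, "rundll32", f"[{m['name']}] {cmd}"))
    return findings


def triage(log_text: str, expected=ISP_RESOLVERS) -> list[Finding]:
    """Run both checks over every line of a pasted log."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        findings.extend(check_o17(line_no, line, expected))
        findings.extend(check_o4(line_no, line))
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\TEMP\win44.tmp.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\dvoxcqpu.dll ",setvm
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{C19ADB26-F6B6-45F4-9D22-0D64E5CCF0E5}: NameServer = 85.255.115.6,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

On the sample it reports the TEMP launch on line 2, the rundll32 entry on line 3 for review, and the two 85.255.x.x resolver lines (6 and 7), while the ISP's own 195.92.195.x line passes, which is exactly the split TeMerc makes above. To run it on a real pasted log, call `triage(open(path).read(), expected=...)` with the resolvers the ISP actually assigns; the allowlist is the one input the script cannot infer from the log itself.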
  16. 2007/01/31
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    My Homepage should be www.orange.co.uk, and I am being redirected to MSN, and occasionally when I go to any other site, a second window will open with Ebay ads. Also, I get popups for various Spyware and Antivirus software I am advised to download.


    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "STManager" = " "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b" [ "THOMSON"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpeedTouch USB Diagnostics" = " "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" [ "THOMSON Telecom Belgium"]
    "Zone Labs Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {C0AC5542-A167-4748-BF42-9D1B09723A62}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\wvuvvvv.dll" [null data]
    {F461A25A-C780-47BE-A265-A4CEA38CE5F8}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nnlig.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    "{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component "
    -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component "
    \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [ "Corel Corporation"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
    "{75C735E0-9CE4-11cf-820B-00A0241B833F}" = "GLINT CPL Extension "
    -> {HKLM...CLSID} = "GLINT CPL Extension "
    \InProcServer32\(Default) = "3Dctrl.dll" [ "3Dlabs Incorporated"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
    <<!>> "{C0AC5542-A167-4748-BF42-9D1B09723A62}" = "*X" (unwritable string)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\wvuvvvv.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> nnlig\DLLName = "C:\WINDOWS\System32\nnlig.dll" [null data]
    <<!>> winnok32\DLLName = "winnok32.dll" [null data]
    <<!>> wvuvvvv\DLLName = "wvuvvvv.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55} "
    -> {HKLM...CLSID} = "AmvTransform Class "
    \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll" [empty string]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktop" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Disable Active Desktop}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|
    Don't save settings at exit}

    "ClassicShell" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Windows Explorer|
    Enable Classic Shell / Turn on Classic Shell}

    "NoThemesTab" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Enable Active Desktop}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
    Remove Task Manager}

    "NoDispAppearancePage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoColorChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSizeChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Hide Desktop tab}

    "NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispCPL" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Remove Display in Control Panel}

    "NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Mike Hughes" & "All Users" startup folders:
    -------------------------------------------------------------

    C:\Documents and Settings\Mike Hughes\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
    "InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{8B68564D-53FD-4293-B80C-993A9F3988EE}" = "Wanadoo "
    -> {HKLM...CLSID} = "Wanadoo "
    \InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll" [empty string]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} "
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" [ "Sun Microsystems, Inc."]


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL="http://www.wanadoo.co.uk "

    Missing lines (compared with English-language version):
    [Strings]: 2 lines


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    avast! Antivirus, avast! Antivirus, " "C:\Program Files\Alwil Software\Avast4\ashServ.exe" " [null data]
    avast! iAVS4 Control Service, aswUpdSv, " "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" " [null data]
    avast! Mail Scanner, avast! Mail Scanner, " "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" [ "ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, " "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" [ "ALWIL Software"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 172 seconds.
    ---------- (total run time: 289 seconds)
     
  17. 2007/01/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like a Vundo infection, which was in the back of my mind. Let's attack that with VundoFix and see how it fares. The developer recently changed the way it looks for these files based on input from various forums.

    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.


    After that has run, run Silent Runners again, then HJT and post all 3 logs back here for me to review.
     
  18. 2007/01/31
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 00:20:54, on 01/02/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\WScript.exe
    C:\Program Files\hijackthis\HijackThis.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe

    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
    O2 - BHO: (no name) - {6FB88B1A-9663-4FE0-A25A-0A0BB211C6C3} - C:\WINDOWS\System32\nnlig.dll (file missing)
    O2 - BHO: (no name) - {C0AC5542-A167-4748-BF42-9D1B09723A62} - C:\WINDOWS\system32\wvuvvvv.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.94 195.92.195.95
    O20 - Winlogon Notify: winnok32 - C:\WINDOWS\SYSTEM32\winnok32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    VundoFix V6.3.5

    Checking Java version...

    Java version is 1.5.0.3

    Java version is 1.5.0.7

    Scan started at 00:07:14 01/02/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\erwliymv.dll
    C:\WINDOWS\System32\gilnn.bak1
    C:\WINDOWS\System32\gilnn.bak2
    C:\WINDOWS\System32\gilnn.ini
    C:\WINDOWS\System32\nnlig.dll
    C:\WINDOWS\system32\pdhexdie.exe
    C:\WINDOWS\system32\rqrqoml.dll
    C:\WINDOWS\system32\urqqpmn.dll
    C:\WINDOWS\system32\vmyilwre.ini
    C:\WINDOWS\system32\wvuvvvv.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\erwliymv.dll
    C:\WINDOWS\system32\erwliymv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\gilnn.bak1
    C:\WINDOWS\System32\gilnn.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\gilnn.bak2
    C:\WINDOWS\System32\gilnn.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\System32\gilnn.ini
    C:\WINDOWS\System32\gilnn.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\nnlig.dll
    C:\WINDOWS\System32\nnlig.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pdhexdie.exe
    C:\WINDOWS\system32\pdhexdie.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rqrqoml.dll
    C:\WINDOWS\system32\rqrqoml.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\urqqpmn.dll
    C:\WINDOWS\system32\urqqpmn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vmyilwre.ini
    C:\WINDOWS\system32\vmyilwre.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wvuvvvv.dll
    C:\WINDOWS\system32\wvuvvvv.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "STManager" = " "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b" [ "THOMSON"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpeedTouch USB Diagnostics" = " "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" [ "THOMSON Telecom Belgium"]
    "Zone Labs Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {6FB88B1A-9663-4FE0-A25A-0A0BB211C6C3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nnlig.dll" [file not found]
    {C0AC5542-A167-4748-BF42-9D1B09723A62}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\wvuvvvv.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    "{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component "
    -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component "
    \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [ "Corel Corporation"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
    "{75C735E0-9CE4-11cf-820B-00A0241B833F}" = "GLINT CPL Extension "
    -> {HKLM...CLSID} = "GLINT CPL Extension "
    \InProcServer32\(Default) = "3Dctrl.dll" [ "3Dlabs Incorporated"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
    <<!>> "{C0AC5542-A167-4748-BF42-9D1B09723A62}" = "*W" (unwritable string)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\wvuvvvv.dll" [file not found]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> winnok32\DLLName = "winnok32.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55} "
    -> {HKLM...CLSID} = "AmvTransform Class "
    \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll" [empty string]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktop" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Disable Active Desktop}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|
    Don't save settings at exit}

    "ClassicShell" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Windows Explorer|
    Enable Classic Shell / Turn on Classic Shell}

    "NoThemesTab" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Enable Active Desktop}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
    Remove Task Manager}

    "NoDispAppearancePage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoColorChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSizeChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Hide Desktop tab}

    "NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispCPL" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Remove Display in Control Panel}

    "NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Mike Hughes" & "All Users" startup folders:
    -------------------------------------------------------------

    C:\Documents and Settings\Mike Hughes\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
    "InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{8B68564D-53FD-4293-B80C-993A9F3988EE}" = "Wanadoo "
    -> {HKLM...CLSID} = "Wanadoo "
    \InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll" [empty string]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} "
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" [ "Sun Microsystems, Inc."]


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL="http://www.wanadoo.co.uk "

    Missing lines (compared with English-language version):
    [Strings]: 2 lines


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    avast! Antivirus, avast! Antivirus, " "C:\Program Files\Alwil Software\Avast4\ashServ.exe" " [null data]
    avast! iAVS4 Control Service, aswUpdSv, " "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" " [null data]
    avast! Mail Scanner, avast! Mail Scanner, " "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" [ "ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, " "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" [ "ALWIL Software"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 181 seconds.
    ---------- (total run time: 292 seconds)
     
  19. 2007/01/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Alrighty, that looks to have done the trick. Just got an errant file to remove. Nice work.


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot "
    • Then select "All files ".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\SYSTEM32\winnok32.dll

    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard ".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Do not allow a reboot yet.


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)

    O2 - BHO: (no name) - {6FB88B1A-9663-4FE0-A25A-0A0BB211C6C3} - C:\WINDOWS\System32\nnlig.dll (file missing)

    O2 - BHO: (no name) - {C0AC5542-A167-4748-BF42-9D1B09723A62} - C:\WINDOWS\system32\wvuvvvv.dll (file missing)


    O20 - Winlogon Notify: winnok32 - C:\WINDOWS\SYSTEM32\winnok32.dll



    Reboot and run Silent Runners first, then HJT and post both logs back into this thread.
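Added example (my own code, not part of this thread or of Silent Runners, HijackThis or VundoFix): a small Python triage script that applies the "<<!>>: Suspicious data at a malware launch point" legend from the Silent Runners output and the selection of orphaned O2/O20 entries above to sample log lines constructed from this thread, cross-checking them against the files VundoFix reported deleting. The regexes, verdict strings and the sample lines are all my constructions.

```python
import ntpath
import re

# Constructed samples modelled on the logs posted in this thread (not the posted logs themselves).
SILENT_RUNNERS_SAMPLE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
-> {HKLM...CLSID} = "Eudora's Shell Extension "
\InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
<<!>> "{C0AC5542-A167-4748-BF42-9D1B09723A62}" = "*X" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\wvuvvvv.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> nnlig\DLLName = "C:\WINDOWS\System32\nnlig.dll" [null data]
<<!>> winnok32\DLLName = "winnok32.dll" [null data]
"""
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O2 - BHO: (no name) - {6FB88B1A-9663-4FE0-A25A-0A0BB211C6C3} - C:\WINDOWS\System32\nnlig.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O20 - Winlogon Notify: winnok32 - C:\WINDOWS\SYSTEM32\winnok32.dll
"""
# Two of the files the posted vundofix.txt reports as deleted.
VUNDOFIX_DELETED = [r"C:\WINDOWS\System32\nnlig.dll", r"C:\WINDOWS\system32\wvuvvvv.dll"]

KEY_RE = re.compile(r"^(HK(?:LM|CU)\\.*\\)\s*(?:\{\+\+\})?$")      # "HKLM\...\Notify\" or "...\Run\ {++}"
FLAG_RE = re.compile(r'^<<!>>\s+"?(.+?)"?\s*=\s*(.*)$')            # value Silent Runners marked suspicious
DLL_RE = re.compile(r'"([^"]+\.dll)"\s*\[([^\]]*)\]', re.IGNORECASE)  # DLL path + company-name tag
HJT_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")                   # HijackThis section, kind, fields

def parse_silent_runners(text):
    """Return the <<!>>-flagged entries with the DLL each launch point loads."""
    findings, key, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key, pending = m.group(1), None
            continue
        m = FLAG_RE.match(line)
        if m:                                      # flagged value line
            pending, rest = {"key": key, "entry": m.group(1)}, m.group(2)
        elif pending and line.startswith(r"\InProcServer32"):
            rest = line                            # CLSID -> DLL line that follows a flagged value
        else:
            continue
        d = DLL_RE.search(rest)
        if d:
            pending.update(dll=d.group(1), tag=d.group(2))
            findings.append(pending)
            pending = None
    return findings

def parse_hijackthis(text):
    """Return O2 (BHO) and O20 (Winlogon Notify) lines with target DLL and file status."""
    items = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m or m.group(1) not in ("O2", "O20"):
            continue
        fields = [f.strip() for f in m.group(3).split(" - ")]
        name, target, status = fields[0], fields[-1], "ok"
        for marker in ("(no file)", "(file missing)"):
            if target.endswith(marker):
                status, target = marker.strip("()"), target[:-len(marker)].strip()
        items.append({"section": m.group(1), "kind": m.group(2), "name": name,
                      "dll": target, "status": status})
    return items

def triage(sr_text, hjt_text, deleted_paths):
    """Rank launch points from both logs; returns (where, dll, verdict) tuples."""
    deleted = {ntpath.basename(p).lower() for p in deleted_paths}
    sr = parse_silent_runners(sr_text)
    sr_dlls = {ntpath.basename(f["dll"]).lower() for f in sr}
    report = []
    for f in sr:
        where = f["key"].rstrip("\\").rsplit("\\", 1)[-1]
        has_vendor = f["tag"].strip() == "MS" or f["tag"].strip().startswith('"')
        if ntpath.basename(f["dll"]).lower() in deleted:
            verdict = "high: launch point still registered for a file VundoFix deleted"
        elif not has_vendor:                       # [null data], [empty string], [file not found]
            verdict = "high: flagged launch point, DLL carries no company name"
        else:
            verdict = "review: flagged launch point, but DLL names a vendor"
        report.append((where, f["dll"], verdict))
    for h in parse_hijackthis(hjt_text):
        if h["status"] != "ok":
            verdict = "high: orphaned %s registration (%s)" % (h["kind"], h["status"])
        elif h["section"] == "O20" and ntpath.basename(h["dll"]).lower() in sr_dlls:
            verdict = "high: Winlogon Notify DLL also flagged by Silent Runners"
        elif h["section"] == "O20":
            verdict = "review: Winlogon Notify is a persistence point; verify the DLL"
        else:
            verdict = "info: BHO whose file is present"
        report.append((h["section"], h["dll"] or h["name"], verdict))
    return report
```

Run against the constructed samples, `triage()` singles out exactly the entries picked for removal above: the two orphaned BHOs, the ShellExecuteHooks and Winlogon\Notify entries for the deleted Vundo DLLs, and winnok32.dll, which both tools report with no company name.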
     
  20. 2007/02/01
    mikeyewz

    mikeyewz Inactive Thread Starter

    Joined:
    2005/07/05
    Messages:
    24
    Likes Received:
    0
    Hi, unfortunately, my homepage is still being redirected from www.orange.co.uk to MSN.

    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MSMSGS" = " "C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "STManager" = " "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b" [ "THOMSON"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpeedTouch USB Diagnostics" = " "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" [ "THOMSON Telecom Belgium"]
    "Zone Labs Client" = " "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" " [ "Zone Labs, LLC"]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "QuickTime Task" = " "C:\Program Files\QuickTime\qttask.exe" -atboottime" [ "Apple Computer, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    "{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell Extension Component "
    -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component "
    \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [ "Corel Corporation"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]
    "{75C735E0-9CE4-11cf-820B-00A0241B833F}" = "GLINT CPL Extension "
    -> {HKLM...CLSID} = "GLINT CPL Extension "
    \InProcServer32\(Default) = "3Dctrl.dll" [ "3Dlabs Incorporated"]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu "
    -> {HKLM...CLSID} = "Portable Media Devices Menu "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" = "Eudora's Shell Extension "
    -> {HKLM...CLSID} = "Eudora's Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Qualcomm\Eudora\EuShlExt.dll" [ "Qualcomm Inc."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> winnok32\DLLName = "winnok32.dll" [file not found]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info "
    -> {HKLM...CLSID} = "PDF Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" [ "Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55} "
    -> {HKLM...CLSID} = "AmvTransform Class "
    \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\AmvTransform.dll" [empty string]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" [ "ALWIL Software"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktop" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Disable Active Desktop}

    "NoSaveSettings" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|
    Don't save settings at exit}

    "ClassicShell" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Windows Components|Windows Explorer|
    Enable Classic Shell / Turn on Classic Shell}

    "NoThemesTab" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
    Enable Active Desktop}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    "NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "DisableRegistryTools" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|
    Prevent access to registry editing tools}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
    Remove Task Manager}

    "NoDispAppearancePage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoColorChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoSizeChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Hide Desktop tab}

    "NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispCPL" = (REG_DWORD) hex:0x00000000
    {User Configuration|Administrative Templates|Control Panel|Display|
    Remove Display in Control Panel}

    "NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    "NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}

    "DisableTaskMgr" = (REG_DWORD) hex:0x00000000
    {unrecognized setting}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Startup items in "Mike Hughes" & "All Users" startup folders:
    -------------------------------------------------------------

    C:\Documents and Settings\Mike Hughes\Start Menu\Programs\Startup
    "Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" [ "Adobe Systems, Inc."]
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [ "Adobe Systems Incorporated"]
    "InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [empty string]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{8B68564D-53FD-4293-B80C-993A9F3988EE}" = "Wanadoo "
    -> {HKLM...CLSID} = "Wanadoo "
    \InProcServer32\(Default) = "C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll" [empty string]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} "
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_07 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll" [ "Sun Microsystems, Inc."]


    Miscellaneous IE Hijack Points
    ------------------------------

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings ")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL="http://www.wanadoo.co.uk "

    Missing lines (compared with English-language version):
    [Strings]: 2 lines


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    avast! Antivirus, avast! Antivirus, " "C:\Program Files\Alwil Software\Avast4\ashServ.exe" " [null data]
    avast! iAVS4 Control Service, aswUpdSv, " "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" " [null data]
    avast! Mail Scanner, avast! Mail Scanner, " "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" [ "ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, " "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" [ "ALWIL Software"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" [ "Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 163 seconds.
    ---------- (total run time: 247 seconds)





    Logfile of HijackThis v1.99.1
    Scan saved at 15:02:36, on 01/02/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.94 195.92.195.95
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.94 195.92.195.95
    O20 - Winlogon Notify: winnok32 - winnok32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  21. 2007/02/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like we neutered the infection, with just a single entry in HJT to be fixed.

    Your Silent Runners log indicates a homepage as you say it is supposed to be.

    Does the Avast antivirus have any homepage\IE settings in it? And when you open IE, does the page come up as the UK page, then re-direct to the MSN page? Let us know.

    Let's fix the single item remaining in HJT.

    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    O20 - Winlogon Notify: winnok32 - winnok32.dll (file missing)


    Reboot and post a new HJT log back into this thread please.

    We'll then address the lone registry entry.
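As an added example (not code from this thread, from HijackThis or from Silent Runners), here is a small Python triage script that runs over HJT-style log lines like the ones flagged above: it picks out O20 Winlogon Notify entries, unnamed O2 BHOs and O17 NameServer lines, and records when a launch point's target file is already gone, which is the orphaned state the remaining winnok32 entry is in after Killbox removed the DLL. The severity scale and the "orphan" flag are the example's own conventions, not HJT output; the sample lines are copied from the logs posted in this thread plus one benign O4 line.

```python
"""Triage of HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis, Silent Runners
or any post above. The severity labels and the "orphan" notion are the
example's own conventions, not HJT output.
"""
import re
from dataclasses import dataclass

# Constructed sample log: lines copied from the HJT logs posted in this thread,
# plus one benign O4 line, so the triage runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - (no file)
O2 - BHO: (no name) - {6FB88B1A-9663-4FE0-A25A-0A0BB211C6C3} - C:\WINDOWS\System32\nnlig.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8BFF52-8927-4317-824E-A707217A7E0F}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: winnok32 - winnok32.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# HJT marks entries whose target file no longer exists; a deleted DLL whose
# registry launch point survives is exactly the state the thread ends in.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$")


@dataclass
class Finding:
    section: str     # HJT section code, e.g. "O20"
    severity: str    # "high" / "medium" / "info" (example's own scale)
    orphan: bool     # launch point present but its file is gone
    reason: str
    line: str


def triage_line(line: str):
    """Classify one HJT log line; return a Finding, or None for lines not flagged."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.groups()
    orphan = bool(ORPHAN_RE.search(body))

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # A Notify DLL is loaded by winlogon.exe at logon, before the shell,
        # so it runs with SYSTEM privileges and survives reboots.
        reason = "Winlogon Notify DLL: loaded by winlogon.exe at every logon"
        if orphan:
            reason += "; file already gone, registry entry is orphaned"
        return Finding(section, "high", orphan, reason, line)

    if section == "O2" and "(no name)" in body:
        # Legitimate Browser Helper Objects almost always carry a product name.
        reason = "Browser Helper Object without a name"
        if orphan:
            reason += "; file already gone, registry entry is orphaned"
        return Finding(section, "medium", orphan, reason, line)

    if section == "O17":
        # Per-adapter DNS servers are normal for an ISP connection, but DNS
        # hijackers set them too, so the values should be confirmed as the ISP's.
        return Finding(section, "info", orphan,
                       "per-adapter DNS servers set; confirm they belong to the ISP", line)

    return None


def triage(log_text: str):
    """Run triage_line over a whole log and return the flagged entries in order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 1, 'medium': 2, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section} orphan={f.orphan}: {f.reason}")
        print("         ", f.line)
    print(summary(found))
```

The orphan flag is what separates "file still to delete" from "only the registry entry left": with the DLL gone, fixing the O20 line in HJT removes the last launch point, which is the step TeMerc's post asks for.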
     
