
VOX, HGT Generic Trojan [HJT Log]

Discussion in 'Malware and Virus Removal Archive' started by xwire, 2006/07/24.

  1. 2006/07/24
    xwire

    xwire Inactive Thread Starter

    Joined:
    2006/07/24
    Messages:
    4
    Likes Received:
    0
    Hi,
    Recently my AVG virus checker picked up a trojan infection, identifying VOX Generic & HGT Generic. I know there are other threads dealing with these, but I understand that each infection pattern is different? AVG will not remove these, although it will quarantine some continuously recreated files from /system32.
    I have removed the installed overlying desktop web page & run Ad-Aware & Ewido in safe mode, plus the Trend Micro online scan. However, AVG is still popping up warnings and the files are still being created in system32.

    My HJT log looks like:

    Logfile of HijackThis v1.99.1
    Scan saved at 15:11:22, on 24/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\M-Audio\Black Box\MAUSBBBInst.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Steinberg\MI4\MI4tray.exe
    C:\Program Files\M-Audio\Black Box\BlackBoxHelper.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\a-squared Anti-Malware\a2guard.exe
    C:\Program Files\a-squared Anti-Malware\a2scan.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/hometime/home_btd2.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Documents and Settings\Graham Dallas\Application Data\Mozilla\Profiles\default\uke8m6da.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Graham Dallas\Application Data\Mozilla\Profiles\default\uke8m6da.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\ACCESS~1\ACCESS~1.DLL (file missing)
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [MI4Tray] C:\Program Files\Steinberg\MI4\MI4tray.exe
    O4 - HKLM\..\Run: [Black Box Helper] C:\Program Files\M-Audio\Black Box\BlackBoxHelper.exe
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe "
    O4 - HKLM\..\Run: [eiyat.exe] C:\WINDOWS\system32\eiyat.exe
    O4 - Startup: desktop.inik
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/time/reg/hometime/home_btd2.htm
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125827388765
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{289B4583-3832-4717-BB92-A6814FA1C390}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3BB40F3F-5EBC-4A47-B851-AF27402DB3B7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{43E399A8-6857-4A1D-8C58-E25A362B79F5}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46DFB737-E91D-49AB-89DC-F11216155D29}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57CB3FA8-7FB9-4399-B44F-DAFB43A9B5E7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58417FED-5B62-4A7A-A09E-ADA993E69BE7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD3BE62-6EFD-49CE-8C0E-D4ACC7E602F9}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9E6B9C4A-E104-4FEB-91A0-058EE7242740}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C00A0383-78DB-4149-B7E1-5563DC3A6C67}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: M-Audio BlackBox Installer (MAudioBlackBoxService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Black Box\MAUSBBBInst.exe
    O23 - Service: Ntl80ddbm - Unknown owner - (no file)
    O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Any help would be much appreciated,

    Xwire
     
    Last edited: 2006/07/24
  2. 2006/07/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Xwire - Welcome to the Board :)

    There are signs of infections in your HJT log, but they are not readily identifiable. We shall need to step through a few stages to try and clean up for you....

    Please download VundoFix.exe to your desktop.

    Double-click VundoFix.exe to run it and check the box to Run VundoFix as a task.

    You will receive a message saying Vundofix will close and re-open in a minute or less. Click OK

    When VundoFix re-opens, click the Scan for Vundo button.

    Once it's done scanning and if anything is found click the Remove Vundo button.

    You will receive a prompt asking if you want to remove the files, click YES

    Once you click Yes your desktop will go blank as it starts removing Vundo.

    When completed, it will prompt that it will shutdown your computer, click OK.

    Reboot into Safe mode and scan again with HJT and place a check mark against these entries if present and click on Fix Selected.

    Reboot into Normal mode, scan again with HJT and post the VundoFix log located at C:\vundofix.txt and the HJT log here.

    Please confirm that you have the latest version of Ewido v 4.0.0.172
     

  4. 2006/07/24
    xwire

    xwire Inactive Thread Starter

    Joined:
    2006/07/24
    Messages:
    4
    Likes Received:
    0
    Hi,
    Thanks for the reply. I ran Vundo, however it didn't find anything and just exited. Incidentally I also noticed that my IP settings had been changed to use specific DNS servers: 85.255.112.85 or 85.255.115.52.
    The files appearing in system32 are of the form {08878110-378A-4B06-8B8E-8DCD3A75F212}.exe

    My copy of ewido is the latest.

    Cheers,
    xwire
     
  5. 2006/07/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    My apologies - I see I omitted to specify which entries to fix in your HJT log :(

    So please reboot into Safe mode and scan again with HJT and place a check mark against these entries and click on Fix Selected....

    O4 - HKLM\..\Run: [eiyat.exe] C:\WINDOWS\system32\eiyat.exe
    O4 - Startup: desktop.inik

    Reboot into Normal mode and delete eiyat.exe from C:\WINDOWS\system32\ if it exists - you may need to enable viewing of hidden and protected system files.

    Scan again with HJT and post the HJT log here.

    I noted the O17 entries and was surprised to see so many, but they appear to be legit - RIPE Network
     
  6. 2006/07/24
    xwire

    xwire Inactive Thread Starter

    Joined:
    2006/07/24
    Messages:
    4
    Likes Received:
    0
    Hi,
    Removed the .inik and eiyat.exe files. HJT log is now:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:33:20, on 24/07/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\M-Audio\Black Box\MAUSBBBInst.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Steinberg\MI4\MI4tray.exe
    C:\Program Files\M-Audio\Black Box\BlackBoxHelper.exe
    C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iesearch.freeserve.com/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/time/reg/hometime/home_btd2.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Documents and Settings\Graham Dallas\Application Data\Mozilla\Profiles\default\uke8m6da.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src "); (C:\Documents and Settings\Graham Dallas\Application Data\Mozilla\Profiles\default\uke8m6da.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Accessibility Toolbar - {11352A67-0178-46B1-8855-D50B2F81C054} - C:\PROGRA~1\ACCESS~1\ACCESS~1.DLL (file missing)
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [MI4Tray] C:\Program Files\Steinberg\MI4\MI4tray.exe
    O4 - HKLM\..\Run: [Black Box Helper] C:\Program Files\M-Audio\Black Box\BlackBoxHelper.exe
    O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe "
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe "
    O4 - Startup: desktop.inik
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/time/reg/hometime/home_btd2.htm
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125827388765
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{289B4583-3832-4717-BB92-A6814FA1C390}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3BB40F3F-5EBC-4A47-B851-AF27402DB3B7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{46DFB737-E91D-49AB-89DC-F11216155D29}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{57CB3FA8-7FB9-4399-B44F-DAFB43A9B5E7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{58417FED-5B62-4A7A-A09E-ADA993E69BE7}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7DD3BE62-6EFD-49CE-8C0E-D4ACC7E602F9}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C00A0383-78DB-4149-B7E1-5563DC3A6C67}: NameServer = 85.255.115.52,85.255.112.85
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: M-Audio BlackBox Installer (MAudioBlackBoxService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Black Box\MAUSBBBInst.exe
    O23 - Service: Ntl80ddbm - Unknown owner - (no file)
    O23 - Service: VMware Authorization Service (VMAuthdService) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\System32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I think that's made a difference, as usually AVG gives me popup warnings as soon as I log in, & it didn't this time. I thought the DNS settings were weird, as all my net settings had been changed to be the same - even old dialups I haven't used for ages and my internal VMware net...

    Thanks,
    xwire
     
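Added example, not from the thread or from HijackThis: a Python script that parses the O17 lines of an HJT log like the ones posted above and flags the pattern xwire describes, the same pair of public resolvers written to every adapter (including unused dial-ups and the VMware NICs) and to the global Tcpip\Parameters key. The sample lines are constructed from values in the posted log; the function names parse_o17 and assess_dns are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# HijackThis O17 lines come in two shapes, with different list separators:
#   per-adapter: O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h
#   global:      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = a.b.c.d e.f.g.h
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[\d. ,]+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample input for this example. The two resolver addresses are the ones
# quoted in the thread; the adapter GUIDs are the first two from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{289B4583-3832-4717-BB92-A6814FA1C390}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BB40F3F-5EBC-4A47-B851-AF27402DB3B7}: NameServer = 85.255.115.52,85.255.112.85
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.52 85.255.112.85
"""

# Constructed benign case: one adapter and the global key both pointing at a LAN router.
BENIGN_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{289B4583-3832-4717-BB92-A6814FA1C390}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line, accepting ',' or ' ' separators."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def assess_dns(entries):
    """Flag the pattern from the thread: every adapter and the global Tcpip\\Parameters key
    hard-wired to one identical set of public resolvers. Private (LAN) resolvers are not flagged."""
    if not entries:
        return {"suspicious": False, "reason": "no O17 entries", "servers": []}
    distinct = Counter(tuple(s) for _, s in entries)
    servers = list(distinct.most_common(1)[0][0])
    adapters = sum(1 for key, _ in entries if GUID_RE.search(key))
    global_keys = len(entries) - adapters
    try:
        public = all(not ipaddress.ip_address(s).is_private for s in servers)
    except ValueError:
        # A NameServer value that is not an IP address at all deserves a look on its own.
        return {"suspicious": True, "reason": "unparseable NameServer value", "servers": servers}
    uniform = len(distinct) == 1
    suspicious = uniform and public and adapters >= 2 and global_keys >= 1
    reason = (f"same public resolvers on {adapters} adapters and {global_keys} global keys"
              if suspicious else "no uniform public resolver override")
    return {"suspicious": suspicious, "reason": reason, "servers": servers,
            "adapters": adapters, "global_keys": global_keys}


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        print(name, assess_dns(parse_o17(log)))
```

Run it over a full saved HJT log by passing the file contents to parse_o17; a single adapter with a router address is left alone, so only the across-every-adapter override stands out.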
  7. 2006/07/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    You're welcome, but we may not be home and dry yet :)

    O4 - Startup: desktop.inik

    has reappeared - nothing on Google which is always worrying. I shall seek advice from a fellow moderator and come back to you when I have a response.
     
  8. 2006/07/24
    xwire

    xwire Inactive Thread Starter

    Joined:
    2006/07/24
    Messages:
    4
    Likes Received:
    0
    Hi,
    I just had a quick look, and desktop.inik contained:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787

    Which is identical to another desktop.ini file I have. I deleted it manually this time, restarted and it hasn't reappeared. I'll keep an eye out though, just in case.
    Thank you very much for your help, it has been very much appreciated.
    xwire.
     
  9. 2006/07/24
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    OK, but I'll come back to you anyway if I get any info - I would like to know the source of it.
     
