Jump to content


Photo

Small amount of space on drive C:


  • This topic is locked This topic is locked
27 replies to this topic

#1 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 15 December 2005 - 11:32 AM

Hi! Thanks in advance for helping me.
My problem goes like this:
I have my winchester 'shared' drive C: and drive D:.
Capacity of C: is 4,87 GB. Before I turned off my computer I've deleted the temporary
internet files with internet explorer and mozilla firefox. Then runned CCleaner. I had 1,18 free space.
Two hours later I turned the computer on and there was only 1,11 GB free space. I've runned all these programs again but they didn't help. I searched what files have been created or modified today but found nothing just small files. Then in Windows directory I found some hidden folders. Their names were something like: "$uninstall$" but there were much more symbols. One of these directory contained 40 or more folders and every folder contained the same files. :wacko:
I thought this could be the problem (totally they were 144 Mb) so I deleted them but I still have 1,11 GB free space. :blink:
So I don't know what's up now.

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 18:27:23, on 2005.12.15.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ear Power Training Center\VideoClockTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HTC\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VideoClockTray.lnk = D:\Program Files\Ear Power Training Center\VideoClockTray.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - D:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Letöltés a FlashGet-tel - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MINDEN letöltése a FlashGet-tel - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect szolgáltatás (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#2 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 22 December 2005 - 03:35 PM

Capacity of C: is 4,87 GB. Before I turned off my computer I've deleted the temporary
internet files with internet explorer and mozilla firefox. Then runned CCleaner. I had 1,18 free space.
Two hours later I turned the computer on and there was only 1,11 GB free space. I've runned all these programs again but they didn't help. I searched what files have been created or modified today but found nothing just small files. Then in Windows directory I found some hidden folders. Their names were something like: "$uninstall$" but there were much more symbols. One of these directory contained 40 or more folders and every folder contained the same files.


nothing suspicious found in your log.

To loose .07 space in free space is nothing to worry about.

The "$uninstall$" folders and files are updates you did with Microsoft. If you ever need to reinstall them the are at your disposal. ( I have many on my computer.)
of your Remove/delete these folders it will mean that you will have to reinsalll the updates should you ever need them.

Any other difficulties with your computer?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#3 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 23 December 2005 - 09:55 AM

Well, my fear is that C: slowly will run out of so much space that Windows won't work properly.
Even if I install a software on drive D: it takes up space on drive C:, when I uninstall it there's less space on C: than were before (even if I run CCleaner or clear out restore points). Why is that?

#4 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 23 December 2005 - 02:22 PM

it takes up space on drive C:, when I uninstall it there's less space on C: than were before (even if I run CCleaner or clear out restore points). Why is that?


Is this recent?

Is d: a new partition or a Folder?

Something is wrong and I would like to know since when this is happening.

What change to your operating system did you do last?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#5 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 27 December 2005 - 03:52 PM

D: is a partition.

After using the net I always delete temporary internet files and run CCleaner and I always get another result. I don't know how much free space C: has "in real" because of this.
It happened yesterday that I left the computer alone for two hours, when there was 1,30 GB free space, there wasn't any application running and wasn't online when I returned it had only 1,28 GB. :scratchhead:
I can't remember since when this is happening I think I reinstalled Windows a half year ago.

#6 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 28 December 2005 - 08:18 AM

Use your search engine to find out if new files are being created.

I do not have a windows XP to guide you with this but the search engine has and advance option were you can see all new files created in the timeframe you specify.
That may give you a clue as to what may be added to your computer.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#7 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 02 January 2006 - 03:39 PM

Use your search engine to find out if new files are being created.


Do you mean I click on the 'Start' button then on 'Search' or some other method?

#8 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 03 January 2006 - 01:33 PM

Yes, then select search Options. Work with it.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 10 January 2006 - 04:26 PM

Well, in the last few day I checked it, but the files that are created or modified (on drive C: ) are usually around just 40 MB.

#10 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 11 January 2006 - 09:46 AM

Well, in the last few day I checked it, but the files that are created or modified (on drive C: ) are usually around just 40 MB.


Where are the file situated. Do you recognize the files and are the of your making, or have you modified them?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#11 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 16 January 2006 - 02:40 PM

Sorry for the big delay, but I had some other things to do and didn't even have the time to turn on the computer.
But now looks like another virus has infected it. :blush:
A lot of new files appeared on both drive C: and D:, they look like this: filename.jpg.exe or filename.mp3.exe.
For example if there's a picture1.jpg file , in the same directory there's picture1.jpg.exe next to it. Looks like it only happened only with mp3 or jpg files (and not all of them but there's lot because I searched and found 15343 files like this).
I've tried to delete some of them, but there's more and more apperaring (and some of them can't even be deleted, removed or renamed.) I've run Spybot but it found nothing.

Here's the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:38:15, on 2006.01.16.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ear Power Training Center\VideoClockTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\HTC\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VideoClockTray.lnk = D:\Program Files\Ear Power Training Center\VideoClockTray.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - D:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Letöltés a FlashGet-tel - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MINDEN letöltése a FlashGet-tel - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect szolgáltatás (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#12 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 16 January 2006 - 03:54 PM

Looks like you have a virus/worm that is changing your .jpg file to .jpg.exe

If this is the case you need to clean that computer now.

* Download and install CCleaner
Do not use it yet.

Please download Ewido Security Suite; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.
  • Reboot into Safe Mode: ( without networking support !)
  • To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.
  • Still in safe mode Start Ccleaner
    click "Options", click the "Advanced" tab
    Uncheck: "Only delete files older than 48 hrs.", click Ok
    Click "Cleaner" and click Run Cleaner (bottom right)
  • Open Ewido anti-malware
    Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

Run HijackThis and post a new log along with the ewido report.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#13 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 17 January 2006 - 01:43 PM

I have done it, but the exes haven't disappeared.
Look like it also infected some avi files.

HiJackThis log
:

Logfile of HijackThis v1.99.1
Scan saved at 20:37:46, on 2006.01.17.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Winamp\winampa.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ear Power Training Center\VideoClockTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\notepad.exe
C:\HTC\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VideoClockTray.lnk = D:\Program Files\Ear Power Training Center\VideoClockTray.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - D:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Letöltés a FlashGet-tel - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MINDEN letöltése a FlashGet-tel - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect szolgáltatás (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


Ewido log
:

---------------------------------------------------------
ewido anti-malware - Találati jelentés
---------------------------------------------------------

+ Készült: 20:26:30, 2006.01.17.
+ Jelentés-Ellenőrzőösszeg: 83056880

+ Keresés eredménye:

C:\Documents and Settings\NagymesterB.HUTOSZEKRENY\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1109b54b-652bb4a8.zip/GetAccess.class -> Downloader.Java.OpenConnection.aj : Tisztítás mentéssel
C:\Documents and Settings\NagymesterB.HUTOSZEKRENY\Cookies\nagymesterb@burstnet[2].txt -> Spyware.Cookie.Burstnet : Tisztítás mentéssel
C:\Documents and Settings\NagymesterB.HUTOSZEKRENY\Cookies\nagymesterb@statcounter[2].txt -> Spyware.Cookie.Statcounter : Tisztítás mentéssel
:mozilla.17:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Tisztítás mentéssel
:mozilla.34:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Overture : Tisztítás mentéssel
:mozilla.35:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Atdmt : Tisztítás mentéssel
:mozilla.36:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Questionmarket : Tisztítás mentéssel
:mozilla.42:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Adorigin : Tisztítás mentéssel
:mozilla.43:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Adorigin : Tisztítás mentéssel
:mozilla.44:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Adorigin : Tisztítás mentéssel
:mozilla.48:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Sexcounter : Tisztítás mentéssel
:mozilla.49:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Sexcounter : Tisztítás mentéssel
:mozilla.56:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Fastclick : Tisztítás mentéssel
:mozilla.57:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
:mozilla.58:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
:mozilla.59:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
:mozilla.60:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
:mozilla.61:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
:mozilla.67:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Casalemedia : Tisztítás mentéssel
:mozilla.68:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Casalemedia : Tisztítás mentéssel
:mozilla.69:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Casalemedia : Tisztítás mentéssel
:mozilla.70:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Adserver : Tisztítás mentéssel
:mozilla.71:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Adserver : Tisztítás mentéssel
:mozilla.72:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Valuead : Tisztítás mentéssel
:mozilla.73:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Valuead : Tisztítás mentéssel
:mozilla.74:D:\ckettospont\Documents and Settings\NagymesterB\Application Data\Mozilla\Firefox\Profiles\sih6aa43.default\cookies.txt -> Spyware.Cookie.Valuead : Tisztítás mentéssel
D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Tisztítás mentéssel
D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Tisztítás mentéssel
D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Tisztítás mentéssel
D:\ckettospont\Program Files\FlashGet\BACKUP\cd_install277.exe/cd_clint.dll -> Spyware.Cydoor : Tisztítás mentéssel


::Jelentés Vége

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 19 January 2006 - 08:33 AM

Looks like ewido came out clean.

Try this scan. Panda does not clean your system unless you have the paid version but it does find things that other dont.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files us is detected, click the See Report button, then Save Report and save it to a convenient location.

Let me see the contents.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#15 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 24 January 2006 - 04:25 PM

I've run Activescan and the exes have disappeared. :D


For drive C:\

Where are the file situated. Do you recognize the files and are the of your making, or have you modified them?


I don't know how could I post a list of the files that appear in the search.

Activescan log: I couldn't post it beacuse it's beyond the maximum charachter length. But I checked it lists all the exes files and says every one of them are disinfected.

#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 25 January 2006 - 09:22 AM

Is everything OK?

If not run Panda again. This time I'm sure the log will be smaller. But if you feel satisfied that it's all clean let it go.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#17 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 30 January 2006 - 04:29 PM

Yes, everything seems all right, but I' ve run it again to make sure.

Activescan log:


Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\NagymesterB.HUTOSZEKRENY\Cookies\nagymesterb@statcounter[1].txt
Adware:Adware/SaveNow Not disinfected C:\Program Files\RadLight\RadLight3\RPKi\RPK.exe
Spyware:Cookie/Belnk Not disinfected D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@dist.belnk[2].txt
Spyware:Cookie/Maxserving Not disinfected D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@maxserving[1].txt
Spyware:Cookie/Yadro Not disinfected D:\ckettospont\Documents and Settings\NagymesterB\Local Settings\Temp\Cookies\nagymesterb@yadro[2].txt




What should I do about drive C:\ ?
Now the free space is around 1,22 GB.

#18 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 31 January 2006 - 08:02 AM

Find out more about your C and D shared drives.
http://www.winsys.co...nfiguration.php


If you can remove this program with the Add/Remove programs applet do so.

Then Open Windows explorer and delete this folder if found.

C:\Program Files\RadLight\

Restart the computer normally.

Submit a fresh HijackThis log for review.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#19 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 05 February 2006 - 02:21 PM

C:\Program Files\RadLight\

Restart the computer normally.

Submit a fresh HijackThis log for review.


Should I really delete Radlight? Spybot always finds it also but there isn't any problem with it. :unsure:

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:20:01, on 2006.02.05.
Platform: Windows XP Szervizcsomag 2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Ear Power Training Center\VideoClockTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\BitLord\BitLord.exe
D:\Program Files\Guitar Pro 4\GP4.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\DOSBox-0.63\dosbox.exe
C:\HTC\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hivatkozások
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\FlatBed\HotKey.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VideoClockTray.lnk = D:\Program Files\Ear Power Training Center\VideoClockTray.exe
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - D:\PROGRA~1\FLASHS~1.1\save.htm
O8 - Extra context menu item: Letöltés a FlashGet-tel - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MINDEN letöltése a FlashGet-tel - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - D:\PROGRA~1\FLASHS~1.1\save.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://map2.index.hu...eX/mgaxctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect szolgáltatás (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

#20 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 06 February 2006 - 08:32 AM

Should I really delete Radlight? Spybot always finds it also but there isn't any problem with it.


It's reported to be Ad-Aware, that is the reason Spybot will spot it.
Adware:Adware/SaveNow Not disinfected C:\Program Files\RadLight\RadLight3\RPKi\RPK.exe
Your call if you want to keep it.

Your log is clean of malware.

How did I get infected in the first place?

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed.
If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK.
  • Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in it's database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows AntiSpyware improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it block ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerioand Sygate

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

11.) Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.

Happy safe computing!!
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#21 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 16 February 2006 - 10:29 AM

Ok, thanks for your help. I guess everything's fine now. I will try http://www.winsys.co...nfiguration.php, although it's a little bit hard for me to understand. :rolleyes:
Thanks for your help once again. I guess this topic can be locked now.

#22 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 16 February 2006 - 10:44 AM

Is the computer running Ok?
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#23 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 20 February 2006 - 02:11 PM

Yes, everything is fine, the only thing I don't get is what is with drive C:\. Now it has 1,14 GB.

#24 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 20 February 2006 - 03:47 PM

Cut the log into one or more files.

Then post the next page into a new message.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#25 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 27 February 2006 - 04:15 PM

Cut the log into one or more files.

Then post the next page into a new message.


What kind of log? ???

Activescan log was a long one, when the computer was infected it with those exe files.
It cleared them, I've run Activescan again and the log became much smaller, it's the one I posted on Jan 30 2006, 05:29.

#26 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 28 February 2006 - 08:16 AM

I see nothing wrong in that log.

Unless you can identify some other problems I cannot help you anymore. Sorry.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#27 Imaloser

Imaloser

    Member

  • Full Member
  • Pip
  • 80 posts

Posted 02 March 2006 - 02:28 PM

It's ok. Thanks for the help anyway. :wave:

#28 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,325 posts

Posted 02 March 2006 - 02:57 PM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760




Member of UNITE
Support SpywareInfo Forum - click the button