Author Topic: help multiple e-mails  (Read 6550 times)


tanzanos

  • Guest
help multiple e-mails
« on: July 02, 2007, 11:58:31 AM »
Zone Alarm warns me that the avast e-mail scanner service is trying to transmit e-mail messages. If I accept, then avast starts to scan multiple e-mails?

Logfile of HijackThis v1.99.1
Scan saved at 12:57:49 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
C:\WINDOWS\Microsoft.NET\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\DOWNLOAD\spyware remover\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoby.net/sb/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoby.net/sp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\OTEnet-SAGEM Fast 800\dslmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.otenet.gr/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143975950781
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E2A73CD-5690-410B-A0EC-3425C8B56DBB}: NameServer = 195.170.0.1 195.170.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: DirectX Service (Nadug) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

« Last Edit: July 02, 2007, 12:45:03 PM by tanzanos »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: help multiple e-mails
« Reply #1 on: July 02, 2007, 03:12:57 PM »
avast isn't sending the emails, it is scanning them as they pass through the Internet Mail localhost proxy. So something is sending emails from your system, and because it is using email ports (25) that avast monitors, they are scanned.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. If using WinXP: AVG Anti-Spyware (formerly Ewido), or SUPERAntiSpyware, or Spyware Terminator.
2. Ad-Aware SE Personal Edition
3. Spybot Search and Destroy
4. SpywareBlaster. Don't install this until you are clean.

This entry looks suspect, not a system file, not in my system32 folder:

O23 - Service: DirectX Service (Nadug) - Unknown owner - C:\WINDOWS\system32\directx.exe
See http://www.liutilities.com/products/wintaskspro/processlibrary/directx/.

Run HJT again, Fix the entry (tick the box on the left of it) and click Fix. Now add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software).

You may need to 'End Task' in Task Manager before trying to delete it.

Disable system restore and delete the file from the system32 folder (you now have a copy in the user files section of the chest).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
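Two checks that follow from the reasoning in the reply above, as an added example (not code from the thread, from DavidR, or from avast): one reads HijackThis O23 service lines and says why an entry deserves a closer look (unknown owner, binary in system32 under a Microsoft-sounding name, unresolved path), the other reads a `netstat -bno` style snapshot and reports which processes own port-25 connections other than the mail client or the scanner proxy, since the firewall only names the proxy that relays the traffic. The O23 sample lines are copied from the log in this thread; the netstat snapshot, the column layout it assumes and the allow-list of mail programs are constructed assumptions.

```python
"""Added example: triage helpers for the situation described in reply #1.
triage_o23() scores HijackThis O23 service lines; find_unexpected_smtp() names the
process behind port-25 connections that the firewall attributes to the scanner proxy.
The netstat layout, PIDs, addresses and allow-list below are assumptions."""
import re

# HijackThis O23 layout: "O23 - Service: <display (short)> - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
MS_WORDS = ("directx", "windows", "microsoft")  # names that imply a Microsoft component

# netstat -bno on XP: "TCP <local> <remote> <state> <pid>" then "[image.exe]" (assumed layout)
NETSTAT_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$")
IMAGE_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")
EXPECTED_MAILERS = {"ashmaisv.exe", "outlook.exe", "thunderbird.exe"}  # assumption for this host


def parse_o23(line):
    """Split one O23 line into its fields; None if the line is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path").strip('"'),
        "missing": m.group("missing") is not None,
    }


def triage_o23(line):
    """Return the reasons an O23 line deserves a closer look (empty list = nothing odd)."""
    svc = parse_o23(line)
    if svc is None:
        return []
    reasons = []
    owner_unknown = svc["owner"] == "Unknown owner"
    if svc["missing"]:
        # HJT prints "(file missing)" when it cannot resolve the path. In this thread the
        # avast entries get it because of a stray quote in the image path, so verify first.
        reasons.append("path not resolved (check quoting / removed binary)")
    elif owner_unknown:
        reasons.append("running binary with no vendor information")
    if any(w in svc["display"].lower() for w in MS_WORDS) and "microsoft" not in svc["owner"].lower():
        reasons.append("Microsoft-sounding name, non-Microsoft owner")
    if owner_unknown and svc["path"].lower().startswith("c:\\windows\\system32\\"):
        reasons.append("unknown-owner executable dropped straight into system32")
    return reasons


def find_unexpected_smtp(netstat_text):
    """Return sorted (image, remote) pairs for port-25 connections whose owning process
    is neither the mail client nor the scanner proxy. The proxy only relays what the
    sending process hands it, so the firewall names the proxy; this names the source."""
    hits = set()
    pending = None  # the last TCP line that targeted port 25, awaiting its [image] line
    for raw in netstat_text.splitlines():
        m = NETSTAT_RE.match(raw)
        if m:
            pending = m if m.group("remote").rsplit(":", 1)[1] == "25" else None
            continue
        img = IMAGE_RE.match(raw)
        if img and pending:
            image = img.group("image").lower()
            if image not in EXPECTED_MAILERS:
                hits.add((image, pending.group("remote")))
            pending = None
    return sorted(hits)


# Sample input: O23 lines copied from the HijackThis log in this thread.
SAMPLE_HJT = [
    "O23 - Service: DirectX Service (Nadug) - Unknown owner - C:\\WINDOWS\\system32\\directx.exe",
    "O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe",
    'O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)',
]
# Constructed netstat snapshot (TEST-NET addresses, made-up PIDs), not taken from the thread.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.5:1044       203.0.113.7:25         ESTABLISHED     1880
  [ashMaiSv.exe]
  TCP    127.0.0.1:1052         127.0.0.1:25           ESTABLISHED     1524
  [directx.exe]
  TCP    192.168.1.5:1060       203.0.113.9:80         ESTABLISHED     2012
  [firefox.exe]
"""

if __name__ == "__main__":
    for entry in SAMPLE_HJT:
        print(parse_o23(entry)["display"], "->", triage_o23(entry) or "ok")
    print("port-25 connections from unexpected processes:", find_unexpected_smtp(SAMPLE_NETSTAT))
```

The O23 heuristics are deliberately conservative: an unresolved path is reported as "verify" rather than "remove", because in this very log it is a quoting artefact on the legitimate avast entries, while the Nadug entry trips all three of the other checks at once.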

tanzanos

  • Guest
Re: help multiple e-mails
« Reply #2 on: July 02, 2007, 06:53:35 PM »
Now that you mention it, Zone Alarm on startup informs me that Direct X is trying to close AVG. So you are probably right. I used HijackThis to remove the entry but it keeps appearing. I can't get rid of it. HELP!
« Last Edit: July 02, 2007, 07:14:23 PM by tanzanos »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: help multiple e-mails
« Reply #3 on: July 02, 2007, 07:25:27 PM »
Quote
I can't get rid of it. HELP!

This doesn't tell us much; what have you tried?

Did you try the above software, did you stop (end task) the process in Task Manager, etc. as above?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help multiple e-mails
« Reply #4 on: July 02, 2007, 09:59:12 PM »
Please do the following

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


THEN

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Please provide both logs. WinPFind may need multiple posts.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: help multiple e-mails
« Reply #5 on: July 03, 2007, 04:15:49 AM »
Maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
The best things in life are free.

tanzanos

  • Guest
Re: help multiple e-mails
« Reply #6 on: July 03, 2007, 05:57:45 PM »
Thank you all.
Yesterday I used Spyware Terminator and it removed the Direct X (Nadug) infection.
Today I had the same problem, so I used Spybot Search and Destroy and it found a whole lot more and removed them. The system seems fine for now. If I get reinfected I shall do as you all advise and kill the !@#$%^&*() thing!

Again thanks guys!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: help multiple e-mails
« Reply #7 on: July 03, 2007, 06:38:05 PM »
You're welcome, glad we could help.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: help multiple e-mails
« Reply #8 on: July 03, 2007, 07:19:54 PM »
The system seems fine for now.
The programs I've posted about before are for you to be sure you're clean...

tanzanos

  • Guest
Re: help multiple e-mails
« Reply #9 on: July 04, 2007, 09:40:20 AM »
OK, here it is. I hope I am clean!

theims4

  • Guest
Re: help multiple e-mails
« Reply #10 on: July 04, 2007, 03:11:14 PM »
Quote
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Please provide both logs.  Winpfind may need multiple posts


Here's what I got (and I am sending it all):

'log' file

"Kim" - 2007-07-04  7:23:39 - ComboFix 07-07-04.1 - Service Pack 2  


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\windev-793f-3d69.sys
C:\WINDOWS\system32\windev-peers.ini


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\windev-793f-3d69


(((((((((((((((((((((((((   Files Created from 2007-06-04 to 2007-07-04  )))))))))))))))))))))))))))))))


2007-07-04 07:11   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-03 16:22   21,840   -------t-   C:\WINDOWS\system32\SIntfNT.dll
2007-07-03 16:22   17,212   --a----t-   C:\WINDOWS\system32\SIntf32.dll
2007-07-03 16:22   12,067   --a----t-   C:\WINDOWS\system32\SIntf16.dll
2007-07-03 15:59   <DIR>   d--------   C:\SIERRA
2007-07-03 15:59   <DIR>   d--------   C:\Program Files\Sierra On-Line
2007-06-28 14:27   <DIR>   d--------   C:\DOCUME~1\Jim\APPLIC~1\Jasc Software Inc
2007-06-22 07:47   <DIR>   d--------   C:\DOCUME~1\Jim\APPLIC~1\gamelab
2007-06-22 07:47   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\gamelab
2007-06-21 06:05   <DIR>   d--------   C:\DOCUME~1\Gabe\APPLIC~1\Help
2007-06-14 03:00   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Playtonium Games
2007-06-12 18:44   361,984   --a------   C:\WINDOWS\system32\Kagaya.scr
2007-06-12 14:04   <DIR>   d--------   C:\DOCUME~1\Kim\APPLIC~1\InstallShield
2007-06-11 17:47   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfVUG_TacoBell4
2007-06-11 17:46   <DIR>   d--------   C:\Program Files\Sierra Online
2007-06-11 17:46   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\minigolfVUG
2007-06-09 05:24   <DIR>   d--------   C:\Program Files\Zylom Games
2007-06-09 05:24   <DIR>   d--------   C:\DOCUME~1\Kim\APPLIC~1\Zylom
2007-06-07 07:16   159,744   --a------   C:\WINDOWS\system32\lfpng13n.dll
2007-06-04 13:49   <DIR>   d--------   C:\Program Files\Microsoft IntelliPoint


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-04 12:23:00   --------   d-----w   C:\DOCUME~1\Kim\APPLIC~1\AdobeUM
2007-06-23 15:17:41   --------   d-----w   C:\Program Files\MSN Games
2007-06-21 11:11:31   --------   d-----w   C:\Program Files\Infogrames Interactive
2007-06-19 18:38:20   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-06-04 03:18:52   --------   d-----w   C:\Program Files\Yahoo!
2007-06-04 03:18:38   --------   d-----w   C:\Program Files\Common Files\AOL
2007-06-02 23:58:57   --------   d-----w   C:\Program Files\AIM6
2007-06-02 23:58:45   --------   d-----w   C:\Program Files\Viewpoint
2007-05-25 21:45:31   --------   d-----w   C:\Program Files\Barbie(tm)
2007-05-25 21:45:30   --------   d-----w   C:\Program Files\Common Files\Knowledge Adventure
2007-05-21 04:09:55   --------   d-----w   C:\Program Files\Maxis
2007-05-16 15:12:02   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-13 10:31:03   --------   d-----w   C:\Program Files\directx
2007-05-07 16:05:15   612   ----a-w   C:\WINDOWS\EReg077.dat
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 21:34:57   69,632   ------w   C:\WINDOWS\system32\Clifford Uninstall.exe
2007-04-25 14:21:15   144,896   ------w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23   2,854,400   ------w   C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36   33,624   ------w   C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54   1,710,936   ------w   C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48   549,720   ------w   C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42   325,976   ------w   C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36   203,096   ------w   C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28   92,504   ------w   C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20   53,080   ------w   C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20   43,352   ------w   C:\WINDOWS\system32\wups2.dll


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38   63128   --a------   C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37E86881-4267-45ff-B982-05842081E63F}]
         C:\PROGRA~1\MARVEL~1\MARVEL01.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04   853672   --a------   C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2004-03-15 01:04   118836   --a------   C:\WINDOWS\system32\dla\tfswshx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43   501400   --a------   C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 15:42]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 16:54]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 14:36]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 12:52]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2005-02-03 19:38]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-28 02:38]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 20:09]
"CreateCD"="C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe" [2000-09-11 17:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Sonic RecordNow!"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-10-24 16:53]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 08:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 16:17]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe


**************************************************************************

catchme 0.3.914 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 07:32:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-04  7:34:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-04 07:34

   --- E O F ---

The other page (WinPFind3) will be on the next post.

pboyce

  • Guest
Re: help multiple e-mails
« Reply #11 on: July 05, 2007, 08:16:59 PM »
I had this very same problem. My solution was to use AVG Anti-rootkit free software to find 'windev.sys' type files in my windows/system32 folder and delete them. These were rootkit files and so other AV software had no luck in finding them.

Paul

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help multiple e-mails
« Reply #12 on: July 05, 2007, 08:36:39 PM »
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Win32 Services - Non-Microsoft Only]
YY -> (Nadug) DirectX Service [Win32_Own | Auto | Stopped] ->
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-A28F-ED6DB680B92F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-C1FB-F86DA487AF38} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar]
[Files/Folders - Created Within 30 days]
NY -> adidsl.ini -> %SystemRoot%\adidsl.ini
NY -> autoclk.exe -> %SystemRoot%\autoclk.exe
NY -> Fast800.ini -> %SystemRoot%\Fast800.ini
[Files/Folders - Modified Within 30 days]
NY -> popcinfo.dat -> %SystemRoot%\popcinfo.dat


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\SIntfNT.dll
C:\WINDOWS\system32\SIntf32.dll
C:\WINDOWS\system32\SIntf16.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


If you could reply with a new HJT log and an update on your system.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: help multiple e-mails
« Reply #13 on: July 05, 2007, 08:45:51 PM »
Quote
I had this very same problem. My solution was to use AVG Anti-rootkit free software to find 'windev.sys' type files in my windows/system32 folder and delete them. These were rootkit files and so other AV software had no luck in finding them.

Paul

ComboFix killed it

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\windev-793f-3d69.sys
C:\WINDOWS\system32\windev-peers.ini


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))