Computer Hope

Software => Computer viruses and spyware => Topic started by: cliffnook2000 on November 13, 2007, 04:02:45 AM

Title: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 13, 2007, 04:02:45 AM
Hi All,
I am having trouble with Autoplay taking over my PC. This happens all the time and not just when discs are being used. Sometimes Windows Explorer will show as many as 15 instances of Autoplay all at the same time. I have posted a message on the XP site about this and was advised to use HijackThis and post the log file here in the hope that some of you smarter guys than me can help.
So here it is. I have had to chop a bit off as it was over 10000 characters long.
Anything else you need I can post separately if needed.
Cheers  Frank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: SYSTRAN Web Translator 5.0  - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: FAXRX.lnk = C:\Program Files\Brother\Brmfl06a\FAXRX.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Casino-on-Net  - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\PROGRA~1\CASINO~1\Casino.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~2\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://80.253.105.3/lobby/atlclient.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {CF164902-C4C0-426a-87B3-FB140274E15F} (Dixons PSA) - http://www.gtwebcheck.com/pcworld/28/install/gtdowndi.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DEC5791-58D3-4F8D-9143-6A999B9C0C73}: NameServer = 195.92.195.90 195.92.195.91
O18 - Filter hijack: text/html - {8A8A75D8-C7AD-4C49-87E0-85601BD18621} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
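A small triage helper for the log format posted above, added here as an example; it is not part of HijackThis, ComboFix or any post in this thread. It takes a few lines copied from the posted log as constructed sample input, parses the section code and body of each entry, and attaches the hints a helper reads a log for first: an ActiveX control (O16) downloaded from a bare IP address, entries whose target file is missing, a win.ini load= autostart, filter/protocol handlers (O18), and Run entries (O4) that start an executable without a directory. The flag names are my own.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: lines copied from the log posted above, chosen
# to cover each entry type this helper knows how to read.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://80.253.105.3/lobby/atlclient.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O18 - Filter hijack: text/html - {8A8A75D8-C7AD-4C49-87E0-85601BD18621} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every entry starts with a section code (R0, F3, O4, O16, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# HijackThis appends these markers when the referenced file is not on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str                                  # section code, e.g. "O16"
    body: str                                  # text after the section code
    flags: list = field(default_factory=list)  # triage hints, not verdicts


def _is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def _o16_url(body: str) -> str:
    """O16 body is '{CLSID} (Name) - http://host/file.cab'; the URL is the last field."""
    return body.rsplit(" - ", 1)[-1].strip()


def _o4_command(body: str) -> str:
    """O4 body is 'HKLM\\..\\Run: [Name] command args'; return the command part."""
    idx = body.find("] ")
    return body[idx + 2:].strip() if idx != -1 else ""


def parse_line(line: str):
    """Parse one log line into an Entry with triage flags; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m["kind"], m["body"])

    # Orphaned entry: the registry still points at a file that is gone.
    if any(marker in entry.body for marker in MISSING_MARKERS):
        entry.flags.append("target_missing")

    # win.ini load= is a legacy autostart that current installers rarely use.
    if entry.kind == "F3" and "load=" in entry.body:
        entry.flags.append("win_ini_load")

    # O16: ActiveX controls IE downloaded; a bare-IP origin deserves a look.
    if entry.kind == "O16":
        host = urlparse(_o16_url(entry.body)).hostname or ""
        if _is_bare_ip(host):
            entry.flags.append("activex_from_bare_ip")

    # O18: MIME filter / protocol handlers HijackThis could not whitelist.
    if entry.kind == "O18":
        entry.flags.append("filter_or_protocol_handler")

    # O4 Run entries whose executable carries no directory are resolved through
    # the search path, so which file actually starts has to be confirmed.
    if entry.kind == "O4":
        command = _o4_command(entry.body)
        exe = command.split()[0].strip('"') if command else ""
        if exe and "\\" not in exe:
            entry.flags.append("unqualified_exe")
    return entry


def flagged_entries(log_text: str) -> list:
    """Return only the entries that picked up at least one triage flag."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind:<4} {', '.join(e.flags):<40} {e.body}")
```

A flag only marks a line for a closer look; the NvCplDaemon entry is flagged for its unqualified RUNDLL32.EXE even though it is a normal driver component.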
Title: Re: Autoplay Autoplay HiJack This
Post by: patio on November 13, 2007, 06:14:57 AM
The chopped-off info is needed as well... use two posts if need be.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 13, 2007, 06:55:26 AM

Ok, thanks.

This is the top part of the log. Hope it helps.

Thanks

Frank

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53:44, on 13/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Brother\Brmfl06a\FAXRX.exe
C:\WINDOWS\DitExp.exe
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\SYSTRAN\5.0\Personal\SYSTRA~1.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 13, 2007, 09:04:41 AM
* Please download ComboFix by sUBs and place it on your Desktop: combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
* Double-click combofix.exe and follow the prompts. Enter 1 and press Enter at the prompt.
* When finished, it shall produce a log for you. Attach that log in your next reply.
ComboFix will create a backup of anything removed in C:\qoovox

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 13, 2007, 11:33:43 PM
Ok evilfantasy, thanks. Here goes...

The Autoplay box appeared about 20 to 30 times whilst the AutoScan programme was running. At one stage the task bar showed Windows Explorer with a 6 in front of it, presumably the number of instances of Autoplay that were running.

Hope it makes sense to you... Cheers   Frank

ComboFix 07-11-08.3 - Cliffnook 2007-11-14  6:18:40.1 - NTFSx86
Running from: C:\Documents and Settings\Cliffnook\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files.\hotbar.inf

.
(((((((((((((((((((((((((   Files Created from 2007-10-14 to 2007-11-14  )))))))))))))))))))))))))))))))
.

2007-11-14 06:16   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-11-14 05:54   <DIR>   d--------   C:\WINDOWS\LastGood
2007-11-14 05:54   271,224   --a------   C:\WINDOWS\system32\mucltui.dll
2007-11-14 05:54   207,736   --a------   C:\WINDOWS\system32\muweb.dll
2007-11-13 09:54   267,272   --a------   C:\WINDOWS\system32\xactengine2_10.dll
2007-11-13 09:52   2,297,552   --a------   C:\WINDOWS\system32\d3dx9_26.dll
2007-11-13 09:48   <DIR>   d--h-----   C:\WINDOWS\msdownld.tmp
2007-11-13 06:57   <DIR>   d--------   C:\Documents and Settings\Cliffnook\SecurityScans
2007-11-13 06:56   <DIR>   d--------   C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-11-12 07:09   <DIR>   d--------   C:\Documents and Settings\Cliffnook\Application Data\Oberon Media
2007-11-12 06:49   <DIR>   d--------   C:\Program Files\Trend Micro
2007-11-09 09:40   <DIR>   d--------   C:\Documents and Settings\Cliffnook\Application Data\VSRevoGroup
2007-11-09 09:35   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\RFA_Backups
2007-11-07 06:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MinigolfAdventures
2007-11-05 06:50   <DIR>   d--------   C:\Documents and Settings\Cliffnook\Application Data\ForgottenRiddles
2007-11-01 09:39   <DIR>   d--------   C:\Program Files\NovaLogic
2007-10-31 06:22   <DIR>   d--------   C:\Program Files\Oberon Media
2007-10-23 05:16   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-10-22 06:14   <DIR>   d--------   C:\Program Files\VS Revo Group
2007-10-22 06:11   <DIR>   d--------   C:\Program Files\Your Uninstaller 2006
2007-10-22 06:11   <DIR>   d--------   C:\Documents and Settings\Cliffnook\Application Data\URSoft
2007-10-19 06:49   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\iolo
2007-10-18 09:36   <DIR>   d--------   C:\Program Files\CCleaner
2007-10-16 06:19   <DIR>   d--------   C:\Program Files\Croteam

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:46   ---------   d-----w   C:\Program Files\SpywareBlaster
2007-11-13 10:41   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-12 07:34   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-11-12 07:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Oberon Media
2007-11-09 10:29   ---------   d-----w   C:\Program Files\Betfred Poker
2007-11-09 09:34   ---------   d-----w   C:\Program Files\Common Files\Oberon Media
2007-11-09 09:34   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\Pogo Games
2007-11-09 09:02   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-11-07 08:07   ---------   d-----w   C:\Program Files\Microsoft Money
2007-11-05 06:13   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\PlayFirst
2007-10-23 08:44   ---------   d-----w   C:\Program Files\PhotoDeluxe 2.0
2007-10-23 08:44   ---------   d-----w   C:\Program Files\Classic PhoneTools
2007-10-22 08:43   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\PokerChamps
2007-10-22 03:37   17,928   ----a-w   C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 15:14   3,734,536   ----a-w   C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 15:14   1,374,232   ----a-w   C:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-12 10:31   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\AstroMenace
2007-10-02 09:56   444,776   ----a-w   C:\WINDOWS\system32\d3dx10_36.dll
2007-10-02 07:56   ---------   d-----w   C:\Program Files\Google
2007-10-01 05:47   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\VeniceMysteryData
2007-09-28 08:25   ---------   d-----w   C:\Program Files\Family Tree Maker 2006
2007-09-24 07:03   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SugarGames
2007-09-20 12:16   ---------   d-----w   C:\Program Files\PacificPoker4
2007-09-20 12:12   ---------   d-----w   C:\Program Files\PacificPoker
2007-09-14 06:36   ---------   d-----w   C:\Documents and Settings\Cliffnook\Application Data\Big Fish Games
2007-08-21 06:15   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-01 13:25   7,802   ----a-w   C:\Documents and Settings\Cliffnook\Application Data\wklnhst.dat
2006-08-25 08:24   1,388   ----a-w   C:\Documents and Settings\Cliffnook\Application Data\ViewerApp.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16]
"nwiz"="nwiz.exe" [2003-10-06 14:16 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 10:46 C:\WINDOWS\SOUNDMAN.EXE]
"Dit"="Dit.exe" [2002-08-28 12:43 C:\WINDOWS\Dit.exe]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 09:50]
"Agent"="C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe" [2002-09-26 15:49]
"CapFax"="C:\Program Files\Classic PhoneTools\CapFax.EXE" [2001-12-10 16:34]
"POINTER"="point32.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-09 23:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-26 05:37]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-17 23:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-12 08:54]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 13:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 13:45]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 06:46]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 17:02]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 11:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-10-06 14:16]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
"STManager"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" [2003-10-16 13:25]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

C:\Documents and Settings\Cliffnook\Start Menu\Programs\Startup\
FAXRX.lnk - C:\Program Files\Brother\Brmfl06a\FAXRX.exe [2007-09-05 07:43:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe [2005-09-20 17:10:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-07-22 10:39:53]

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys
S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe"
S3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
S3 IIUSBISP;USB Mass Storage for USB ISP;C:\WINDOWS\system32\Drivers\iiusbisp.sys
S3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 06:21:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-14  6:22:09
.
   --- E O F ---
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 14, 2007, 12:02:46 AM
Please download ATF Cleaner by Atribune: ATF Cleaner.exe (http://www.atribune.org/ccount/click.php?id=1). This program does not require an installation; the executable itself runs the program.

NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.

If you use the Firefox browser
* Click Firefox at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser
* Click Opera at the top and choose: Select All
* Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

==========

Please read carefully

Run the BitDefender Online Scanner (http://www.bitdefender.com/scan8/ie.html)
Agree to the license and then select Scan.
DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
That will make your logs huge and we don't need to see clean files.

Once BitDefender completes the scan:
Click on the Detected Problems tab.
Then select Click here to export the scan report.

When the window comes up to save the report, change the Save as type: box to
Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save.

This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it (take notice of where you save it so you can find it later).
This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

Post the bdscan.txt file.

==========
In your next post please add:
BitDefender log
New HijackThis log

Tell me how things are now
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 06:10:23 AM
Ok... Done all that, but the files are a bit big and I'm probably going to need 4 replies to get them both across. Is this OK or is there a way to send them as attachments?

Cheers Frank
Title: Re: Autoplay Autoplay HiJack This
Post by: patio on November 14, 2007, 06:36:38 AM
Frank, you can use as many as are needed.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 06:43:59 AM
Ok Patio... thanks.
Here goes then... the bdscan.txt file will be the first two posts and the new HijackThis log the next two.
<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner -Scan Report</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name="generator" content="Namo WebEditor v5.0(Trial)">
</HEAD>
<BODY BGCOLOR=#FFFFFF  leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >


<table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
    <tr>
        <td width="458">
            <p><font face="Arial" color=red><span style="font-size:14pt;">BitDefender
            Online Scanner
</span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>
    <tr>
        <td colspan="3" width="912">
            <p><font face="Arial"><span style="font-size:11pt;"><B>Scan report generated
            at: Wed, Nov 14, 2007 - 12:32:40</span></font></p>
        </td>
    </tr>

   <tr>
        <td width="458">
            <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
            <p><font face="Arial"><span style="font-size:11pt;"><B>Scan
            path: </span><span style="font-size:10pt;">A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;L:\;</span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
            <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

    <tr>
        <td width="458">
                <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                    <tr>
                        <td width="451" colspan="2" bgcolor="#CCCCCC">
                            <p><font face="Arial" size="2"><B>Statistics</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Time</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">01:09:25</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Files</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">285820</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Folders</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">7494</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Boot Sectors</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">5</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Archives</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">8698</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Packed Files</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">10319</font></p>
                        </td>
                    </tr>
                </table>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   

   <tr>
        <td width="458">
                <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                    <tr>
                        <td width="451" colspan="2" bgcolor="#CCCCCC">
                            <p><font face="Arial" size="2"><B>Results</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Identified Viruses </font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">2</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Infected Files </font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">2</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Suspect&nbsp;Files </font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">0</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Warnings</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">0</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Disinfected</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">0</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Deleted Files</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">2</font></p>
                        </td>
                    </tr>
                </table>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
                <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                    <tr>
                        <td width="451" colspan="2" bgcolor="#CCCCCC">
                            <p><font face="Arial" size="2"><B>Engines Info</B></font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Virus Definitions</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">872698</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Engine build</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)</font></p>
                        </td>
                    </tr>
                    <tr>
         
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 06:46:33 AM
<td width="57%">
                            <p><font face="Arial" size="2">Scan plugins</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">14</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Archive plugins</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">38</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Unpack plugins</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">7</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">E-mail plugins</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">6</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">System&nbsp;plugins</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">1</font></p>
                        </td>
                    </tr>
                </table>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
                <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                    <tr>
                        <td width="451" colspan="2" bgcolor="#CCCCCC">
                            <p><font face="Arial" size="2"><B>Scan Settings</B></font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">First Action</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Disinfect</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                        <p><font face="Arial" size="2">Second Action</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Delete</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Heuristics</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Enable Warnings</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                   <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scanned Extensions</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">*;</font></p>
                        </td>
                    </tr>

                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Exclude Extensions</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">&nbsp;</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scan Emails</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scan Archives</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scan Packed</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scan Files</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                    <tr>
                        <td width="57%">
                            <p><font face="Arial" size="2">Scan Boot</font></p>
                        </td>
                        <td width="43%" align="right">
                            <p><font face="Arial" size="2">Yes</font></p>
                        </td>
                    </tr>
                </table>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td colspan=2> &nbsp;
                <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                    <tr>
                        <td width="252" bgcolor="#CCCCCC">
                            <p><font face="Arial" size="2"><B>Scanned File</B></font></p>
                        </td>
                        <td width="195" bgcolor="#CCCCCC" align="right">
                        <p align="left"><font size="2" face="Arial">&nbsp;Status</font></p>
                        </td>
                    </tr>
                    <tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\70000041.exe</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Infected with: DeepScan:Generic.Malware.dld!!.0053513A</font></p>
   </td>
</tr><tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\70000041.exe</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Disinfection failed</font></p>
   </td>
</tr><tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\70000041.exe</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Deleted</font></p>
   </td>
</tr><tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\gtdowndi_86.ocx</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Infected with: Trojan.Dloader.VP</font></p>
   </td>
</tr><tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\gtdowndi_86.ocx</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Disinfection failed</font></p>
   </td>
</tr><tr>
   <td width="57%">
   <p><font face="Arial" size="2">C:\WINDOWS\system32\gtdowndi_86.ocx</font></p>
   </td>
   <td width="43%" align="left">
      <p><font face="Arial" size="2">Deleted</font></p>
   </td>
</tr>
                </table>
        </td>
       
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
            <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</B></span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

   <tr>
        <td width="458">
            <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</B></span></font></p>
        </td>
        <td width="40%">
            <p>&nbsp;</p>
        </td>
        <td width="10%">
            <p>&nbsp;</p>
        </td>
    </tr>

</table>
<p>&nbsp;</p>

</body>
</html>
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 06:47:44 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:33, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\OPLIMIT\ocrawr32.exe
C:\Program Files\Brother\Brmfl06a\FAXRX.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\SYSTRAN\5.0\Personal\SYSTRA~1.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 06:57:35 AM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: SYSTRAN Web Translator 5.0  - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: FAXRX.lnk = C:\Program Files\Brother\Brmfl06a\FAXRX.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Casino-on-Net  - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\PROGRA~1\CASINO~1\Casino.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~2\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://80.253.105.3/lobby/atlclient.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {CF164902-C4C0-426a-87B3-FB140274E15F} (Dixons PSA) - http://www.gtwebcheck.com/pcworld/28/install/gtdowndi.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DEC5791-58D3-4F8D-9143-6A999B9C0C73}: NameServer = 195.92.195.91 195.92.195.90
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10429 bytes

Hope I've done it right. If not, I'll just have to give it another go.

Cheers Frank
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 14, 2007, 08:35:16 AM
The Bitdefender removed a couple of nasties so we are getting there.


Couple of questions.

Wanadoo toolbar <---Is this something you installed and do you use it?

More info on this toolbar --->  Click here (http://www.emsisoft.com/en/malware/?Adware.Win32.Wanadoo+Toolbar)

Boonty Games <---Is this something you installed and do you use it?

More info on this --->  Click here (http://www.castlecops.com/o23list-1744.html)

I think it is best we remove these.

Also how are things now?
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 14, 2007, 01:36:03 PM
Ok, to answer your questions.

My service provider is Wanadoo (now Orange) and this was presumably installed when I first started using this service. I need a toolbar but it doesn't have to be this one.

Boonty games can go. It must be still there from when I downloaded a trial from the internet.

I will need some advice on how to get rid of these, and what toolbar would you suggest instead?

Unfortunately, although the PC does seem to be running faster, I still have the same problems with Autoplay.

You guys obviously know your business and I feel more confident now that we will get there in the end.

Thanks for all your help so far

Cheers  Frank
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 14, 2007, 01:43:00 PM
OK, let's tackle the Autoplay first. I wanted to make sure there was no malware to interfere with any fixes we attempt with it.

The Wanadoo I will look into but I do know the Boonty will involve some detailed removal instructions.

Anyway.....this should be pain-free.

Use the  Autoplay Repair Wizard (http://www.microsoft.com/downloads/details.aspx?FamilyID=c680a7b6-e8fa-45c4-a171-1b389cfacdad&displaylang=en)

Let me know how that goes.

Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 14, 2007, 03:03:23 PM
I worked up this guide for adding logs as attachments.

It will save me a lot of scrolling.

Adding logs as an attachment

Save the log to somewhere you can easily find it. (usually the desktop)

To do this, from within Notepad go to the top of the page and select "File" > "Save As...", enter the file name and click "Save". Be sure the desktop is the location selected to save to.
Please save all files as Text Documents (.txt)

Posting the log

* Before putting text into the reply box select "Preview"
* Scroll down and select "Additional Options..."
* Click "Browse"
* Locate the file you want to attach and double click it to enter it into the window.
* If you have more than one log click "(more attachments)" and a new window will open for adding another log.
* You will need to enter a short message in the text box as well.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 12:49:51 AM
Thanks evilfantasy but this was one of the first things I tried.
I have done another scan and the results tell me that my "C" drive does not support Autoplay and that my CD and DVD drives are ok.

Just to give you a bit more info. I have another PC at a different location which is having the same (maybe worse) Autoplay problems. As far as I can remember I have never shared files between the two PCs, although I have downloaded the same sort of junk from the internet.
I ran ATF-Cleaner and then BitDefender on that pc and BitDefender showed everything was clear, no viruses found.

I have decided not to download any more junk, particularly games, from the internet, so anything you find referring to games can be got rid of. I see in the last HiJackThis log a couple of references to games: O23 Boonty (which you have already picked up on) and O16 Worldwinner games. I thought I had uninstalled these but, in any case, they and any other game files can go.

I can get you a HiJackThis log of the other PC if it will help, but it will be later on as that PC is at home. If you need the log, I can post it here or start another thread.

Cheers  Frank
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 15, 2007, 01:16:45 AM
OK, let's get rid of the Boonty and then work from there.

Enable Viewing Of Hidden System Files & Folders

1. Right Click Start.
2. Select Control Panel.
3. Select the Tools menu and click Folder Options.
4. Select the View Tab.
5. Under the Hidden files and folders heading select Show hidden files and folders.
6. Uncheck the Hide extensions for known file types option.
7. Uncheck the Hide protected operating system files (recommended) option.
8. Click Apply.
9. Click OK.

=====

Click Start -> Run - type SERVICES.MSC & then click on the OK button

   1. Locate the service - Boonty Games
   2. Double-click on it to open the Properties dialog.
      - Change the Startup type to Disabled & then click on the Apply button
      - Stop the service by using the Stop button.
   3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
   4. In the popup box that appears, copy/paste BOONTY
   5. Click on the OK button & answer No if prompted to reboot

Double click the My Computer icon on the desktop, then open C: and continue to navigate to this folder.

C:\Program Files\Common Files\BOONTY Shared <---delete this whole folder

Reboot the computer.

=====

Post a new HijackThis log
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 01:47:47 AM
I'm lost now....

Done everything you said up to copy/paste Boonty.

Where do I copy from and what do I copy?
Have been into the HiJackThis log and found the O23 Boonty file. Have tried copying/pasting the whole file, just the BOONTY part and just the part after C:\. HiJackThis tells me it doesn't recognise the files.... What am I doing wrong?
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 15, 2007, 02:31:10 AM
Sorry that was a little vague.

Open HijackThis, don't select any scan options, instead:

Select "Open misc. tools section", then select "Delete an NT service". A popup box will open; copy/paste (or type) BOONTY into that box, click on the OK button & answer No if prompted to reboot.

Exit HijackThis

=====

Double click the My Computer icon on the desktop, then open C: and continue to navigate to this folder.

C:\Program Files\Common Files\BOONTY Shared <---delete this whole folder

Reboot the computer.

=====

Next post:
New HijackThis log
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 03:46:44 AM
Still not working........

Done everything exactly as you said and still get message box saying:

Service "BOONTY" was not found in the registry
Make sure you entered the name of the service correctly

I typed in BOONTY and then when that didn't work I copy/pasted BOONTY from the HiJackThis log and that didn't work either. Still got the same message.

Am I doing something wrong here?
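As an added example (not part of the thread), a small Python parser for HijackThis O23 lines that recovers the name the "Delete an NT service" box asks for. It relies on the format visible in the logs above: HijackThis prints the service key name in parentheses only when it differs from the display name, so on a line with no parentheses the display name is the service name and the middle field is the vendor; the sample lines are copied from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O23 format, as seen in the logs above:
#   O23 - Service: <display name> (<service name>) - <company> - <image path>
# The parenthesised service name is omitted when it equals the display name.
# Assumption: neither the display name nor the company string contains " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"   # display name (shortest match)
    r"(?: \((?P<service>[^()]+)\))?"     # optional "(service key name)"
    r" - (?P<company>.*?)"                # vendor string, may contain commas
    r" - (?P<path>.+)$"                   # image path, taken to end of line
)


@dataclass
class ServiceEntry:
    display: str
    service: str   # the name the service manager (and HijackThis) keys on
    company: str
    path: str


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display = m.group("display")
    # No parenthesised name means the key name is the display name itself.
    service = m.group("service") or display
    return ServiceEntry(display, service, m.group("company"), m.group("path"))


def parse_log(text: str) -> List[ServiceEntry]:
    """All O23 entries in a pasted HijackThis log, in order."""
    return [e for e in map(parse_o23, text.splitlines()) if e]


def find_service_name(text: str, fragment: str) -> Optional[str]:
    """Service key name of the first O23 entry that mentions `fragment`
    (case-insensitive) in its display name, key name, vendor or path."""
    frag = fragment.lower()
    for e in parse_log(text):
        if frag in (e.display + e.service + e.company + e.path).lower():
            return e.service
    return None


# Constructed sample: four O23 lines and one O4 line copied from the log above.
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry.service!r:28} display={entry.display!r} company={entry.company!r}")
    # "BOONTY" is the vendor field; the key name to enter is "Boonty Games".
    print("name to enter for Boonty:", find_service_name(SAMPLE_LOG, "boonty"))
```

Before deleting anything, compare the recovered key name against what `SERVICES.MSC` shows in the service's Properties dialog; the "was not found in the registry" message means the typed name matched no key.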
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 15, 2007, 04:02:20 AM
Post a new log and we will go from there.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 04:15:06 AM

OK... it will be 2 posts though. The file is still too big.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:05, on 15/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Brother\Brmfl06a\FAXRX.exe
C:\PROGRA~1\SYSTRAN\5.0\Personal\SYSTRA~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 04:16:23 AM
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: SYSTRAN Web Translator 5.0  - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Program Files\SYSTRAN\5.0\Personal\IEPlugIn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Agent] C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: FAXRX.lnk = C:\Program Files\Brother\Brmfl06a\FAXRX.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Casino-on-Net  - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\PROGRA~1\CASINO~1\Casino.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~2\pacificpoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://80.253.105.3/lobby/atlclient.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {CF164902-C4C0-426a-87B3-FB140274E15F} (Dixons PSA) - http://www.gtwebcheck.com/pcworld/28/install/gtdowndi.cab
O16 - DPF: {F04F4F32-6457-401A-8169-D2773DDFF930} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1uk.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DEC5791-58D3-4F8D-9143-6A999B9C0C73}: NameServer = 195.92.195.91 195.92.195.90
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 10319 bytes
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 15, 2007, 08:49:34 AM
I worked up this guide for adding logs as attachments.

It will save me a lot of scrolling.

Adding logs as an attachment

Save the log to somewhere you can easily find it. (usually the desktop)

To do this, from within Notepad go to the top of the page and select "File" > "Save As...", enter the file name and click "Save". Be sure the desktop is the location selected to save to.
Please save all files as Text Documents (.txt)

Posting the log

* Before putting text into the reply box select "Preview"
* Scroll down and select "Additional Options..."
* Click "Browse"
* Locate the file you want to attach and double click it to enter it into the window.
* If you have more than one log click "(more attachments)" and a new window will open for adding another log.
* You will need to enter a short message in the text box as well.

=====

Run HJT and have it remove these entries

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O9 - Extra button: Medion-UK - {725E17C7-2B9A-42BA-AAE2-754FA08120BD} - http://www.medion.co.uk (file missing) (HKCU)
O16 - DPF: {0F42F280-2D6E-4B19-95A9-18D8DADB9309} (BFLauncher Class) - http://www.betfred.com/company/gamessections/common/betfredlauncher.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {48C20DEE-B00A-11D4-9B2F-0060975D990E} (Hi2Lobby Class) - http://80.253.105.3/lobby/atlclient.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {CF164902-C4C0-426a-87B3-FB140274E15F} (Dixons PSA) - http://www.gtwebcheck.com/pcworld/28/install/gtdowndi.cab

Close all windows and click "Fix checked"

=====

How To Create An Uninstall List

1. Start HijackThis
2. Click on the Misc Tools button
3. Click on the Open Uninstall Manager button.
4. Click on the Save list button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file.
5. Save it to your desktop
6. Add the uninstall_list.txt as an attachment in the next post.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 15, 2007, 11:15:27 PM
OK done all that.

Hope we are getting somewhere now

Cheers Frank

[saving disk space - old attachment deleted by admin]
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 16, 2007, 01:45:54 AM
We can turn autoplay off altogether. But this will mean that when you insert a CD or USB flash drive you will not get any prompts. You may have to go to My Computer and launch it from there.

Let me know and I will work up the info.

Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 16, 2007, 02:26:03 AM
Uninstall in add/remove programs:

Betfair Poker
Casino-on-Net
Gold Miner Vegas
Internet Expedition <---This one is malicious
Java 2 Runtime Environment Standard Edition v1.3.1_01
Pacific Poker
Wanadoo Search Toolbar - my suggestion is the Google Toolbar as a replacement.

Go to www.java.com and download the newest version of Java 6 Update 3

Follow this link (http://www.google.com/tools/firefox/toolbar/FT3/intl/en/index.html) for the Google Toolbar.


Run another Combofix scan and post the log as an attachment.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 16, 2007, 03:14:23 AM
Hi evilfantasy.....it would be great if I could just turn off Autoplay altogether as you suggest. In fact this is something I have been trying to do myself.
I subscribe to an online newsletter called Windows Secrets and the last edition gave an article on how to do this. I have copied the relevant part of the article below.
I tried this fix and it has made no difference whatsoever.
If you could come up with something to stop Autoplay then that would be great.
 


Block AutoRun for all devices all the time

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present.

Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You'll have to open a Windows Explorer window or use a command line to launch the desired executable.

The benefit is a big one: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive.

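An added audit script, written for this page and not taken from the Windows Secrets article or from anyone in this thread: it reads back the three registry locations the article names (the IniFileMapping redirect, the NoDriveTypeAutoRun policy, and the MountPoints2 cache) so you can confirm the merged .reg file actually landed before blaming it for not working. It assumes a local Windows host with PowerShell and the XP/Vista-era registry layout; the 0xFF value is the documented setting that disables AutoRun for every drive type.

```powershell
# Added example (not the article's or the thread's code): audit AutoRun mitigations.
# Run from an elevated PowerShell prompt; returns one finding string per check.
function Get-AutoRunMitigationStatus {
    $findings = @()

    # 1. The IniFileMapping redirect from the article. The key's default value must be
    #    exactly "@SYS:DoesNotExist" so that autorun.inf lookups resolve to a key that
    #    does not exist and the file is never parsed.
    $mapPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (Test-Path -Path $mapPath) {
        $default = (Get-ItemProperty -Path $mapPath).'(default)'
        if ($default -eq '@SYS:DoesNotExist') {
            $findings += 'IniFileMapping\Autorun.inf: redirect present (autorun.inf blocked)'
        } else {
            $findings += "IniFileMapping\Autorun.inf: unexpected default value '$default'"
        }
    } else {
        $findings += 'IniFileMapping\Autorun.inf: key missing (autorun.inf NOT blocked)'
    }

    # 2. The NoDriveTypeAutoRun policy the article says can be overridden by the
    #    MountPoints2 cache. 0xFF disables AutoRun on every drive type; anything else
    #    leaves at least one drive type enabled.
    foreach ($hive in 'HKLM', 'HKCU') {
        $polPath = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $val) {
            $findings += "${hive} NoDriveTypeAutoRun: not set (Windows default applies)"
        } else {
            $findings += ('{0} NoDriveTypeAutoRun: 0x{1:X2}' -f $hive, [int]$val)
        }
    }

    # 3. MountPoints2: per-user cache of every removable device ever attached. Per the
    #    article, cached AutoRun handlers here can override the policy above, which is
    #    why the IniFileMapping fix is the one that actually holds.
    $mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path -Path $mp) {
        $count = @(Get-ChildItem -Path $mp).Count
        $findings += "MountPoints2: $count cached device/volume entries"
    } else {
        $findings += 'MountPoints2: key not present for this user'
    }

    return $findings
}

Get-AutoRunMitigationStatus
```

If the first line reports the key as missing after you merged NoAutoRun.reg, the merge was refused (typically a permissions or typo problem in the .reg text), which is the first thing to rule out before looking elsewhere for the AutoPlay windows.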
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 16, 2007, 03:42:13 AM
That is the same fix I was going to suggest.

Did you create the .reg file in notepad and merge it with the registry?

Let me know and we can go into the registry manually. It is a few more steps but easy enough.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 16, 2007, 07:56:24 AM
Ok...Done all that except when I tried to uninstall Internet Expedition a message box appeared.

The box was titled RegSvr32 and had a yellow warning triangle in it with the following text:

LoadLibrary("C:\DocumentsandSettings\Cliffnook\LocalSettings\ApplicationData\microsoft\internetexplorer\V0.15dat") failed - The specified module could not be found


With regards to the Autoplay fix, I did exactly what it said in the instructions. The CD, DVD, and USB flash drives do not work with Autoplay now and I need to start them through My Computer or Windows Explorer. This is no big deal but it doesn't seem to have solved the problem of Autoplay appearing.

Just to let you know that while the Combofix Autoscan was running there were no instances of Autoplay appearing instead of the dozens that appeared during my first Autoscan. So it looks as though we may be getting there.


[saving disk space - old attachment deleted by admin]
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 16, 2007, 11:42:06 AM
Download Your Uninstaller! (http://fileforum.betanews.com/detail/Your_Uninstaller_2006/1031658821/1) This is not a free product but has full functions during the trial period.
You may need to boot to safe mode and try to uninstall Internet Expedition that way. Guide for booting to safe mode (http://www.computerhope.com/issues/chsafe.htm#02)

It seems like there has to be a drive trying to autoplay.
Download TweakUI (http://filehippo.com/download_tweakui/) (Freeware). Run TweakUI and expand My Computer, and then AutoPlay. Click on Drives and uncheck the drive letter that you no longer want to AutoPlay. Click on Apply. This may not do any good but it will (maybe) let us know what drive is trying to autoplay.

Download Panda Antirootkit (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip)
Unzip it and run the PAVARK.exe file.
Tick the box that says In depth scan and follow the on screen instructions.
Let me know if it turns up anything.

After that please post a fresh HijackThis log.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 16, 2007, 11:42:47 PM
Already have TweakUI and disabled all drives for Autoplay.

Have used Your Uninstaller before and free 21 day trial up. Anything else I can use?

Have run the Panda Antirootkit and it shows nothing found.

Cheers Frank

[saving disk space - old attachment deleted by admin]
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 16, 2007, 11:55:38 PM
Revo Uninstaller (http://www.revouninstaller.com/revo_uninstaller_free_download.html) is free and works much the same way. If this doesn't work we will use a more direct approach to get rid of it.

Also with Revo look for
Pacific Poker
Wanadoo Search Toolbar

They keep coming back in the Hijackthis log.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 17, 2007, 01:58:34 AM
Revo gave the same error message when trying to uninstall Internet Expedition.

Pacific Poker and Wanadoo Search Toolbar are not listed as being there.
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 17, 2007, 02:08:24 AM
Do you have your XP CD to try a repair install?
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 17, 2007, 02:22:17 AM
I have the original XP CD but there is no option for a repair install.

I click the option for install and a message tells me that an install cannot be done because the version on my PC is newer than the one on the CD.
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 17, 2007, 02:29:11 AM
It must be an SP1 CD and you have upgraded to SP2.

When I google Internet Expedition I only get one search result for it.

I'm going to do some more googling and see what I can find.

It sounds like you and I are finding the same solutions, only they aren't working  ???
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 17, 2007, 02:35:25 AM
You're right, I have upgraded to SP2.

Thanks for all your efforts. Very much appreciated.

Cheers Frank
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 17, 2007, 10:58:11 AM
How to Manually Remove Programs from the Add or Remove Programs Tool (registry)

http://support.microsoft.com/kb/314481
Title: Re: Autoplay Autoplay HiJack This
Post by: Broni on November 17, 2007, 11:03:26 AM
Older, free version of "RegCleaner" will do it for you:
http://www.321download.com/LastFreeware/files/RegCleaner.zip
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 17, 2007, 11:12:29 AM
We aren't trying to clean the registry.
Title: Re: Autoplay Autoplay HiJack This
Post by: Broni on November 17, 2007, 11:16:54 AM
"RegCleaner" has an option to remove dead Add/Remove entries.
Title: Re: Autoplay Autoplay HiJack This
Post by: evilfantasy on November 17, 2007, 11:19:56 AM
Again, not what we are trying to do.
Title: Re: Autoplay Autoplay HiJack This
Post by: cliffnook2000 on November 19, 2007, 12:11:06 AM
Ok evilfantasy....that seems to have got rid of Internet Expedition.