Hi stephys, welcome to Wilders. Did TDS-3 not remove these trojans, or what exactly is the problem? You can post your HijackThis log following these instructions: Please go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'. Unzip it, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log as a .txt file, and copy and paste its contents into your next post. Most of what it lists will be harmless, so do not fix anything yet. Regards, Pieter
Hi stephys, welcome to the forum from me too. Make sure you update the TDS database before scanning. If you scan with TDS, at the bottom you'll find the alerts. Right-click on one of the finds and save as a text file. This you'll find in the TDS-3 directory as Scandump.txt. You might like to copy that into your next posting here and we'll try to help you with that too. I think your HijackThis scan can give some ideas to start with too. So please post them both!
Hello stephys, You can also try AutoStart Viewer http://www.diamondcs.com.au/index.php?page=asviewer - which is a free tool. This is able to show what programs auto-start on your PC, and the results can be saved as text; a copy of the text posted here may also help us decide if an entry needs to be deleted. HTH, Pilli
Thanks, Stephys. This is what you posted to me; we will see what the forum makes of it:

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for --------------, 10-29-2003

c:\window\system32\autoexec.nt C:\WINDOW\system32\mscdexnt.exe C:\WINDOW\system32\redir.exe C:\WINDOW\system32\dosx.exe
c:\window\system32\config.nt C:\WINDOW\system32\himem.sys
c:\window\system.ini [drivers] timer=timer.drv
c:\window\system.ini [boot]\shell C:\WINDOW\Explorer.exe
c:\window\system.ini [boot]\scrnsave.exe C:\WINDOW\Webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\WINDOW\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe C:\WINDOW\Webshots.scr
HKCR\vbsfile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\ C:\WINDOW\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray C:\WINDOW\System32\igfxtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds C:\WINDOW\System32\hkcmd.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lexmark X74-X75 C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AdaptecDirectCD C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\POINTER point32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sr1exe C:\Documents and Settings\All Users.WINDOW\Application Data\Dell\Alert\252\updtSup3.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MediaFace Integration C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BCMSMMSG C:\WINDOW\BCMSMMSG.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task C:\Program Files\QuickTime\qttask.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy C:\WINDOW\System32\syscpy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Power Scan C:\Program Files\Power Scan\powerscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe C:\WINDOW\System32\85296267.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Anti-Trojan-Watch C:\Program Files\Anti-Trojan-55\ATWatch.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RAV8Tray C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr C:\Program Files\MSN Messenger\msnmsgr.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ C:\WINDOW\system32\SHELL32.dll C:\WINDOW\system32\SHELL32.dll C:\WINDOW\System32\webcheck.dll C:\WINDOW\System32\stobject.dll
C:\Documents and Settings\Owner.JOEYSROOM\Start Menu\Programs\Startup\Webshots.lnk C:\Program Files\Webshots\WebshotsTray.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Digital Line Detect.lnk C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\Modem User Guide.lnk C:\Program Files\Modem User Guide\index.htm
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ravmon.exe.lnk C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
C:\Documents and Settings\All Users.WINDOW\Start Menu\Programs\Startup\ZoneAlarm.lnk C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOW\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline C:\WINDOW\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline C:\WINDOW\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ C:\WINDOW\system32\mswsock.dll C:\WINDOW\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\ C:\WINDOW\system32\JAVASUP.VXD
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy C:\WINDOW\System32\syscpy.exe
A worm. Can you delete the entry and send a copy of the file to submit@diamondcs.com.au please? Zip it up and keep a copy, but delete the file on disk.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe C:\WINDOW\System32\85296267.exe
Suspicious... best to do the same as above.
Hi stephys, Could you please keep all the information in this thread? You sent several people (different) logs by PM and have gotten different advice because the logs did not correspond. Other than what I advised you to do with HijackThis, please click Start > Run > msconfig and disable the two entries Gavin advised you to:
C:\WINDOW\System32\syscpy.exe
C:\WINDOW\System32\85296267.exe
and:
C:\Program Files\Power Scan\powerscan.exe
Then reboot and delete the entire C:\Program Files\Power Scan folder (spyware), send the files Gavin requested and delete them after doing so. TIA, Pieter
Didn't receive these files yet, but can confirm the first one - syscpy.exe is fairly common. It's a proxy mail server someone is using to spam a lot. Will look at them when I get a copy; hope cleaning these isn't causing any problems.
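An added triage helper (not from the thread, and not DiamondCS code) that parses a report in the AutoStart Viewer layout posted above and applies the same checks the helpers applied by eye: a name the thread itself identified (syscpy.exe as a spam proxy worm, powerscan.exe as spyware), a random-looking numeric filename such as 85296267.exe, a Run entry starting a System32 binary that is not on a per-machine baseline, and a Winlogon Shell/Userinit value pointing away from the stock binary. The sample report, the "location program" line layout and the System32 baseline are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in the report's "location  program" layout, a subset of the entries posted above.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell C:\WINDOW\Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IgfxTray C:\WINDOW\System32\igfxtray.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Syscpy C:\WINDOW\System32\syscpy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Power Scan C:\Program Files\Power Scan\powerscan.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\85296267.exe C:\WINDOW\System32\85296267.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit C:\WINDOW\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute autocheck autochk *
"""
# The program path starts at the first drive letter; everything before it is the autostart location.
ENTRY_RE = re.compile(r"^(?P<location>.+?)\s+(?P<path>[A-Za-z]:\\.*)$")
# Constructed baseline: System32 programs this particular machine is expected to autostart.
SYSTEM32_BASELINE = {"igfxtray.exe", "hkcmd.exe", "userinit.exe"}
# Names the thread itself called out (syscpy.exe: spam proxy worm; powerscan.exe: spyware).
KNOWN_BAD = {"syscpy.exe", "powerscan.exe"}
EXPECTED_WINLOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}

def parse_report(text):
    """Yield (location, path) pairs; lines without a drive-letter path are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m["location"], m["path"]

def triage(text):
    """Return [(location, path, reasons)] for the entries a responder should look at first."""
    findings = []
    for location, path in parse_report(text):
        p = PureWindowsPath(path)
        loc, name = location.lower(), p.name.lower()
        value = loc.rsplit("\\", 1)[-1]          # last component of the location, e.g. "shell"
        reasons = []
        if name in KNOWN_BAD:
            reasons.append("known malicious name")
        if re.fullmatch(r"\d+\.exe", name):   # random-looking numeric names like 85296267.exe
            reasons.append("numeric-only filename")
        if "\\run\\" in loc and p.parent.name.lower() == "system32" and name not in SYSTEM32_BASELINE:
            reasons.append("Run entry starts unlisted System32 binary")
        if "winlogon" in loc and value in EXPECTED_WINLOGON and name != EXPECTED_WINLOGON[value]:
            reasons.append("Winlogon %s hijacked" % value)
        if reasons:
            findings.append((location, path, "; ".join(reasons)))
    return findings
if __name__ == "__main__":
    for location, path, why in triage(SAMPLE_REPORT):
        print(f"{why}: {location} -> {path}")
```

On the sample it flags exactly the three entries Gavin and Pieter asked to have disabled, and leaves the stock Winlogon and baseline System32 entries alone.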