not-a-virus:AdWare.Win32.SaveNow.bi

Post by CharlieBalls » February 13th, 2007, 2:27 pm

Hello to all at the Malware Removal University

Unfortunately, I have had a spyware and virus problem for a while. It seems to be very unobtrusive, so I have not bothered to do anything about it till today. It has got to the point where I am looking for help, and it seems this is one of the best sites for advice!

I have been reading other posts and the advice you provide is excellent!

I have been having a problem with the file

not-a-virus:AdWare.Win32.SaveNow.bi

I have downloaded hijackthis and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 18:05:22, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\nvraidservice.exe
G:\WINDOWS\CTHELPER.EXE
G:\WINDOWS\system32\CTXFIHLP.EXE
G:\WINDOWS\system32\rundll32.exe
G:\WINDOWS\system32\LVCOMSX.EXE
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe
G:\WINDOWS\system32\CTsvcCDA.EXE
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\CyberLink\Shared Files\RichVideo.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
G:\WINDOWS\system32\wbem\unsecapp.exe
G:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
G:\Program Files\MSN Messenger\usnsvc.exe
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVRaidService] G:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] G:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VVSN] G:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "G:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: RivaTuner.lnk = G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - G:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - G:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

I’m not sure I like the look of:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

But I'm too scared to delete it until I have further confirmation.

Thanks for your time
CharlieBalls

Post by Trogan » February 13th, 2007, 5:00 pm

Hi CharlieBalls and welcome to Malware Removal! :)

Please do the following...

1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

WhenU
SaveNow


2. Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [VVSN] G:\Program Files\VVSN\VVSN.exe


- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis

3. Find and delete the following Folder:
  • G:\Program Files\VVSN <-- This folder
4. Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)

    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
5. I need to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button.
  • Save the file to your desktop, with the default name of uninstall_list
  • Copy & Paste the entire contents of that file in your next post.
6. Please post the following...

1) Kaspersky report
2) Uninstall list
3) New HijackThis log

1) Kaspersky report 2) Uninstall list 3) New HijackThis

Post by CharlieBalls » February 14th, 2007, 7:59 am

OK then...

1) Kaspersky report. It's quite long and the columns don't line up, but I hope this is ok…

KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 14, 2007 11:48:45 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/02/2007
Kaspersky Anti-Virus database records: 252660

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
D:\
F:\
G:\
H:\
I:\
J:\
K:\
M:\

Scan Statistics
Total number of scanned objects 303658
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:59:01

Infected Object Name Virus Name Last Action
G:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

G:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

G:\Documents and Settings\CM\Application Data\Autodesk\WebServices\ws_CommCntr_20070214_0.log Object is locked skipped

G:\Documents and Settings\CM\Application Data\Opera\Opera\mail\indexer\indexer.dat Object is locked skipped

G:\Documents and Settings\CM\Application Data\Opera\Opera\mail\lexicon\lexicon.dat Object is locked skipped

G:\Documents and Settings\CM\Application Data\Opera\Opera\mail\mailbase.dat Object is locked skipped

G:\Documents and Settings\CM\Cookies\index.dat Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\Working\database_CC_F1E4_CCF1_D3BE\dfsr.db Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\Working\database_CC_F1E4_CCF1_D3BE\fsr.log Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\Working\database_CC_F1E4_CCF1_D3BE\fsrtmp.log Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Messenger\charlesmortimer28@hotmail.com\SharingMetadata\Working\database_CC_F1E4_CCF1_D3BE\tmp.edb Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Windows Live Contacts\charlesmortimer28@hotmail.com\real\members.stg Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Application Data\Microsoft\Windows Live Contacts\charlesmortimer28@hotmail.com\shadow\members.stg Object is locked skipped

G:\Documents and Settings\CM\Local Settings\History\History.IE5\index.dat Object is locked skipped

G:\Documents and Settings\CM\Local Settings\History\History.IE5\MSHist012007021420070215\index.dat Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\AHI53.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\UNDA1234.ac$ Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\UNDD091A.ac$ Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\~DF2517.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\~DF278A.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\~DFB233.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\~DFB32C.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temp\~DFFECE.tmp Object is locked skipped

G:\Documents and Settings\CM\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

G:\Documents and Settings\CM\My Documents\Office\R397\BREAK UP\1 - 3D.dwg Object is locked skipped

G:\Documents and Settings\CM\My Documents\Office\R397\BREAK UP\1 - 3D.dwl Object is locked skipped

G:\Documents and Settings\CM\My Documents\Office\R397\BREAK UP\2.dwg Object is locked skipped

G:\Documents and Settings\CM\My Documents\Office\R397\BREAK UP\2.dwl Object is locked skipped

G:\Documents and Settings\CM\NTUSER.DAT Object is locked skipped

G:\Documents and Settings\CM\ntuser.dat.LOG Object is locked skipped

G:\Documents and Settings\CM\UserData\index.dat Object is locked skipped

G:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

G:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

G:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

G:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

G:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

G:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

G:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

G:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

G:\System Volume Information\_restore{B42E4396-74DF-4883-A52B-7246A0D72552}\RP184\change.log Object is locked skipped

G:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

G:\WINDOWS\Internet Logs\DFI-SLI.ldb Object is locked skipped

G:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

G:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

G:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped

G:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

G:\WINDOWS\SchedLgU.Txt Object is locked skipped

G:\WINDOWS\SoftwareDistribution\EventCache\{56E7C64D-F361-45B3-8D18-E76FEBE5FF80}.bin Object is locked skipped

G:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

G:\WINDOWS\Sti_Trace.log Object is locked skipped

G:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

G:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

G:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

G:\WINDOWS\system32\config\default Object is locked skipped

G:\WINDOWS\system32\config\default.LOG Object is locked skipped

G:\WINDOWS\system32\config\SAM Object is locked skipped

G:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

G:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

G:\WINDOWS\system32\config\SECURITY Object is locked skipped

G:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

G:\WINDOWS\system32\config\software Object is locked skipped

G:\WINDOWS\system32\config\software.LOG Object is locked skipped

G:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

G:\WINDOWS\system32\config\system Object is locked skipped

G:\WINDOWS\system32\config\system.LOG Object is locked skipped

G:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

G:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

G:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped

G:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped

G:\WINDOWS\system32\h323log.txt Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

G:\WINDOWS\Temp\ZLT0226e.TMP Object is locked skipped

G:\WINDOWS\Temp\ZLT02272.TMP Object is locked skipped

G:\WINDOWS\wiadebug.log Object is locked skipped

G:\WINDOWS\wiaservc.log Object is locked skipped

G:\WINDOWS\WindowsUpdate.log Object is locked skipped

H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

J:\System Volume Information\_restore{B42E4396-74DF-4883-A52B-7246A0D72552}\RP184\change.log Object is locked skipped

K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.


NEXT...


2) Uninstall list


Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Apple Software Update
Auction Sentry
AutoCAD 2005 - English
AutoCAD 2007 - English
Autodesk DWF Viewer
Battlefield 2(TM)
Battlefield 2142
Creative Audio Console
Creative MediaSource
Creative System Information
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
ESPR200 Software Guide
EVEREST Home Edition v2.20
FEAR
HijackThis 1.99.1
iTunes
Kaspersky Online Scanner
K-Lite Codec Pack 2.54 Full
Logitech SetPoint
Logitech® Camera Driver
MailFrontier Desktop
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Microsoft Office Project Standard 2003
Motherboard Monitor 5
MSXML 4.0 SP2 (KB927978)
Nero 6 Ultra Edition
NewsBin Pro 4.3
NVIDIA Drivers
Opera 9.10
PowerDVD
QuickPar 0.9
Race Driver 3
RealPlayer
RivaTuner v2.0 RC 16.2
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
SolidWorks 2005 SP0
Sound Blaster X-Fi
SpeedFan (remove only)
TeamSpeak 2 RC2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
ZoneAlarm Security Suite


3) New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:55:33, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\nvraidservice.exe
G:\WINDOWS\CTHELPER.EXE
G:\WINDOWS\system32\CTXFIHLP.EXE
G:\WINDOWS\system32\rundll32.exe
G:\WINDOWS\system32\LVCOMSX.EXE
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\WINDOWS\SYSTEM32\CTXFISPI.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
G:\Program Files\MSN Messenger\MsnMsgr.Exe
G:\Program Files\Messenger\msmsgs.exe
G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe
G:\WINDOWS\system32\CTsvcCDA.EXE
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\CyberLink\Shared Files\RichVideo.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\ZoneLabs\vsmon.exe
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
G:\Program Files\iPod\bin\iPodService.exe
G:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
G:\WINDOWS\system32\wbem\unsecapp.exe
G:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
G:\Program Files\MSN Messenger\usnsvc.exe
G:\Program Files\Opera\Opera.exe
G:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\AutoCAD 2007\acad.exe
G:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
G:\WINDOWS\system32\WISPTIS.EXE
G:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NVRaidService] G:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] G:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LVCOMSX] G:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe" /S
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "G:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: RivaTuner.lnk = G:\Program Files\RivaTuner v2.0 RC 16.2\RivaTuner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = G:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - G:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - G:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - G:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - G:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

I hope this is ok, as I haven't restarted the computer today.

Thanks for your super quick response and I’ll hope to hear back from you in the near future.

Thanks again
CharlieBalls

Post by Trogan » February 14th, 2007, 1:19 pm

Hi CharlieBalls

Logs are clean. Any more problems?

THANKS

Post by CharlieBalls » February 14th, 2007, 6:05 pm

Yeah… everything seems fine!

This is the first time I have used HijackThis and online scanning. As these programs are so easy to use, I will definitely start to use them far more regularly as a monthly maintenance routine. I don't use Internet Explorer and have no need to use P2P sharing or hacking sites, so I'm generally going to be safe (ish).

If I get future issues, how do I self-diagnose the problem? And what should I look out for in the future? And more to the point, how do you decide what is and what isn't a virus?

I understand the look of a report line like this is bad, due to it being the only line on the HijackThis log with (no name) and (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

However, how did you know this was dodgy?

O4 - HKLM\..\Run: [VVSN] G:\Program Files\VVSN\VVSN.exe

It was showing as a Microsoft update in the program folder. I wouldn't delete this file due to uncertainty over whether my system needs it?

Thank you so much for your help and advice, it has been very quick and concise, if I ever get a problem in the future I know where to come!

All the best in the future

CharlieBalls

Post by Trogan » February 15th, 2007, 2:21 pm

Hi CharlieBalls

This is the first time I have used HijackThis and online scanning. As these programs are so easy to use, I will definitely start to use them far more regularly as a monthly maintenance routine. I don't use Internet Explorer and have no need to use P2P sharing or hacking sites, so I'm generally going to be safe (ish).

If I get future issues, how do I self-diagnose the problem? And what should I look out for in the future? And more to the point, how do you decide what is and what isn't a virus?

All is learnt through training. It is difficult to explain what could be what without training to gain the knowledge. As I'm sure you are aware, Malware Removal is a free training school. You are more than welcome to join. :)

However, how did you know this was dodgy?

O4 - HKLM\..\Run: [VVSN] G:\Program Files\VVSN\VVSN.exe

It was showing as a Microsoft update in the program folder. I wouldn't delete this file due to uncertainty over whether my system needs it?

Google and a few other sources tell me that the program and file belongs to WhenU. This is linked to what you said in your first post about not-a-virus:AdWare.Win32.SaveNow.bi

Thank you so much for your help and advice, it has been very quick and concise, if I ever get a problem in the future I know where to come!

You're welcome! :)

Do you have any more questions, or can we archive this?
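The two judgements Trogan made in this thread (an O2 BHO reported as "(no name)" with "(no file)" is an orphaned registration; the [VVSN] Run entry launches from a folder that belongs to WhenU/SaveNow) can be written down as checks, and the second HijackThis log then confirms the fix by showing which entries disappeared. The script below is an added example, not code from the thread, from HijackThis or from Kaspersky. The marker list ADWARE_MARKERS is an assumption for illustration (a real triage tool would consult a maintained database), and the sample log lines are constructed by copying a handful of entries from the two logs posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis's own code).

Encodes the two rules applied in this thread:
  1. an O2 BHO entry reported as "(no name)" with "(no file)" is an orphaned
     registration with no backing DLL;
  2. an O4 Run entry whose executable lives under a folder tied to a known
     adware family (WhenU / SaveNow / VVSN, the names given in the thread).
A second function diffs a before/after log so the fix can be confirmed, the
way the second HijackThis log confirmed it here.
"""
import re
from dataclasses import dataclass

# Assumption: a short marker list is enough for a worked example. A real triage
# tool would consult a maintained database of adware families and paths.
ADWARE_MARKERS = ("vvsn", "whenu", "savenow")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd))"?(?:\s|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the launched executable out of a Run command, quoted or not.

    Falls back to the first whitespace-separated token when no recognisable
    executable extension is present (e.g. the dumprep entry in the log).
    """
    m = EXE_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip().split()[0]


def triage(lines) -> list:
    """Return the entries a reviewer would question, with the reason for each."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)" and m["file"] == "(no file)":
                findings.append(Finding(line, "BHO registered with no name and no backing file"))
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_path(m["cmd"]).lower()
            marker = next((mk for mk in ADWARE_MARKERS if mk in path), None)
            if marker:
                findings.append(Finding(line, f"Run entry launches from a path matching adware marker '{marker}'"))
    return findings


def removed_entries(before, after) -> list:
    """Entries present in the first log but absent from the second (R/O lines only)."""
    def entries(lines):
        return {l.strip() for l in lines if ENTRY_RE.match(l.strip())}
    return sorted(entries(before) - entries(after))


# Constructed sample: a handful of lines copied from the two logs in the thread.
BEFORE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [VVSN] G:\Program Files\VVSN\VVSN.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r'O4 - HKCU\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background',
]
# The "after" log is the same sample with the two fixed entries gone.
AFTER_LOG = [l for l in BEFORE_LOG if "(no file)" not in l and "VVSN" not in l]

if __name__ == "__main__":
    for f in triage(BEFORE_LOG):
        print(f"{f.reason}:\n    {f.line}")
    print("Removed after fix:", *removed_entries(BEFORE_LOG, AFTER_LOG), sep="\n    ")
```

Run against the constructed before-log, the script flags exactly the two entries Trogan asked to be fixed and nothing else; run on the after-log it returns no findings, and the diff lists the same two lines, which is the check "Logs are clean" amounts to. Note the O4 check keys on the executable's folder, not the Run key name, because the key name and the "Microsoft update" look of the folder are exactly what misled the original poster.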

Post by 'KotaGuy » February 19th, 2007, 12:40 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.