I'm still trying to find the virus I inadvertently (dimly) invited on my cpu yesterday (yesterday's Program added without my knowledge post?). I discovered the "HijackThis" program, which reveals all processes and gives you the choice to delete any that have been planted there against your will, if you are smart enough to know what belongs, and what doesn't. Below is my log... is there anything there that is a definite known virus, or something that is extremely suspicious? Thanks.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\Promon.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\OpenOffice.org1.0.2\program\soffice.exe
C:\Program Files\IBM\Power Management Utility\console\status.exe
C:\WINDOWS\System32\mcshextm.exe
C:\WINDOWS\System32\tsdextsn.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\IBM\Power Management Utility\Engine\paserver.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\alan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [mcshextm] C:\WINDOWS\System32\mcshextm.exe
O4 - HKLM\..\Run: [tsdextsn] C:\WINDOWS\System32\tsdextsn.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - Startup: OpenOffice.org 1.0.2.lnk = C:\Program Files\OpenOffice.org1.0.2\program\quickstart.exe
O4 - Startup: Power Management Log Viewer.lnk = ?
O4 - Startup: Power Management Status Console.lnk = ?
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.lnk = C:\Corel\Graphics8\Programs\MFIndexer.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.2771643519
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
The other day someone pointed out to me that if you know the approximate time that you loaded something, you can do a search around that time period and see which files were modified.
Try a search of .exe files, then sort it according to date modified, or you can hit Control, Alt, Delete, which will bring up the processes or tasks running, and you can look through that to see if some weird program is running. Careful on this approach, though.
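The time-window search suggested in the post above, as an added example that is not part of the original thread: it walks a directory tree and lists `.exe` files whose modification time falls within a few hours of the approximate install time. The function names, the two-hour window, and the sample files and date are assumptions constructed for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timedelta

def files_modified_near(root, when, window_hours=2.0, extensions=(".exe",)):
    """Return (mtime, path) pairs for matching files changed inside the window, oldest first."""
    lo = (when - timedelta(hours=window_hours)).timestamp()
    hi = (when + timedelta(hours=window_hours)).timestamp()
    hits = []
    # onerror: skip directories we cannot read instead of aborting the walk
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            if not name.lower().endswith(extensions):  # case-insensitive: .EXE counts
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is locked; keep going
            if lo <= mtime <= hi:
                hits.append((mtime, path))
    # A file can carry an older timestamp copied from its installer, so an
    # empty result narrows the search but does not clear the machine.
    return sorted(hits)

def demo():
    """Constructed sample tree: four files with hand-set modification times."""
    install_time = datetime(2004, 1, 10, 15, 0)  # constructed "approximate time"
    samples = {
        "old_tool.exe": install_time - timedelta(days=30),
        "Dropped.EXE": install_time + timedelta(minutes=20),
        "notes.txt": install_time + timedelta(minutes=5),
        os.path.join("sub", "helper.exe"): install_time - timedelta(minutes=45),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, stamp in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
            os.utime(path, (stamp.timestamp(), stamp.timestamp()))
        hits = files_modified_near(root, install_time)
        return [os.path.relpath(path, root) for _mtime, path in hits]

if __name__ == "__main__":
    for rel_path in demo():
        print(rel_path)
```

On a real system, point `root` at the Windows and Program Files directories and pass the time the suspect program was installed.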
Why not just run a virus scan? There are free web based ones on the net. Also download and run Spybot to get rid of any bullshit ad software that you accidentally installed which is NOT considered a virus.
peace
axeman
Have you tried running Spybot or Ad-Aware? They're free and would probably be the easiest way to find it. Be sure to update before you run it.
PcPitstop has Gator which is spyware... Did you intentionally install PC Pitstop? You might want to uninstall it.
I have run several virus scans, and I run both Ad-Aware and Spybot several times each day, but what I'm trying to find are two files which continue to show up as WERULE when PitStop.com scans my system for running processes. They are obviously described differently in the HijackThis log, but they should be there somewhere. I'm pretty sure this is a virus I downloaded yesterday. Thanks. Alan