Here's what I did today:
First I ran Norton AntiVirus (always active and updated anyway): all clear.
Then I tried the Housecall online scan (which I usually do about every other week): also OK.
Then the one from Panda: it came up with 4 files:
Virus:Trj/StartPage.FH - Disinfected - D:\Documents and Settings\pj\Local settings\Temp\sp.html
Virus:Trj/Xoad.A - Renamed - D:\Documents and Settings\pj\Local Settings\Temp\xwxload.exe
Virus:Trojan Horse - Disinfected - D:\ht.hta
Virus:Trj/Nethost.A - Disinfected - D:\wmssys.exe
Then on to the CA scan. This one found
D:\...\video.asx (HTML link replacer) and
F:\..\Q3567836.exe (win32.winshow.F),
which were removed.
Finally I ran RAV, and again 4 items were detected:
xwxload_exe.vir (already renamed by Panda)
D:\WINNT\fairdailer.exe
D:\WINNT\Downloaded Program Files\diver32.exe
F:\TempInternet\Pil\TempInternetFiles\ContentIE5\W16ZENGT\exitpop[1].htm
Autoclean did not work, so I deleted them all manually, except diver32.exe, which I can't find (folder options for hidden files and system files OK).
For your info on the drives:
First I had one HD with two partitions, Win2K installed.
Then I added another HD, again with a new installation of Win2K.
Normally I boot from the latter, and the old HD then becomes D and F.
If other members of the family use the PC, they boot from the old HD and have no access to the newest HD. That's why there are WINNT dirs in different locations.
Here's the new HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 20:21:09, on 06/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\pppoeservice.exe
C:\PROGRA~1\Alcatel\ENTERN~1\app\EnterNet.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\RVS\WCOM\SYSTEM\ccsrv.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\PROGRA~1\SONYER~1\Mobile\MOBILE~1\EPMWOR~1.EXE
C:\Program Files\Legato\AgentSrv.EXE
C:\Program Files\Legato\CBSYSTRAY.EXE
C:\PROGRA~1\SONYER~1\Mobile\AUFILE~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\Ecfmserv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O2 - BHO: RUPK - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\sypcms.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [HitwarePKLite] C:\Program Files\Hitware Popup Killer Lite\HitwarePKLite.exe
O4 - HKCU\..\RunOnce: [CommCenter] C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Legato\CBSysTray.exe
O4 - Startup: Legato TaskBar Icon.LNK = C:\Program Files\Legato\CBSysTray.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
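A small triage script for logs like the one above, added here as an example and not part of the original post or of HijackThis itself. It parses the R0/O2/O3/O4/O16 lines, pulls out the file path or URL each entry points at (including unquoted paths with spaces, which HijackThis prints as-is), and attaches review notes for the things a reviewer checks first: O4 entries that name a bare executable resolved through the search path, RunOnce entries that vanish after the next logon, BHOs with no name, O16 ActiveX downloads and their host, and any entry loading from a drive other than the booted one. That last rule matters for this setup in particular: the log only reflects the C: installation that was booted, so the D:\WINNT and F: finds from the scanners belong to the other Windows install and cannot show up here. The sample lines are copied from the log above (with the forum-truncated "..." URLs left as they are); the drive letter of the booted install (`boot_drive="C"`) is an assumption taken from the log's paths.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Lines copied from the HijackThis log above; O16 URLs are as the forum truncated them.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKCU\..\RunOnce: [CommCenter] C:\Program Files\RVS\WCOM\SYSTEM\ccui.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# Absolute Windows path up to the first executable-looking extension. This is how
# an unquoted path with spaces ("C:\Program Files\x\y.exe -r") gets recovered.
EXE_RE = re.compile(
    r"(?P<p>[A-Za-z]:\\.+?\.(?:exe|dll|ocx|scr|com|bat|cmd|vbs|hta))(?:\b|$)", re.I)


@dataclass
class Entry:
    kind: str
    body: str
    path: Optional[str] = None
    clsid: Optional[str] = None
    url: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def extract_path(kind: str, body: str) -> Optional[str]:
    """Return the file an entry loads, or None for bare names like 'mobsync.exe'."""
    if kind == "O4":
        # Run/RunOnce: "[name] cmdline"; Startup: "x.lnk = target"
        cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        m = EXE_RE.match(cmd)
        return m.group("p") if m else None
    if kind in ("O2", "O3"):
        m = EXE_RE.search(body.rsplit(" - ", 1)[-1])   # last " - " field is the DLL
        return m.group("p") if m else None
    return None


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes" list, blank lines
        kind, body = m.group("kind"), m.group("body")
        c, u = CLSID_RE.search(body), URL_RE.search(body)
        entries.append(Entry(kind, body, extract_path(kind, body),
                             c.group(0) if c else None, u.group(0) if u else None))
    return entries


def triage(entry: Entry, boot_drive: str = "C") -> List[str]:
    """Attach review notes to an entry; an empty list means nothing stood out."""
    n = entry.notes
    if entry.kind == "O4":
        if entry.path is None:
            n.append("bare filename: resolved through the search path, so confirm which copy runs")
        if "RunOnce" in entry.body:
            n.append("RunOnce: fires at next logon and deletes itself; copy the file before rebooting")
    if entry.kind == "O2" and entry.body.startswith("BHO: (no name)"):
        n.append("unnamed BHO: identify it by CLSID and file before keeping it")
    if entry.path and entry.path[0].upper() != boot_drive.upper():
        n.append(f"loads from drive {entry.path[0].upper()}: (not the booted install)")
    if entry.kind == "O16" and entry.url:
        host = urlsplit(entry.url).hostname
        n.append(f"ActiveX control downloaded from {host}: scanners register here too, check the host")
    return n


def flagged(text: str, boot_drive: str = "C") -> List[Entry]:
    return [e for e in parse_log(text) if triage(e, boot_drive)]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind}  {e.path or e.url or '-'}")
        for note in e.notes:
            print(f"      - {note}")
```

Entries with no notes are not clean, only unremarkable to a regex; the point of the rules is to order the manual work (look up CLSIDs, check file hashes, inspect the other installation's WINNT directory directly) rather than replace it.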