every time i log onto my comp, something called evidence sanner 1.1 pops up and wants to scan my computer for 'porn?' and delete the evidence... i never downloaded any such program and have tried repeatedly to delete it.. every time i delete it from the system32 folder, it just reappears the next time i log in.. i've run spybot and ad-aware, but it doesn't show up.. i don't know what to do, it seems i've tried everything. if anyone has any info on how to get rid of this please let me know.
thanks :)

here is my hijackthis log file if it helps at all.
Logfile of HijackThis v1.97.7
Scan saved at 6:53:35 PM, on 11/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\mkucfvsz.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\fkffcltr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [hiyeueqr] C:\WINDOWS\mkucfvsz.exe
O4 - HKLM\..\Run: [WinFavorites] c:\program files\winfavorites\WinFavorites.exe1
O4 - HKLM\..\Run: [lxcyomem] C:\WINDOWS\System32\fkffcltr.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\System32\pc32.exe bg
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

let me know if it looks like anything bad. and if i can get rid of this 'evidence scan' from here.
thanks :)

I am having the same problem. Running windows 98SE, Ad-aware 6 and spybot got rid of everything except this. I've tried many things with no luck.

Here is my Hijackthis log file:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:33 PM, on 11/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\NAVAGENT32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.exe
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.exe
C:\WINDOWS\RMYNHICQ.exe
C:\WINDOWS\SYSTEM\FVEXNHRJ.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saintjoes.com/ms_index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {EA10F72B-CE87-23CD-CA0C-E1EACDBAACDD} - C:\windows\system\yzfkzyzl.dll
O2 - BHO: (no name) - {8DA5DABA-9D05-C6DA-07BC-9C6AC33402DD} - C:\windows\system\ebtoplgz.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Windows Print Spooler] NavAgent32.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [olpczicv] C:\WINDOWS\rmynhicq.exe
O4 - HKLM\..\Run: [iyycgiju] C:\WINDOWS\SYSTEM\fvexnhrj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Windows Print Spooler] NavAgent32.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37901.8325694444
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

I know this is an old log.....
but it looks like a variation of peper to me
reply if a follow up is needed...
