Strange popup downloading something? data\phonelist.ph1
I'm not sure if this is the best place to ask this, because I'm getting this info secondhand and am not sure what we're looking at here. The way it was described to me was:
Looks like a Noton Security or A/V window popping up after logging on (Win XP, not sure if home or pro). The text of the popup from my friend is:
Source: pub/dial one
Monitor File.phoneexa1.ph1
Local file: Data\phonelist.ph1
I've googled all the words there and didn't come up with anything except the extension ph1 might be a perl script thing. (I found ph2 and ph3 listed but not ph1, actually).
My friend thinks something is downloading, but I'm not convinced he's right. So - details are sketchy. Hope you can help.
Rick
Looks like a Noton Security or A/V window popping up after logging on (Win XP, not sure if home or pro). The text of the popup from my friend is:
Source: pub/dial one
Monitor File.phoneexa1.ph1
Local file: Data\phonelist.ph1
I've googled all the words there and didn't come up with anything except the extension ph1 might be a perl script thing. (I found ph2 and ph3 listed but not ph1, actually).
My friend thinks something is downloading, but I'm not convinced he's right. So - details are sketchy. Hope you can help.
Rick
Tell your friendo to pass Ad-Aware
ASKER
Should've mentioned that - yes, we've run an in-depth scan with Adaware by following their tech support advice on doing a deep scan. Only cookies come up. I think his PC is clean
Hi!
Anytime you see "dial" - it is a big "Red Flag" - dialers!
Post a HijackThis log file here and someone will take a look.
Regards...
RF
Anytime you see "dial" - it is a big "Red Flag" - dialers!
Post a HijackThis log file here and someone will take a look.
Regards...
RF
ASKER
here's the HijackThis log:
==========================
Logfile of HijackThis v1.98.2
Scan saved at 10:57:16 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Ahead\InCD\InCDsrv.e
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\System32\r_serv
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINDOWS\System32\svchos
C:\Program Files\RealVNC\VNC4\WinVNC4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.ex
C:\Program Files\Logitech\iTouch\iTou
C:\PROGRA~1\Logitech\MOUSE
C:\WINDOWS\System32\NILaun
C:\PROGRA~1\NavNT\vptray.e
C:\Program Files\Common Files\Real\Update_OB\reals
C:\WINDOWS\System32\spool\
C:\WINDOWS\System32\hphmon
C:\Program Files\Java\j2re1.4.2_04\bi
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MsgSys
C:\WINDOWS\System32\RUNDLL
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\lotus\organize\easyc
C:\Program Files\lotus\smartctr\smart
C:\Program Files\AT&T Global Network Client\NetClient.exe
C:\Program Files\lotus\smartctr\suite
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\lotus\register\remin
C:\WINDOWS\System32\HPHipm
C:\PROGRA~1\MICROS~2\OFFIC
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Documents and Settings\Michael Reynolds\My Documents\my downloads\hijackthis\Hijac
R0 - HKCU\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.ex
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTou
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.e
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bi
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTR
O4 - HKCU\..\RunOnce: [NetSP - restore database] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\Program Files\lotus\register\remin
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\Program Files\lotus\organize\easyc
O4 - Global Startup: Lotus QuickStart.lnk = C:\Program Files\lotus\wordpro\ltssta
O4 - Global Startup: Lotus SmartCenter.lnk = C:\Program Files\lotus\smartctr\smart
O4 - Global Startup: Lotus SuiteStart.lnk = C:\Program Files\lotus\smartctr\suite
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {1C955F3B-5B32-4393-A05D-2
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0
O17 - HKLM\System\CCS\Services\T
==========================
Hmmmmm. What do you think?
==========================
Logfile of HijackThis v1.98.2
Scan saved at 10:57:16 AM, on 8/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Ahead\InCD\InCDsrv.e
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc3
C:\WINDOWS\System32\r_serv
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINDOWS\System32\svchos
C:\Program Files\RealVNC\VNC4\WinVNC4
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.ex
C:\Program Files\Logitech\iTouch\iTou
C:\PROGRA~1\Logitech\MOUSE
C:\WINDOWS\System32\NILaun
C:\PROGRA~1\NavNT\vptray.e
C:\Program Files\Common Files\Real\Update_OB\reals
C:\WINDOWS\System32\spool\
C:\WINDOWS\System32\hphmon
C:\Program Files\Java\j2re1.4.2_04\bi
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MsgSys
C:\WINDOWS\System32\RUNDLL
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\lotus\organize\easyc
C:\Program Files\lotus\smartctr\smart
C:\Program Files\AT&T Global Network Client\NetClient.exe
C:\Program Files\lotus\smartctr\suite
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\lotus\register\remin
C:\WINDOWS\System32\HPHipm
C:\PROGRA~1\MICROS~2\OFFIC
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Documents and Settings\Michael Reynolds\My Documents\my downloads\hijackthis\Hijac
R0 - HKCU\Software\Microsoft\In
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroC
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.ex
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTou
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.e
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\reals
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bi
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTR
O4 - HKCU\..\RunOnce: [NetSP - restore database] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - Startup: Lotus SmartSuite Release 9 Registration.lnk = C:\Program Files\lotus\register\remin
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
O4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\Program Files\lotus\organize\easyc
O4 - Global Startup: Lotus QuickStart.lnk = C:\Program Files\lotus\wordpro\ltssta
O4 - Global Startup: Lotus SmartCenter.lnk = C:\Program Files\lotus\smartctr\smart
O4 - Global Startup: Lotus SuiteStart.lnk = C:\Program Files\lotus\smartctr\suite
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
O16 - DPF: {1C955F3B-5B32-4393-A05D-2
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0
O17 - HKLM\System\CCS\Services\T
==========================
Hmmmmm. What do you think?
ASKER
Increasing the point value. Would really appreciate some input on this strange problem.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
marcin79: we searched but did not find the files
rossfingal: Thank you, I will delete those. This is still a mystery. It may never be solved, but the fact that the file is not on the PC and you've helped clean the reg entries - I think it's safe to say the PC is ok. Plus, it is not dialling out by itself per phone records and experience. So I think that closes this question. Will be splitting points amongst you both. Thank you.
rossfingal: Thank you, I will delete those. This is still a mystery. It may never be solved, but the fact that the file is not on the PC and you've helped clean the reg entries - I think it's safe to say the PC is ok. Plus, it is not dialling out by itself per phone records and experience. So I think that closes this question. Will be splitting points amongst you both. Thank you.