Help is it a virus

Hi. All of a sudden I get a small alert window popping up in the middle of the screen called "ENTER NETWORK PASSWORD",
then text saying "type your username and password".
Then there are three boxes with the details of my username etc. and my password ****'d out. I can click "OK" or "CANCEL" or "CLOSE" but the box comes back. I am running Symantec virus protector and it finds nothing, and Spybot, and it shows there are a couple of items it can't correct unless I have an admin profile.
Here's the log from HijackThis:

Logfile of HijackThis v1.99.1

Code:
Scan saved at 17:17:35, on 09/06/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\windows\SMINST\scheduler.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\WinZip E-Mail Companion\loadwzco.exe
C:\windows\System32\igfxtray.exe
C:\windows\System32\hkcmd.exe
C:\windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Users\admin\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.btbroadbandoffice.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\HP\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinZip E-Mail Companion OEAPI] "C:\Program Files\WinZip E-Mail Companion\loadwzco.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\admin\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Any ideas? Thanks in advance
Wil
 

My Computer

System One

  • Manufacturer/Model
    HP Compaq dx2300 Microtower
    CPU
    INTEL PENTIUM D 3.00Ghz
    Memory
    2GB
    Monitor(s) Displays
    HP L1940T
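
A first triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread. It groups entries by section code and lists O4 autoruns that start from outside system-wide install directories plus O23 services the scanner reported as "(file missing)"; the function names and the `TRUSTED_PREFIXES` list are assumptions made for this sketch, and a listed item is a prompt for a manual look, not a verdict.

```python
import re
from collections import defaultdict

# Sample lines copied from the log posted above (not a complete log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\admin\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
# Assumption: system-wide install locations that need admin rights to write to.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\",
                    "%programfiles%\\", "%windir%\\", "%systemroot%\\")

def parse(log):
    """Group log entries by their HijackThis section code (R0, O4, O23, ...)."""
    sections = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections

def review_items(log):
    """Return (reason, detail) pairs worth a manual look; not a verdict."""
    sections, items = parse(log), []
    for body in sections.get("O4", []):
        m = RUN.match(body)
        if not m:
            continue  # e.g. "Global Startup" entries use a different layout
        hive, _key, name, command = m.groups()
        target = command.strip().strip('"').lower()
        # A bare file name (e.g. RtHDVCpl.exe) resolves via PATH; skip it here.
        if "\\" in target and not target.startswith(TRUSTED_PREFIXES):
            items.append(("autorun outside system-wide install dirs",
                          f"{hive} [{name}] {command}"))
    for body in sections.get("O23", []):
        if body.endswith("(file missing)"):
            items.append(("service binary not found by scanner", body))
    return items

if __name__ == "__main__":
    for reason, detail in review_items(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```
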
In the advanced options/settings of Spybot there is a check box that you can tick so you can run a scan at next boot... this should set a scan to run before Windows boots and requires you to have admin rights.... don't forget to change to advanced mode first.

My Computer

System One

  • Manufacturer/Model
    Me :P
    CPU
    Core 2 Quad Q6600
    Motherboard
    Abit IN9 32X MAX
    Memory
    8 GB OCZ PC2-6400 nVIDIA SLI-Ready Edition (4X2GB)
    Graphics card(s)
    AMP! GeForce GTX 260² 896MB 448-bit GDDR3 (650MHz/2100MHz
    Sound Card
    Realtek 7.1 CH HD Audio
    Monitor(s) Displays
    17" Fujitsu siemens TFT + 32" LG HD LCD TV
    Screen Resolution
    1280x1024 + 1360x768
    Hard Drives
    150GB Raptor HDD 500GB Caviar HDD
    PSU
    Thermaltake W0133RB 1200W PSU
    Case
    Antec 900
    Cooling
    Stock + Antec 900 case fans
    Mouse
    Logitech MX Revolution
    Keyboard
    Logitech G15 (full layout)
Thanks, just ran a-squared which picked up 120 bits spybot missed.
 

OK, now I have removed the offending BTDNA.exe; it hasn't made any difference. I get the stupid box popping up every 10 mins even if I have selected to remember the password. It is prompted by Outlook Explorer. Any ideas please?
 

Argh!! I did not think of Outlook. Which version do you use?
Maybe caused by AV?
Can you try Outlook in safe mode: Start, type: outlook.exe /safe in the Start Search box, and press ENTER.
 


Yes, sorry, I only just noticed it. It's the 2007 release, can't for the life of me find what version number it is though. I am a little inexperienced but will try to articulate what you wish me to do. To start in safe mode (as a Mac user I used to hold down shift, but I think-) I can just select it from the boot-up sequence, correct? From there I can type in the executable file, i.e. "outlook.exe". Sorry if I am not on the right track here; as I say, I am a little inexperienced at this kind of stuff. Please confirm or correct. Thanks in advance
 

Click on the Start button, then in the search bar type in: outlook.exe /safe
Press Enter, Outlook should start in safe mode (do not confuse with Vista safe mode).
If it works without the popup, the problem should come from other software, like your antivirus for example.
 


Sorry, I need further explanation as I don't quite follow. I click on the bottom left start button from my desktop, I select search and then click "for files or folders"? Type outlook.exe /safe. Unfortunately I must be doing something wrong as it doesn't find anything..... Shall I take this to PM? Assuming I am able to do this, will it mean I have to start Outlook like this each time to avoid the annoying popup? I am on a network and it is doing it to the other PC as well.
 

OK, then you click on Start and Run (on the right side). In the window, browse up to the folder where Outlook stands; once the path is in there with outlook.exe at the end, add just: [space]/safe
Or modify your shortcut to open: outlook.exe /safe
 


OK, there is something going very wrong with what we are talking about. Here is how I see it: I turn my PC on, it loads up everything. I log in, I see my desktop. At the foot of the desktop is the grey bar which shows what programs are open, and on the left of it is the start button, on the right are the startup icons and the time running. So having clicked on the start button (on the left of that grey bar) up comes a list of options - programs, settings, run, search etc. Are we talking about the same thing? Sorry to sound totally dumb here but I am getting a little confused. From here if I click 'Run' up comes a box with the following in it: "C:\Program Files\DefilerPak\UnDefile.exe", so I then browse for Outlook in "C:\Program Files\Microsoft Office\Office12\", then there is a file called "OUTLOOK" which is, when I click on properties, an .exe
 
and when I select it, it shows in the Run selection as "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE", which, if I add [space]/safe, gives me a window referring to a location which is unavailable. Or, having just tried it again, it says Windows cannot find 'C:\Program Files......\OUTLOOK.EXE /safe', make sure you typed the name correctly, and then try again.
 
Strange, as normally the "safe" switch should launch Outlook with the Component Object Model (COM) add-ins turned off.
If you just run Outlook with no switch, does it launch?
 


I hope this is what you mean, but if I do the above and don't put the "[space] /safe" it launches happily enough. Is that what you mean?
 

Try this:
1/Tools menu in Outlook 2007, click Trust Center.
2/Click Add-ins, click COM Add-ins in the Manage list, and then click Go.
3/In the COM Add-Ins dialog box, click to clear the check boxes for any COM add-ins that you want to disable.
4/After you disable the add-ins, click OK, and close/restart Outlook.
5/Check.
 


cool, thanks. have followed the instruction, I have the following listed as checked:
AveryAddIn.Connect
Business Contact Manager for Outlook
Microsoft Exchange Unified Messaging
Microsoft Office Sharepoint Server Colleague Import Add-in
Microsoft Outlook Mobile Service
Microsoft VBA for Outlook Addin
Windows Search Email Indexer
WinZip E-Mail Companion
Currently, when I try to remove the "WinZip E-Mail Companion" I get the following message: "The connected state of Office Add-Ins registered in HKEY_LOCAL_MACHINE cannot be changed"
From the list can you tell which of the checked items is making the box pop up?
 

Having gone back, there are 2 I can turn off - these are:
Microsoft Exchange Unified Messaging
Microsoft Office Sharepoint Server Colleague Import Add-in
I take it it's the 1st one? Although having gone through all this today I am not getting the message popping up.....strange things, PCs.
 

Try the zip companion..... useless.
Open msconfig (click Start, in the search bar type in: msconfig and press Enter).
In msconfig, click on the Startup tab and untick the line where the zip companion is.
Apply, close and reboot.
Then check.
 
