Jump to content

Build Theme!
  •  
  • Infected?

Photo

Losing focus back to desktop


  • Please log in to reply
9 replies to this topic

#1 dringpiece

dringpiece

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 20 September 2006 - 08:36 PM

Hi!

Since a week, when I start any full screen game and I'm connected to the internet, after a few seconds, the game focus back to the desktop but the game is still in the taskbar. I also lose focus from active window.

Someone in a newsgroup recommended to post a hijackthis log here to see if someone can help me. So there's my log file...

Logfile of HijackThis v1.99.1
Scan saved at 22:12:54, on 2006-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Charles St-Laurent\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv1ADE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ibs4f2e6] RUNDLL32.EXE w4e9093a.dll,n 0044f2e2000000024e9093a
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (Contrôleur de DownloadManager) - http://dlm.tools.aka...vex-2.0.6.4.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133101833812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148946460171
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom....gamesplayer.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futuresho...ulcontrolxp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe

Can someone help me finding what goes wrong with my computer?

DringPiece

#2 Angelfire

Angelfire

    Silver Member

  • Authentic Member
  • PipPipPip
  • 371 posts

Posted 21 September 2006 - 06:50 AM

Hi I'm Angelfire777 and it'll be my pleasure to assist you in your problem. Reasearching Hijackthis logs could take sometime so please, be patient while I research a fix for you. Also, I have to let experts check my fixes first before bringing them to you. Please observe these while we work: 1.) Please stick with this thread until we are finished, do not start a new topic here or start a new thread at other forums. Do not worry, We were trained to help and never give up until we get you all fixed up. 2.) Stop if you have questions!! Never proceed if something is unclear to you. We don't want to start all over again. 3.) Avoid downloading other applications or other anti-spyware programs unless you really need to. 4.) Lastly, please be patient and never lose hope. Sometimes, it will take us several tries and posts to get something done. Sit back tight, I'll be back for you!

#3 dringpiece

dringpiece

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 21 September 2006 - 07:01 AM

Hi! I appreciate your reply. I will respect your recommendations, even if it is frustrating to see my computer acting strangely since a week. I tried my best to find what is wrong in my computer. I scanned my computer with many tools (spyware removers, antivirus programs) but all these tools failed and I still lose focus from full screen games and from active windows... I hope someone in this group will help me finding the way to eradicate this jksadfkjsdfsd spyware... DringPiece

#4 Angelfire

Angelfire

    Silver Member

  • Authentic Member
  • PipPipPip
  • 371 posts

Posted 22 September 2006 - 08:14 AM

Go to control panel > add/remove programs > Uninstall the items in bold if found.

1. think-adz (and similar)

Reboot
==========================
Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
==========================
Download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
DO NOT USE IT YET
==========================
Please download Brute Force Uninstaller.
Unzip it to it’s own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.

Save it in the folder you made earlier (c:\BFU).

Do not use it yet!!
==========================
Open hijackthis > choose scan only >place a checkmark against the boxes beside these entries in bold

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ibs4f2e6] RUNDLL32.EXE w4e9093a.dll,n 0044f2e2000000024e9093a
O4 - HKLM\..\Run: [septpop06apsept] C:\program files\popupwithcast\septpop06apsept.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O18 - Filter: text/html - (no CLSID) - (no file)


close ALL browsers and Windows that are running, leave only hijackthis running then click "Fix Checked"
==========================
Reboot into Safe Mode

You may want to print these instructions here or save them in notepad since you'll work offline

To enter Safe Mode..

Click start > turn off computer > Restart > When you hear the computer beep once, begin tapping F8 rapidly > this will bring up a menu > use your keyboard to scroll to safe mode > hit enter
==========================
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
==========================
Open My Computer and navigate to the c:\BFU folder.

Start the Brute Force Uninstaller by doubleclicking BFU.exe
In the 'Scriptline to execute' field, copy and paste:

c:\bfu\alcanshorty.bfu
Press execute and let it do it’s job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
==========================
Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner
  • Click on the Settings tab.
    • Under How to act?
      Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      All checkboxes should be ticked.
    • Under Possibly unwanted software:
      All checkboxes should be ticked.
    • Under Reports:
      Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished:
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
==========================
On your next reply, please include:
  • A Fresh Hijackthis log
  • ewido log
  • A detailed description on how your computer is behaving


#5 dringpiece

dringpiece

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 25 September 2006 - 04:30 AM

Hi,

I'm back from a weekend out of town. I scanned my computer yesterday evening, following your steps. Now my computer seems to work fine.

There's the fresh logs:

Logfile of HijackThis v1.99.1
Scan saved at 06:13:38, on 2006-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Charles St-Laurent\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv1ADE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (Contrôleur de DownloadManager) - http://dlm.tools.aka...vex-2.0.6.4.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133101833812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148946460171
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom....gamesplayer.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futuresho...ulcontrolxp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

And the ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 05:59:31 2006-09-25

+ Scan result:



C:\Documents and Settings\Charles St-Laurent\Mes documents\kazaa_setup.exe -> Adware.Altnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\gsplittm.sys -> Backdoor.Genlot.DX : Cleaned with backup (quarantined).
D:\backup\Net Buddy pro\netbdpro.exe/NetBuddy.exe -> Heuristic.Win32.Dialer : Cleaned with backup (quarantined).
C:\Program Files\ComPlus Applications\howynyc.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@primediabusiness.122.2o7[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@primediabusiness.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@ads.addynamix[2].txt.bak -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@admarketplace[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@admarketplace[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@adtech[2].txt.bak -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@advertising[1].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@atdmt[2].txt.bak -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@bfast[2].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@bluestreak[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@bluestreak[2].txt.bak -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@burstnet[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@burstnet[3].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@burstnet[3].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@www.burstnet[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@doubleclick[1].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@as-us.falkag[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@fastclick[1].txt.bak -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@goldenpalace[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@goldenpalace[2].txt -> TrackingCookie.Goldenpalace : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@ehg-ati.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@ehg-aarp.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@ehg-dig.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@counter.hitslink[2].txt.bak -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@linksynergy[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@linksynergy[1].txt.bak -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@mediaplex[1].txt.bak -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@qksrv[2].txt.bak -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@ads.realcastmedia[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@ads1.revenue[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@ads1.revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@ads1.revenue[3].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@ads1.revenue[3].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@revenue[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@h.starware[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@starware[2].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@www.starware[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@targetnet[1].txt.bak -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@media.top-banners[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@weborama[1].txt.bak -> TrackingCookie.Weborama : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\charles st-laurent@statse.webtrendslive[2].txt.bak -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@yadro[1].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Program Files\Enigma Software Group\SpyHunter\Backup\charles st-laurent@yadro[3].txt.dat/Documents and Settings/Charles St-Laurent/Cookies/charles st-laurent@yadro[3].txt -> TrackingCookie.Yadro : Cleaned with backup (quarantined).
C:\Documents and Settings\Charles St-Laurent\Local Settings\Temp\Cookies\charles st-laurent@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{78115315-CB31-4A61-8915-A12A264E8086}\RP655\A0183045.exe -> Trojan.Agent.ye : Cleaned with backup (quarantined).


::Report end

I will test my computer deeply this evening after work but now I have to go if I don't want to be late...

I really hope the problem is solved...

DringPiece

#6 Angelfire

Angelfire

    Silver Member

  • Authentic Member
  • PipPipPip
  • 371 posts

Posted 25 September 2006 - 06:23 AM

1.) Open hijackthis > choose scan only >place a checkmark against the boxes beside these entries in bold

O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsv1ADE.dll

close your browsers and all open windows, then click "Fix Checked"

Reboot

2.) Open Windows Explorer by hitting your windows key + E at the same time.
*If you do not have a windows key, double click My computer > click the folders icon

Then navigate to these files and delete them:


C:\WINDOWS\System32\nsv1ADE.dll


3.) Empty your recycle bin


4.) Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 5.0 Update 8, and install it to your computer.

On your next reply, please include:
  • A Fresh Hijackthis log
  • A detailed description on how your computer is behaving


#7 dringpiece

dringpiece

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 25 September 2006 - 05:47 PM

Hi!

As I said this morning, my computer seems to work fine. But to increase its security, I updated Java and I fixed the item in my hijackthis log. But I didn't find C:\WINDOWS\System32\nsv1ADE.dll anywhere in my computer so I didn't have to delete it.

There's a recent hijackthis log of my computer:

Logfile of HijackThis v1.99.1
Scan saved at 19:25:52, on 2006-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Charles St-Laurent\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: BHO pour Compagnon Web Encarta - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: Compagnon Web Encarta - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Fichiers communs\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (Contrôleur de DownloadManager) - http://dlm.tools.aka...vex-2.0.6.4.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133101833812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1148946460171
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom....gamesplayer.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.co...ty4PatcherX.cab
O16 - DPF: {D57262F5-9637-4E67-BC59-88C53EA76FC3} (ULcontrol Control) - http://pix.futuresho...ulcontrolxp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Fichiers communs\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Fichiers communs\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Fichiers communs\SolidWorks Shared\Service\SolidWorksLicensing.exe

I will want my girlfriend to try all her games to see if everything works fine in full screen mode. I hope I eradicated the malicious program on my computer (with your help, of course)...

DringPiece

#8 Angelfire

Angelfire

    Silver Member

  • Authentic Member
  • PipPipPip
  • 371 posts

Posted 09 October 2006 - 05:42 AM

Hi, I really apologize for this long delay in responding. I didn't get an email notification of your reply. I'll be back within 48 hours. Thanks.

#9 Angelfire

Angelfire

    Silver Member

  • Authentic Member
  • PipPipPip
  • 371 posts

Posted 10 October 2006 - 05:54 AM

Go to control panel > add/remove programs > Uninstall the items in bold if found.

1. TBONBin or Best offers

Reboot


Click Start > Run > Type in taskmgr.exe

Go to the Process tab then end these processes if you see them:

ALCMTR.EXE


Open Hijackthis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r


Close your browsers and all open windows except for Hijackthis, then click "Fix Checked."


Open Windows Explorer by hitting your Windows Key + E at the same time.
*If you do not have a Windows Key, double click My Computer > Click the folders icon

Then navigate to these files and delete them:

C:\WINDOWS\ALCMTR.EXE

Then navigate to these folders and delete them:

C:\Program Files\TBONBin

Empty your recycle bin.

Reboot and post a new Hijackthis log please.

#10 NonSuch

NonSuch

    MRU Administrator

  • MRU Teachers
  • 291 posts
  • MVP

Posted 24 October 2006 - 04:27 PM

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users