
[Resolved] Virus alert in taskbar


  • This topic is locked
24 replies to this topic

#1 BluNov

    New Member

  • Authentic Member
  • 17 posts

Posted 09 June 2008 - 01:29 PM

Ok, had a virus on my machine and ZoneAlarm got rid of it after a scan (well, it said it did), but I am still getting a virus alert in my task bar. My Music, My Documents and others are missing from my start menu, and utilities such as Task Manager and regedit are disabled (when I try to access them they say the administrator disabled them). The main.txt file from DSS is pasted below.


Deckard's System Scanner v20071014.68
Run by Greg on 2008-06-09 15:09:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-06-09 19:09:44 UTC - RP126 - Deckard's System Scanner Restore Point
14: 2008-06-09 19:04:44 UTC - RP125 - Removed Sony Ericsson PC Suite 1.20.173
13: 2008-06-09 19:02:42 UTC - RP124 - Remove CloneCD
12: 2008-06-08 16:43:32 UTC - RP123 - System Checkpoint
11: 2008-06-07 16:09:43 UTC - RP122 - Removed Assassin's Creed


-- First Restore Point --
1: 2008-05-29 01:50:47 UTC - RP112 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 5.17 GiB (less than 15%) free.


-- HijackThis (run as Greg.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:12: VIRUS ALERT!, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Greg\Desktop\dss.exe
C:\DOCUME~1\Greg\MYDOCU~1\hjt\Greg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll,wbsys.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WBSrv - C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: erpobmsw - {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll (file missing)
O21 - SSODL: adgpfoxs - {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

.js - JSFile - shell\open\command - NOTEPAD.EXE %1
.reg - regfile - shell\open\command - NOTEPAD.EXE %1
.scr - scrfile - shell\open\command - NOTEPAD.EXE %1
.vbs - VBSFile - shell\open\command - NOTEPAD.EXE %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S2 NVR0FLASHDev - c:\windows\nvflash.sys (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 RimUsb (BlackBerry Smartphone) - c:\windows\system32\drivers\rimusb.sys (file missing)
S3 SaiMini - c:\windows\system32\drivers\saimini.sys <Not Verified; Saitek; Configuration Software>
S3 SaiNtBus - c:\windows\system32\drivers\saibus.sys <Not Verified; Saitek; Configuration Software>
S3 SaiUFF0C - c:\windows\system32\drivers\saiuff0c.sys <Not Verified; Saitek; Configuration Software>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 ioloFileInfoList (iolo FileInfoList Service) - c:\program files\iolo\common\lib\ioloservicemanager.exe (file missing)
S4 ioloSystemService (iolo System Service) - c:\program files\iolo\common\lib\ioloservicemanager.exe (file missing)
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe
S4 RoxLiveShare9 (LiveShare P2P Server 9) - "c:\program files\common files\roxio shared\9.0\sharedcom\roxliveshare9.exe" (file missing)
S4 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-06-09 13:53:10 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-06-09 13:53:10 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Recent
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-06-09 13:53:10 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\My Documents
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\Favorites
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-06-09 13:53:10 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-06-09 13:53:10 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-06-09 13:53:10 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-09 13:42:48 0 d------c- C:\Windows XP Genuine License
2008-06-09 01:06:08 0 d------c- C:\Documents and Settings\Greg\Application Data\MailFrontier
2008-06-09 00:32:50 0 d------c- C:\WINDOWS\system32\ZoneLabs
2008-06-08 23:57:00 0 d------c- C:\Documents and Settings\Greg\Application Data\TmpRecentIcons
2008-06-08 21:24:10 0 d------c- C:\Program Files\VirtualDJ
2008-06-08 19:48:21 0 dr-h---c- C:\Documents and Settings\Greg\Recent
2008-06-03 14:29:30 0 d------c- C:\Program Files\SlySoft
2008-05-30 00:56:34 0 d------c- C:\Program Files\Guitar FX BOX 2.6
2008-05-30 00:01:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Winamp
2008-05-29 23:43:01 211488 --ahs--c- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 23:43:01 17948704 --ahs--c- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-29 23:43:00 0 d------c- C:\Program Files\Kaspersky Lab
2008-05-29 23:43:00 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-29 23:41:30 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-29 04:14:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-24 22:42:06 0 d------c- C:\Program Files\NVIDIA Corporation
2008-05-24 20:22:45 0 d------c- C:\WINDOWS\nvidia icons
2008-05-24 18:29:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Ubisoft
2008-05-24 18:25:33 0 d------c- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-24 02:53:14 120 --a----c- C:\WINDOWS\system32\bn.dll
2008-05-24 02:53:10 510 --a----c- C:\WINDOWS\system32\xtupdate.dat
2008-05-24 02:53:09 259584 --a----c- C:\WINDOWS\system32\xtbaksm.dat
2008-05-19 17:08:47 0 d-------- C:\Games
2008-05-18 22:25:40 0 d------c- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-18 21:31:18 0 d------c- C:\Documents and Settings\LocalService\Application Data\iolo
2008-05-10 15:40:38 2560 --a----c- C:\WINDOWS\_MSRSTRT.EXE


-- Find3M Report ---------------------------------------------------------------

2008-06-09 15:05:35 0 d------c- C:\Program Files\Common Files\Teleca Shared
2008-06-09 13:44:29 0 d------c- C:\Documents and Settings\Greg\Application Data\uTorrent
2008-06-09 01:07:30 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-07 12:09:56 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-05-30 01:41:30 0 d------c- C:\Documents and Settings\Greg\Application Data\LimeWire
2008-05-30 00:45:33 0 d------c- C:\Program Files\Guitar FX BOX 2.7
2008-05-20 09:41:13 0 d------c- C:\Program Files\Microsoft Silverlight
2008-05-19 00:45:32 0 d------c- C:\Documents and Settings\Greg\Application Data\iolo
2008-05-07 14:33:59 0 d------c- C:\Program Files\PDF Editor 2
2008-05-07 14:27:02 74752 --a----c- C:\WINDOWS\cadkasdeinst01e.exe
2008-05-04 23:44:57 0 d------c- C:\Program Files\NetBeans 6.1 RC2
2008-05-02 22:46:00 1630208 --a----c- C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a----c- C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a----c- C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a----c- C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a----c- C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a----c- C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a----c- C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a----c- C:\WINDOWS\system32\keystone.exe
2008-05-02 02:30:06 0 d------c- C:\Documents and Settings\Greg\Application Data\Sierra Online
2008-04-30 17:40:22 0 d------c- C:\Program Files\Notepad++
2008-04-29 19:44:06 0 d------c- C:\Program Files\Real
2008-04-29 19:24:32 0 d------c- C:\Documents and Settings\Greg\Application Data\Vso
2008-04-29 19:24:32 33 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.log
2008-04-29 19:24:31 47360 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-29 19:24:31 1144 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.inf
2008-04-29 19:24:31 7887 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.cat
2008-04-27 16:35:42 0 d------c- C:\Documents and Settings\Greg\Application Data\Adobe
2008-04-27 16:34:05 0 d------c- C:\Documents and Settings\Greg\Application Data\yoclient
2008-04-26 09:34:53 0 d------c- C:\Program Files\Java
2008-04-25 15:17:50 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat
2008-04-23 16:03:55 0 d------c- C:\Program Files\Stardock Games
2008-04-19 09:18:34 0 d------c- C:\Program Files\Vstep
2008-04-18 22:49:19 0 d------c- C:\Program Files\Realtek AC97
2008-04-18 22:48:53 0 d------c- C:\Program Files\Setup Files
2008-04-18 22:45:51 0 d------c- C:\Program Files\MSI
2008-04-18 22:32:44 0 d------c- C:\Program Files\Windows Media Connect 2
2008-04-16 23:22:53 0 d------c- C:\Program Files\DAEMON Tools Pro
2008-04-14 20:36:20 0 d------c- C:\Program Files\Yahoo!
2008-04-14 20:28:03 0 d------c- C:\Program Files\Combined Community Codec Pack
2008-04-14 20:27:27 0 d------c- C:\Program Files\Google
2008-04-13 11:55:40 0 d------c- C:\Documents and Settings\Greg\Application Data\Yahoo!
2008-04-10 00:06:07 0 d------c- C:\Documents and Settings\Greg\Application Data\NCH Swift Sound
2008-04-10 00:05:08 0 d------c- C:\Program Files\AP Tuner
2008-04-09 23:57:27 0 d------c- C:\Program Files\OOBOX
2008-04-09 22:24:14 0 d------c- C:\Documents and Settings\Greg\Application Data\albumart
2008-03-28 00:04:17 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-03-12 07:50:00 0 --a----c- C:\newFile2
2008-03-11 02:05:53 25 --a----c- C:\newFile


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
06/28/2007 17:25: VIRUS ALERT! 57344 -----c--- C:\Program Files\real\IEeREAD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42: VIRUS ALERT! C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 22:46: VIRUS ALERT!]
"nwiz"="nwiz.exe" [05/02/2008 22:46: VIRUS ALERT! C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/02/2008 22:46: VIRUS ALERT!]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [03/30/2007 17:44: VIRUS ALERT!]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/19/2006 09:07: VIRUS ALERT!]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10: VIRUS ALERT! C:\WINDOWS\KHALMNPR.Exe]
"WinampAgent"="C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 23:11: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 19:56: VIRUS ALERT!]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSetFolders"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"erpobmsw"= {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll [ ]
"adgpfoxs"= {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\wbsrv.dll 06/04/2008 18:24: VIRUS ALERT! 210168 C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll,wbsys.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
"C:\Program Files\uTorrent\uTorrent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LBTServ"=3 (0x3)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"AVP"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0324663d-bef4-11dc-9786-0019dbb0fd95}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{728aada0-fc70-11dc-9cee-806d6172696f}]
AutoRun\command- D:\InstallCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74d4fc30-b1c4-11dc-8de3-0019dbb0fd95}]
AutoRun\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da9992fc-c89d-11dc-979c-0019dbb0fd95}]
Auto\command- E:\printer.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe




-- End of Deckard's System Scanner: finished at 2008-06-09 15:13:42 ------------

Thanks in advance

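The log above is what a helper reads first, and two things in it explain the symptoms in the post: autostart entries whose file is gone ("(file missing)", "(no file)") and the Policies values that lock out Task Manager and regedit. The following Python script is an added example for this thread, not part of HijackThis, DSS or the forum's tooling; it reads sample lines copied from the log above and reports both kinds of entry. The policy descriptions in its table are this example's own wording.

```python
"""Triage of a HijackThis / Deckard's System Scanner log.

Added example for this thread; it is not part of HijackThis, DSS or the
forum's own tooling. It reports the two things a helper looks for first in a
log like the one posted:

  * autostart entries whose target file is gone ("(file missing)", "(no file)"):
    orphaned registrations left by an infection or a partial cleanup;
  * lockdown policies that rogue "security" software sets to hinder cleanup
    (DisableTaskMgr, DisableRegistryTools, ...), which produce the
    "administrator has disabled" messages the poster describes.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DSS/HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: erpobmsw - {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll (file missing)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)
"NoDispCPL"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetFolders"=1 (0x1)
"""

HJT_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")      # "O21 - SSODL: name - {CLSID} - path"
REG_KEY = re.compile(r"^\[(HKEY_[^\]]+)\]$")         # "[HKEY_CURRENT_USER\...]"
REG_VALUE = re.compile(r'^"([^"]+)"=(\d+)')          # '"DisableTaskMgr"=1 (0x1)'
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Policy values commonly set to lock the user out of cleanup tools.
# The descriptions are this example's labels, not HijackThis output.
LOCKDOWN_POLICIES = {
    "DisableTaskMgr": "Task Manager disabled",
    "DisableRegistryTools": "Registry Editor disabled",
    "DisableRegedit": "Registry Editor disabled (HijackThis O7 label)",
    "NoDispCPL": "Display Properties hidden",
    "NoSetFolders": "Settings folders removed from the Start menu",
    "NoStartMenuMorePrograms": "All Programs removed from the Start menu",
    "StartMenuLogoff": "Log Off removed from the Start menu",
    "NoToolbarCustomize": "Toolbar customisation blocked",
}


@dataclass
class Finding:
    kind: str      # "orphan" or "policy"
    section: str   # HJT section (O2, O21, ...) or the registry key
    detail: str    # entry name, or the policy and what it does
    line: str      # raw log line, for quoting in the reply


def triage(log_text: str) -> list:
    """Walk the log once and collect orphaned entries and lockdown policies."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:                                   # remember which key the values below belong to
            current_key = m.group(1)
            continue
        m = HJT_LINE.match(line)
        if m:
            section, body = m.groups()
            if any(marker in body for marker in ORPHAN_MARKERS):
                findings.append(Finding("orphan", section, body.split(" - ")[0], line))
            elif section == "O7":                # HJT's own report of a restrictive policy value
                policy = body.rsplit(", ", 1)[-1].split("=")[0]
                findings.append(Finding("policy", section, LOCKDOWN_POLICIES.get(policy, policy), line))
            continue
        m = REG_VALUE.match(line)
        if m and "policies" in current_key.lower():
            name, value = m.group(1), int(m.group(2))
            if value != 0 and name in LOCKDOWN_POLICIES:
                findings.append(Finding("policy", current_key, LOCKDOWN_POLICIES[name], line))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'orphan': 3, 'policy': 5} for the sample."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:7} {f.section}: {f.detail}")
    print(summarize(results))
```

On the sample it reports three orphaned entries (the nameless BHO, the nmwegbsf toolbar and the erpobmsw ShellServiceObjectDelayLoad entry) and five lockdown policies. Orphaned entries are harmless by themselves but mark where the infection hooked in, which is why a helper has them removed; the policy values are what produce the "administrator disabled" messages and are reset during cleanup.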


#2 silver

    Malware Expert Emeritus

  • Authentic Member
  • 2,994 posts

Posted 10 June 2008 - 11:37 PM

Hi BluNov,

It appears that you have two antivirus programs installed - Zone Alarm Security Suite and Kaspersky. Running one antivirus program is essential, but having two installed at the same time can cause conflicts, slow your system down and even cause stability problems without improving your security - even if one of them is disabled, as Kaspersky is on your machine. You should have just one antivirus program installed, and if you want a "2nd opinion", use an online scanner like Kaspersky's.

Before proceeding, please remove one of them via Start->Control Panel->Add/Remove Programs.
Please make sure you choose one currently capable of receiving updates, because an antivirus program without updates cannot protect your system effectively. If you have any problems, please stop and let me know.

------------------------------------------------------------------------

Please download Suspicious File Packer to your Desktop.
  • Right-click sfp.zip, choose Extract All... and extract sfp.exe to your Desktop
  • Double-click sfp.exe to start the program
  • Copy and Paste the following file list into the text box of the program:

    C:\WINDOWS\system32\bn.dll
    C:\WINDOWS\system32\xtupdate.dat
    C:\WINDOWS\system32\xtbaksm.dat

  • Now press the Continue button
  • A file called requested-files[YYYY-MM-DD_MM_ss].cab will appear on your Desktop.
  • Now open this page in your browser
  • Press Browse and browse to the requested-files[YYYY-MM-DD_MM_ss].cab file on your Desktop, fill in the other fields as appropriate then press Send File

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:

@echo off
dir "c:\printer.exe" /a /s >> "%userprofile%\desktop\look.txt"
dir "C:\Documents and Settings\Greg\Application Data\TmpRecentIcons" /a /s >> "%userprofile%\desktop\look.txt"
del runme.bat

Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called look.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Download SmitfraudFix (by S!Ri) to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save):
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan a large number of files on your computer for known patterns, so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.

IMPORTANT: Do NOT run any other options until you are asked to do so!

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C: ), and launch from there.

Note: process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Further info is available here.

------------------------------------------------------------------------

Once complete, please post the look.txt output, the SmitfraudFix report and a new HijackThis log.

Edited by silver, 19 June 2008 - 12:55 AM.
upload link removed

ASAP & UNITE Member

#3 BluNov

    New Member

  • Authentic Member
  • 17 posts

Posted 11 June 2008 - 10:33 AM

Ok sorry for the delay.... First the look.txt from sfp.exe

 Volume in drive C has no label.
 Volume Serial Number is 2493-73AA

 Volume in drive C has no label.
 Volume Serial Number is 2493-73AA

 Directory of C:\Documents and Settings\Greg\Application Data\TmpRecentIcons

06/08/2008  23:57: VIRUS ALERT!    <DIR>          .
06/08/2008  23:57: VIRUS ALERT!    <DIR>          ..
06/08/2008  21:24: VIRUS ALERT!               694 Virtual DJ.lnk
               1 File(s)            694 bytes

     Total Files Listed:
               1 File(s)            694 bytes
               2 Dir(s)     798,068,736 bytes free

#4 BluNov

    New Member

  • Authentic Member
  • 17 posts

Posted 11 June 2008 - 10:34 AM

The rapport.txt from SmitfraudFix

SmitFraudFix v2.323

Scan done at 12:29:46.70, Wed 06/11/2008
Run from C:\Documents and Settings\Greg\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Greg\My Documents\My Program Flies\Firefox\firefox.exe
C:\Documents and Settings\Greg\Desktop\sfp\sfp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Greg\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Greg

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Greg\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Greg\FAVORI~1

C:\DOCUME~1\Greg\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Greg\FAVORI~1\Privacy Protector.url FOUND !
C:\DOCUME~1\Greg\FAVORI~1\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"="wbsys.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

#5 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 11 June 2008 - 10:38 AM

Last, the new HJT report:

Deckard's System Scanner v20071014.68
Run by Greg on 2008-06-11 12:37:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.69 GiB (less than 15%) free.


-- HijackThis (run as Greg.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:37:08, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Greg\My Documents\My Program Flies\Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Greg\Desktop\SmitfraudFix\Policies.exe
C:\Documents and Settings\Greg\Desktop\dss.exe
C:\DOCUME~1\Greg\MYDOCU~1\hjt\Greg.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WBSrv - C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: erpobmsw - {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll (file missing)
O21 - SSODL: adgpfoxs - {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- Files created between 2008-05-11 and 2008-06-11 -----------------------------

2008-06-11 12:29:50 1274 --a----c- C:\WINDOWS\system32\tmp.reg
2008-06-11 12:06:10 625440 --ahs--c- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 02:21:56 0 d------c- C:\WINDOWS\LastGood.Tmp
2008-06-10 00:48:05 0 d--h---c- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-06-09 21:42:32 0 d------c- C:\Program Files\Minilyrics
2008-06-09 15:58:34 0 d------c- C:\Program Files\Eschalon Book 1
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Templates
2008-06-09 13:53:10 0 dr-----c- C:\Documents and Settings\Administrator\Start Menu
2008-06-09 13:53:10 0 dr-h---c- C:\Documents and Settings\Administrator\SendTo
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Recent
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\PrintHood
2008-06-09 13:53:10 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\NetHood
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\My Documents
2008-06-09 13:53:10 0 d--h---c- C:\Documents and Settings\Administrator\Local Settings
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\Favorites
2008-06-09 13:53:10 0 d------c- C:\Documents and Settings\Administrator\Desktop
2008-06-09 13:53:10 0 d--hs--c- C:\Documents and Settings\Administrator\Cookies
2008-06-09 13:53:10 0 dr-h---c- C:\Documents and Settings\Administrator\Application Data
2008-06-09 13:53:10 0 d---s--c- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-09 13:42:48 0 d------c- C:\Windows XP Genuine License
2008-06-09 01:06:08 0 d------c- C:\Documents and Settings\Greg\Application Data\MailFrontier
2008-06-09 00:32:50 0 d------c- C:\WINDOWS\system32\ZoneLabs
2008-06-08 23:57:00 0 d------c- C:\Documents and Settings\Greg\Application Data\TmpRecentIcons
2008-06-08 21:24:10 0 d------c- C:\Program Files\VirtualDJ
2008-06-08 19:48:21 0 dr-h---c- C:\Documents and Settings\Greg\Recent
2008-06-03 14:29:30 0 d------c- C:\Program Files\SlySoft
2008-05-30 00:56:34 0 d------c- C:\Program Files\Guitar FX BOX 2.6
2008-05-30 00:01:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Winamp
2008-05-29 23:43:01 211488 --ahs--c- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-29 23:41:30 0 d------c- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-29 04:14:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Command & Conquer 3 Kane's Wrath
2008-05-24 22:42:06 0 d------c- C:\Program Files\NVIDIA Corporation
2008-05-24 20:22:45 0 d------c- C:\WINDOWS\nvidia icons
2008-05-24 18:29:47 0 d------c- C:\Documents and Settings\Greg\Application Data\Ubisoft
2008-05-24 18:25:33 0 d------c- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-05-24 02:53:14 120 --a----c- C:\WINDOWS\system32\bn.dll
2008-05-24 02:53:10 510 --a----c- C:\WINDOWS\system32\xtupdate.dat
2008-05-24 02:53:09 259584 --a----c- C:\WINDOWS\system32\xtbaksm.dat
2008-05-19 17:08:47 0 d-------- C:\Games
2008-05-18 22:25:40 0 d------c- C:\Documents and Settings\Pat\Application Data\iolo
2008-05-18 21:31:18 0 d------c- C:\Documents and Settings\LocalService\Application Data\iolo


-- Find3M Report ---------------------------------------------------------------

2008-06-10 18:45:10 0 d------c- C:\Documents and Settings\Greg\Application Data\uTorrent
2008-06-09 15:05:35 0 d------c- C:\Program Files\Common Files\Teleca Shared
2008-06-09 01:07:30 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-07 12:09:56 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-05-30 01:41:30 0 d------c- C:\Documents and Settings\Greg\Application Data\LimeWire
2008-05-30 00:45:33 0 d------c- C:\Program Files\Guitar FX BOX 2.7
2008-05-20 09:44:38 2560 --a----c- C:\WINDOWS\_MSRSTRT.EXE
2008-05-20 09:41:13 0 d------c- C:\Program Files\Microsoft Silverlight
2008-05-19 00:45:32 0 d------c- C:\Documents and Settings\Greg\Application Data\iolo
2008-05-07 14:33:59 0 d------c- C:\Program Files\PDF Editor 2
2008-05-07 14:27:02 74752 --a----c- C:\WINDOWS\cadkasdeinst01e.exe
2008-05-04 23:44:57 0 d------c- C:\Program Files\NetBeans 6.1 RC2
2008-05-02 22:46:00 1630208 --a----c- C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a----c- C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a----c- C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a----c- C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a----c- C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a----c- C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a----c- C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a----c- C:\WINDOWS\system32\keystone.exe
2008-05-02 02:30:06 0 d------c- C:\Documents and Settings\Greg\Application Data\Sierra Online
2008-04-30 17:40:22 0 d------c- C:\Program Files\Notepad++
2008-04-29 19:44:06 0 d------c- C:\Program Files\Real
2008-04-29 19:24:32 0 d------c- C:\Documents and Settings\Greg\Application Data\Vso
2008-04-29 19:24:32 33 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.log
2008-04-29 19:24:31 47360 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-29 19:24:31 1144 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.inf
2008-04-29 19:24:31 7887 --a----c- C:\Documents and Settings\Greg\Application Data\pcouffin.cat
2008-04-27 16:35:42 0 d------c- C:\Documents and Settings\Greg\Application Data\Adobe
2008-04-27 16:34:05 0 d------c- C:\Documents and Settings\Greg\Application Data\yoclient
2008-04-26 09:34:53 0 d------c- C:\Program Files\Java
2008-04-25 15:17:50 664 --a----c- C:\WINDOWS\system32\d3d9caps.dat
2008-04-23 16:03:55 0 d------c- C:\Program Files\Stardock Games
2008-04-19 09:18:34 0 d------c- C:\Program Files\Vstep
2008-04-18 22:49:19 0 d------c- C:\Program Files\Realtek AC97
2008-04-18 22:48:53 0 d------c- C:\Program Files\Setup Files
2008-04-18 22:45:51 0 d------c- C:\Program Files\MSI
2008-04-18 22:32:44 0 d------c- C:\Program Files\Windows Media Connect 2
2008-04-16 23:22:53 0 d------c- C:\Program Files\DAEMON Tools Pro
2008-04-14 20:36:20 0 d------c- C:\Program Files\Yahoo!
2008-04-14 20:28:03 0 d------c- C:\Program Files\Combined Community Codec Pack
2008-04-14 20:27:27 0 d------c- C:\Program Files\Google
2008-04-13 11:55:40 0 d------c- C:\Documents and Settings\Greg\Application Data\Yahoo!
2008-03-28 00:04:17 22720 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2008-03-12 07:50:00 0 --a----c- C:\newFile2
2008-03-11 02:05:53 25 --a----c- C:\newFile


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
06/28/2007 17:25 57344 -----c--- C:\Program Files\real\IEeREAD.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [11/17/2006 05:42 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [05/02/2008 22:46]
"nwiz"="nwiz.exe" [05/02/2008 22:46 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [05/02/2008 22:46]
"tsnpstd3"="C:\WINDOWS\tsnpstd3.exe" [03/30/2007 17:44]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [09/19/2006 09:07]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 03:10 C:\WINDOWS\KHALMNPR.Exe]
"WinampAgent"="C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 19:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"erpobmsw"= {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll [ ]
"adgpfoxs"= {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\wbsrv.dll 06/04/2008 18:24 210168 C:\Documents and Settings\Greg\My Documents\My Program Flies\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadStudio]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
"C:\Program Files\uTorrent\uTorrent.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"LBTServ"=3 (0x3)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"AVP"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0324663d-bef4-11dc-9786-0019dbb0fd95}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{728aada0-fc70-11dc-9cee-806d6172696f}]
AutoRun\command- D:\InstallCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74d4fc30-b1c4-11dc-8de3-0019dbb0fd95}]
AutoRun\command- F:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da9992fc-c89d-11dc-979c-0019dbb0fd95}]
Auto\command- E:\printer.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL printer.exe




-- End of Deckard's System Scanner: finished at 2008-06-11 12:37:36 ------------

#6 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 11 June 2008 - 09:24 PM

Hi BluNov,

Please print/save a copy of the following instructions because we will be using Safe Mode, during which time you won't have access to the internet.

Reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

------------------------------------------------------------------------

Please open Start->Control Panel->Add/Remove Programs, and remove the following:

Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Development Kit 6 Update 3

These are out of date and now a security risk; you can get the latest update (Java Runtime Environment (JRE) 6 Update 6) from here.

You have µTorrent and Limewire, P2P file sharing programs installed on your computer. These programs do not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I strongly recommend you remove these via Add/Remove Programs.

------------------------------------------------------------------------

Now open HijackThis (not DSS), select Open the Misc Tools section
Press the Open Uninstall Manager... button
Scroll down the list and find this entry:

WebVideo Support

Click it to highlight it, then press Delete this entry
Then press Back, Scan and place a checkmark next to the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O21 - SSODL: erpobmsw - {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll (file missing)
O21 - SSODL: adgpfoxs - {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll (file missing)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Fix file associations with DSS:
  • Make sure DSS.exe is on your Desktop
  • Next press Start->Run, copy/paste the following command into the box and press OK:

    "%userprofile%\desktop\dss.exe" /daft

  • Press OK to the disclaimer(s) and then press Scan
  • Place checkmarks in all the boxes that appear and press Fix
  • Then close Deckard's System Scanner

------------------------------------------------------------------------

Open Notepad: press Start->Run, type notepad into the box and press OK
Select Format from the top menu and make sure Word Wrap is NOT checked.
Then, copy/paste the contents of the following code box into Notepad:
    @echo off
    rem Search the whole of C: (hidden and system files included) for the suspect file and log the result
    dir C:\xbqmfsed.exe /a /s >> results.txt 2>>&1
    rem Dump the CurrentVersion key (values and subkeys) to the same log
    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" >> results.txt 2>>&1
    rem Remove the batch file once it has finished
    del runme.bat
Select File and Save as
Save it to your Desktop as "runme.bat" (you MUST type the quotes)
Locate runme.bat on your Desktop and double-click it.
A black box should open and close after a short time, this is normal.
Another text file should appear on your Desktop called results.txt, do not open it until the black box has closed.
Post the contents of this file in your next response.

------------------------------------------------------------------------

Once complete, please post the new SmitfraudFix report, the results.txt output and a new HijackThis log.
ASAP & UNITE Member
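As an added illustration (not part of this thread, and not HijackThis or SmitfraudFix code), here is a small Python triage over HijackThis log lines like those in post #5. It flags the same kinds of entries silver asks to fix: persistence registrations (BHO, Toolbar, SSODL) whose DLL is missing or sits directly in the Windows root, and IE start/search pages that point away from Microsoft. The sample lines are constructed from the log above, with a placeholder host standing in for the truncated hijacked start page; the microsoft.com allowlist is an assumption about this XP/IE7 machine.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the HijackThis v1.99.1 log in post #5.
# The start-page host on the second line is a placeholder, not the thread's URL.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hijacked-start.example/?lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: nmwegbsf - {8255476E-97F9-470F-9190-031DD1941B74} - C:\WINDOWS\nmwegbsf.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: erpobmsw - {96C92C6B-D40F-4E92-BDD0-FED61D9DF4B0} - C:\WINDOWS\erpobmsw.dll (file missing)
O21 - SSODL: adgpfoxs - {9446596D-5E12-4E71-BBD0-2E46220B0EC6} - C:\WINDOWS\adgpfoxs.dll (file missing)
"""

# Every HJT entry is "<section> - <body>", e.g. "O21 - SSODL: name - {CLSID} - path".
ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# HJT's own markers for a registration whose target is gone.
MISSING = ("(no file)", "(file missing)")
# Sections that make code load at logon, Explorer start or into IE: persistence points.
# O9 (IE toolbar buttons) is deliberately left out; a missing xpnetdiag button is benign.
PERSISTENCE = {"O2", "O3", "O4", "O20", "O21"}
# Assumption: the IE defaults on this box all point at microsoft.com.
DEFAULT_HOST_SUFFIX = ".microsoft.com"
# A DLL dropped straight into C:\WINDOWS (not system32) is unusual for legitimate software.
WINROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _host(url: str) -> str:
    """Hostname-shaped prefix of an http(s) URL, lower-cased ('' if none)."""
    m = re.match(r"https?://([A-Za-z0-9.-]+)", url)
    return m.group(1).lower() if m else ""


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None for a clean/unknown one."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m["sec"], m["body"]

    if sec in ("R0", "R1"):
        # "key,Value = URL"; an empty value (like SearchAssistant above) is skipped
        _, _, url = body.partition(" = ")
        host = _host(url.strip())
        if host and not host.endswith(DEFAULT_HOST_SUFFIX):
            return Finding(sec, f"start/search page points at non-default host {host}", line)
        return None

    if sec in PERSISTENCE:
        target = body.rsplit(" - ", 1)[-1].strip()
        if target.endswith(MISSING):
            return Finding(sec, "persistence entry whose file no longer exists (orphaned registration)", line)
        if WINROOT_DLL.match(target):
            return Finding(sec, "DLL registered directly in the Windows root", line)
    return None


def triage(log_text: str) -> list:
    """All findings for a log, in log order."""
    return [f for f in map(check_line, log_text.splitlines()) if f is not None]


def fixlist(findings) -> list:
    """The lines one would tick before pressing 'Fix checked' in HijackThis."""
    return [f.line.strip() for f in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```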

#7 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 11 June 2008 - 11:25 PM

I followed all the instructions; however, when I reach the part to delete the WebVideo Support I am unable to locate it... Is there a reason for this, or am I leaving out something? P.S. I also inserted a pic of HijackThis to show that WebVideo is not on the list.

Attached Thumbnails

  • hjt.JPG


#8 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 11 June 2008 - 11:35 PM

That's not a problem because it looks to have already been removed, please continue with the instructions.
ASAP & UNITE Member

#9 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 12 June 2008 - 12:01 AM

OK... I am also not finding this entry

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2

I have inserted an updated log...


#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 12 June 2008 - 02:39 AM

I am also not finding this entry

That's OK too :) Please finish the instructions and make a new HijackThis log once complete. Please post the logs in your response as you have done previously rather than attach them.
ASAP & UNITE Member



#11 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 12 June 2008 - 04:11 AM

First, thanks for all the help.... OK, the SmitfraudFix report:

SmitFraudFix v2.323

Scan done at 6:11:49.87, Thu 06/12/2008
Run from C:\Documents and Settings\Greg\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Greg\My Documents\My Program Flies\Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Greg


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Greg\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Greg\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{578D0543-6261-4F50-8247-E1EF4B5B8C0E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#12 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 12 June 2008 - 04:12 AM

the result.txt

 Volume in drive C has no label.
 Volume Serial Number is 2493-73AA
File Not Found

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    DevicePath                  REG_EXPAND_SZ   %SystemRoot%\inf
    MediaPathUnexpanded         REG_EXPAND_SZ   %SystemRoot%\Media
    SM_GamesName                REG_SZ          Games
    SM_ConfigureProgramsName    REG_SZ          Set Program Access and Defaults
    ProgramFilesDir             REG_SZ          C:\Program Files
    CommonFilesDir              REG_SZ          C:\Program Files\Common Files
    ProductId                   REG_SZ          55274-640-8365391-23364
    WallPaperDir                REG_EXPAND_SZ   %SystemRoot%\Web\Wallpaper
    MediaPath                   REG_SZ          C:\WINDOWS\Media
    ProgramFilesPath            REG_EXPAND_SZ   %ProgramFiles%
    PF_AccessoriesName          REG_SZ          Accessories
    SM_AccessoriesName          REG_SZ          Accessories

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CSCSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Dynamic Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IPConfTSP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Nls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OptimalLayout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellScrap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SMDEn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Syncmgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Unimodem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\VxD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WebCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate

#13 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 12 June 2008 - 04:14 AM

finally the hjt log file
Logfile of HijackThis v1.99.1
Scan saved at 06:15:09, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Greg\My Documents\My Program Flies\Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 12 June 2008 - 04:27 AM

Hi BluNov,

That looks a lot better :) Has the Virus alert disappeared from the taskbar yet?
Also, please select Start->Control Panel->System and look under "Registered to" - does it say VIRUS ALERT?

Backup Your Registry:
  • Download ERUNT to your Desktop (right-click the link, select Save Target As..., select your Desktop and press Save)
  • Right-click erunt.zip, choose Extract All... and follow the prompts to unzip the program
  • Open the erunt folder on your Desktop and double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Then, open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
    REGEDIT4

    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da9992fc-c89d-11dc-979c-0019dbb0fd95}]

Select File and Save as
Save it to your Desktop as "fix.reg" (you MUST type the quotes)
Locate fix.reg on your Desktop, if you did it right it should look like this: [image]
Double-click it, when it asks if you want to merge with the registry, click Yes.
You can then delete fix.reg

------------------------------------------------------------------------

Open the ESET Online Scanner in Internet Explorer
  • Tick the box next to YES, I accept the Terms of Use. and click Start
  • Allow the ActiveX control to be installed by Internet Explorer
  • Once the ActiveX has finished loading click Start to initialize and update the scanner
  • When the Computer scan screen appears, leave Remove found threats UN-checked, but check the box next to Scan unwanted applications. Then click Scan to begin the scan.
  • Once complete and the summary page appears, press Start->Run, copy/paste the following command into the box and press OK:

    notepad "C:\Program Files\EsetOnlineScanner\log.txt"

  • The log file should now appear in Notepad, copy and paste the contents in your next response.

------------------------------------------------------------------------

Once complete, please post the Eset scan results and a new HijackThis log. Also, let me know how your computer is running now.
ASAP & UNITE Member
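A check worth running before merging any fix.reg, added here as an example and not part of silver's instructions above: it parses the REGEDIT4 text and reports which keys the merge would delete (the `[-KEY]` form used in this fix) versus create, and which values it would set or remove, without touching the registry. The parser is mine; the only sample content is the fix.reg from this post, and the malformed second sample (a blank line above REGEDIT4) is constructed to show the failure the note above warns about.

```python
import re
from typing import Dict, List

# Sample 1: the fix.reg content posted above (REGEDIT4 format, deletes one key).
SAMPLE_FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    "\\mountpoints2\\{da9992fc-c89d-11dc-979c-0019dbb0fd95}]\n"
)

# Sample 2 (constructed): a blank line above the header, which regedit rejects.
SAMPLE_BAD_HEADER = "\nREGEDIT4\n"

# Both header forms regedit accepts; REGEDIT4 is the one used in this thread.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


def _join_continuations(text: str) -> List[str]:
    """Join hex(...) values that continue on the next line with a trailing backslash."""
    joined, buf = [], ""
    for raw in text.splitlines():
        buf = buf + raw.strip() if buf else raw
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1]
            continue
        joined.append(buf)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def preview_reg(text: str) -> Dict[str, List[str]]:
    """Describe what merging this .reg file would do, without merging it.

    Returns lists under 'delete_keys', 'create_keys', 'set_values' and
    'delete_values'. Raises ValueError for a bad header or an unparsable line,
    so a copy/paste mistake is caught before the file is double-clicked.
    """
    lines = _join_continuations(text)
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")

    result: Dict[str, List[str]] = {
        "delete_keys": [], "create_keys": [], "set_values": [], "delete_values": []
    }
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                result["delete_keys"].append(key[1:])
                current_key = None        # values cannot follow a deleted key
            else:
                result["create_keys"].append(key)
                current_key = key
            continue
        # "Name"=value, @=value (default value), or "Name"=- (delete value)
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current_key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            value = m.group(2)
            if value == "-":
                result["delete_values"].append(f"{current_key}\\{name}")
            else:
                result["set_values"].append(f"{current_key}\\{name} = {value}")
            continue
        raise ValueError(f"line not understood: {raw!r}")
    return result


if __name__ == "__main__":
    for section, items in preview_reg(SAMPLE_FIX_REG).items():
        for item in items:
            print(f"{section}: {item}")
```

Run against the posted fix, the preview lists exactly one key under `delete_keys` and nothing else, which is what a one-key MountPoints2 removal should look like; any `create_keys` or `set_values` output from a file that was only meant to delete would be the cue to re-check the paste.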

#15 BluNov

BluNov

    New Member

  • Authentic Member
  • Pip
  • 17 posts

Posted 13 June 2008 - 12:41 AM

Ok, all the apparent original problems seem to be gone and I'd go as far as to say my PC seems to be working better than before :thumbup:, so thanks a mill.

Eset Scanner log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3180 (20080612)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=1b5112e87ad45e408c3b5995bc4697ab
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-06-12 01:38:03
# local_time=2008-06-12 09:38:03 (-0400, SA Western Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=537937
# found=0
# scan_time=8164

and the new hjt log:
Logfile of HijackThis v1.99.1
Scan saved at 02:36:51, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\tsnpstd3.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\Greg\My Documents\My Program Flies\Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Documents and Settings\Greg\My Documents\My Program Flies\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.ms...ine/install.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

One thing: ZoneAlarm is picking up a not-a-virus:RiskTool.Win32.Reboot.f as a virus. Is this a virus or is it part of the software tools?
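The way a helper reads posts #13 and #15 together is by diffing the two HijackThis logs: which processes are now running, which startup entries appeared or vanished, and which entries HijackThis itself marks "(file missing)". Below is an added example of that comparison, not code from the thread or from HijackThis; the two embedded logs are short constructed excerpts modelled on the before and after logs above (the real logs are much longer), so the parser sees the same section layout HijackThis 1.99.1 produces.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed excerpt of the 12 June log (post #13). Raw string: Windows paths.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 06:15:09, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed excerpt of the 13 June log (post #15): ZoneAlarm is running again
# and the ESET scanner's ActiveX control has been registered.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 02:36:51, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^[RFNO]\d{1,2} - ")   # R1, O2, O4, O16, O23 ...


@dataclass
class HjtLog:
    header: Dict[str, str] = field(default_factory=dict)
    processes: Set[str] = field(default_factory=set)
    entries: Set[str] = field(default_factory=set)


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis 1.99.1 log into header fields, running processes and entries."""
    log = HjtLog()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if section == "header":
            if line == "Running processes:":
                section = "processes"
            elif line.startswith("Logfile of HijackThis v"):
                log.header["version"] = line.split(" v", 1)[1]
            elif line.startswith(("Platform:", "MSIE:")):
                key, value = line.split(":", 1)
                log.header[key.strip()] = value.strip()
            continue
        if section == "processes":
            if not line:
                section = "entries"          # a blank line ends the process list
            else:
                log.processes.add(line.lower())  # NTFS paths are case-insensitive
            continue
        if ENTRY_RE.match(line):
            log.entries.add(line)
    return log


def diff_hjt(before: HjtLog, after: HjtLog) -> Dict[str, List[str]]:
    """Report what changed between two logs, plus entries HijackThis flags as missing."""
    return {
        "processes_started": sorted(after.processes - before.processes),
        "processes_gone": sorted(before.processes - after.processes),
        "entries_added": sorted(after.entries - before.entries),
        "entries_removed": sorted(before.entries - after.entries),
        "file_missing": sorted(e for e in after.entries if "(file missing)" in e),
    }


if __name__ == "__main__":
    for name, items in diff_hjt(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)).items():
        print(f"{name}:")
        for item in items:
            print(f"  {item}")
```

On the two excerpts the diff shows vsmon.exe and zlclient.exe started (ZoneAlarm back up), one O16 entry added (the ESET OnlineScanner control the scan installed), nothing removed, and the xpnetdiag.exe entry still flagged by HijackThis as "(file missing)", which is exactly the reading a helper gives these two posts.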
