zizou Posted August 24, 2006

I don't know exactly how, but I am infected with this virus or trojan thing that is eating up lots of my memory. My computer now recognises my total memory available as half of what is really available. It is a WINLOGON.EXE process that keeps appearing in my task manager and msconfig. It is impossible to end the process in task manager, as it has somehow disguised itself as a critical system process like the real winlogon.exe. When I uncheck it in msconfig and reboot, it just keeps coming back, both in my process list and in msconfig. I have tried Ad-Aware, Spybot, Panda and Trend Micro online scans, but none have done the trick. I even tried to use Killbox to end the process, but when I did that the computer immediately went to a BSOD and rebooted. Oh, and yes, even though the process is supposedly from a WINLOGON.EXE file residing in my C:\Windows directory (as I saw from msconfig), I was unable to locate any such file in the directory. Lots of help needed!
zizou Posted August 24, 2006

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:35 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\System32\wdfmgr.exe
D:\program files\powerstrip\pstrip.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\tvants\Tvants.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
F2 - REG:system.ini: Shell=Explorer.exe 1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
FZWG Posted August 25, 2006 (edited)

Looks as if the Infostealer.Wowcraft.D Trojan is installed on the computer. It is known for stealing sensitive information related to online games and sending it to a remote attacker.

====

Please download Ewido Anti-Malware: http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the set up program.
Once the setup is complete, run Ewido to update the definition files.
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button (the update starts and a progress bar shows the updates installed).
Once the update completes select: Scanner (at the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close Ewido for now.

====

Download ATF Cleaner: http://www.atribune.org/ccount/click.php?id=1

====

Run HijackThis, Scan
Check box for:
F2 - REG:system.ini: Shell=Explorer.exe 1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
Select: Fix checked

====

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad (Start > Run, type in: notepad):
C:\WINDOWS\system32\internst.exe
C:\WINDOWS\WINLOGON.EXE

Next, download Killbox: http://www.downloads.subratam.org/KillBox.zip
Place it in a folder on the Desktop.
Extract Pocket KillBox from the zip file.
Double-click on the red circle with white X to run it.
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard (Highlight all (Ctrl+A) and Copy (Ctrl+C)).
In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button)
KillBox will alert you the files will be deleted on next reboot, click Yes
When asked to Reboot, select Yes, however, do so to Safe Mode as follows...

====

When the machine starts again, tap the F8 key repeatedly.
You are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Press Enter to boot into Safe Mode.

====

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button
When done, a prompt appears informing of such.

====

Launch Ewido once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
Ewido begins the scanning process, and it may take a while.
Please do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process!!
Once the scan is complete, Ewido lists any infections found. It also automatically sets the recommended action.
Click: Apply all actions
Ewido will then display: All actions have been applied
Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close Ewido.

====

Restart the computer.

====

Download ComboFix to the Desktop: http://download.bleepingcomputer.com/sUBs/combofix.exe
Double-click combofix.exe
Follow the prompts. (Don't click on the window while the program is running; it may cause your system to hang.)
A log, combofix.txt, is produced.

====

You are not running an AntiVirus program or a Firewall. Must like to live dangerously!!! Please take action now to install an AV program! There are free programs you can download:
Grisoft's AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php
avast! 4 Home: http://www.avast.com/eng/avast_4_home.html
AntiVir Personal Edition: http://www.free-av.com/

====

Please provide the Ewido report, the combofix.txt, and a new HijackThis log in your response.

Edited August 25, 2006 by FZWG
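A defender-side check for what FZWG picks out of zizou's log above (a core system image running from outside System32, a padded UserInit value, a non-default Shell value, Run/RunServices entries pointing at the copy, and a Winlogon Notify package with no file behind it). This is an added example, not code from the thread or from HijackThis; it parses HijackThis-format lines, and the sample log is constructed from the entries quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Core Windows XP images that only run from %SystemRoot%\system32; the same
# file name anywhere else is the masquerade seen in the log (assumed list).
CORE_SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class Finding:
    kind: str
    detail: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def check_process(path: str) -> Optional[Finding]:
    """Flag a core system image running from anywhere but System32."""
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    if name in CORE_SYSTEM_IMAGES and not p.startswith(SYSTEM32 + "\\"):
        return Finding("masquerade", f"{name} running from {p}")
    return None


def check_shell(value: str) -> Optional[Finding]:
    """system.ini Shell= should be exactly Explorer.exe."""
    if _norm(value) != "explorer.exe":
        return Finding("shell", f"Shell is '{value.strip()}'")
    return None


def check_userinit(value: str) -> Optional[Finding]:
    """UserInit= should hold one entry, system32\\userinit.exe; anything
    appended after the comma is started at every logon."""
    entries = [_norm(e) for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e != SYSTEM32 + r"\userinit.exe"]
    if extra:
        return Finding("userinit", "extra UserInit entries: " + ", ".join(extra))
    return None


O4_RE = re.compile(r"O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
O20_RE = re.compile(r"O20 - Winlogon Notify: (\S+) - (.+)$")


def analyse_hjt(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the persistence findings."""
    findings: List[Finding] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if re.match(r"^[A-Za-z]:\\", line):
                f = check_process(line)
                if f:
                    findings.append(f)
                continue
            in_procs = False  # first non-path line ends the process list
        m = re.match(r"F2 - REG:system\.ini: Shell=(.+)$", line)
        if m:
            f = check_shell(m.group(1))
            if f:
                findings.append(f)
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.+)$", line)
        if m:
            f = check_userinit(m.group(1))
            if f:
                findings.append(f)
        m = O4_RE.match(line)
        if m:
            f = check_process(m.group(4))
            if f:
                findings.append(Finding("autorun", f"{m.group(2)} [{m.group(3)}] -> {f.detail}"))
        m = O20_RE.match(line)
        if m and "(file missing)" in m.group(2):
            findings.append(Finding("winlogon_notify", f"{m.group(1)} -> {m.group(2)}"))
    return findings


# Constructed sample: the relevant entries from zizou's first log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\System32\svchost.exe
D:\Program Files\HJT\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe 1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
"""

if __name__ == "__main__":
    for finding in analyse_hjt(SAMPLE_LOG):
        print(f"{finding.kind:16} {finding.detail}")
```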
zizou Posted August 25, 2006

Wow, thanks a lot for the reply. I will try it as soon as possible.
FZWG Posted August 25, 2006

Whenever you are ready. Making a copy of the instructions makes them easier to follow, since this page may not be available during part of the process. You can also copy them to Notepad (Start > Run, type in: notepad).

Also, made an edit! After using KillBox and rebooting, please do so to Safe Mode and just follow the rest....
zizou Posted August 25, 2006 (edited)

I have good news and bad news. The good is that WINLOGON.EXE seems to have disappeared from the running processes list. The bad news is that now I have problems starting programs. When I try to open .exe programs, it will ask me to choose the program I want to open with, like in the picture below, instead of starting up the program right away. It even affects msconfig and regedit, etc.

Edited August 25, 2006 by zizou
zizou Posted August 25, 2006

Anyway, here's the Ewido report:

C:\Program Files\Internet Explorer\sys4.exe -> Downloader.Adload.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0008007.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0008008.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008077.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\intranet.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).
C:\!KillBox\internst.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008037.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008071.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008082.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008089.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008103.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008129.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008137.DLL -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008152.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008161.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008168.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008204.DLL -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008255.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\WINDOWS\system32\myrx.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\dll4.exe -> Logger.Agent.om : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008041.exe -> Logger.Agent.om : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008081.exe -> Logger.Agent.om : Cleaned with backup (quarantined).
D:\Program Files\Hacking\GM51.exe -> Not-A-Virus.EmailFlooder.Win32.GhostMail.51 : Ignored and added to exceptions
D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe -> Not-A-Virus.HackTool.Win32.Homac : Ignored and added to exceptions
:mozilla.26:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\!KillBox\WINLOGON.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\!KillBox\Winlogon.exe( 1) -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\Program Files\Common Files\iexplore.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\dll1.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\Program Files\Internet Explorer\iexplore.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008014.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008040.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008080.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008157.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008191.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008193.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008256.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\1.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\Debug\DebugProgram.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\ExERoute.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\WINLOGON.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\explorer.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\finder.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MSCONFIG.COM -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\command.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxdiag.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\finder.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\regedit.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rundll32.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007759.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007814.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007823.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008039.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008073.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008091.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008105.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008131.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008140.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008154.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008163.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008170.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008245.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008260.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
D:\pagefile.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
[832] C:\WINDOWS\WINLOGON.EXE -> Trojan.Lineage.agz : Error during cleaning.

::Report end
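Why the .com companions in this report (explorer.com, regedit.com, rundll32.com, dxdiag.com) matter, as an added example that is not part of the thread: Windows tries the PATHEXT extensions in order, and .COM comes before .EXE, so a regedit.com found on the search path runs instead of regedit.exe whenever the name is typed without an extension. The search order and the filesystem snapshot below are constructed from the paths in the report; the resolution rule mirrors how cmd.exe resolves a bare command name.

```python
from typing import Dict, List, Optional, Set, Tuple

# Default PATHEXT order on Windows XP: .COM is tried before .EXE in every
# directory, so a regedit.com beside (or ahead of) regedit.exe wins.
PATHEXT = [".com", ".exe", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"]

# Assumed search order for a bare command name (constructed for this example):
# System32 first, then the Windows directory.
SEARCH_PATH = [r"c:\windows\system32", r"c:\windows"]

# Constructed snapshot: genuine XP tools plus the companion .com files the
# Ewido report lists, as they sat on disk before quarantine. command.com is a
# legitimate XP file and is kept to show it is not flagged.
FS_SNAPSHOT: Dict[str, Set[str]] = {
    r"c:\windows": {"explorer.exe", "regedit.exe", "explorer.com", "finder.com",
                    "1.com", "notepad.exe"},
    r"c:\windows\system32": {"rundll32.exe", "rundll32.com", "dxdiag.exe", "dxdiag.com",
                             "regedit.com", "notepad.exe", "cmd.exe", "command.com"},
}


def resolve_command(command: str, search_path: List[str],
                    fs: Dict[str, Set[str]]) -> Optional[str]:
    """Resolve a bare command name the way cmd.exe does: directories in search
    order, and within each directory every PATHEXT extension in order."""
    name = command.lower()
    for directory in search_path:
        files = fs.get(directory.lower(), set())
        for ext in PATHEXT:
            if name + ext in files:
                return directory.lower() + "\\" + name + ext
    return None


def expected_exe(command: str, search_path: List[str],
                 fs: Dict[str, Set[str]]) -> Optional[str]:
    """Where the genuine .exe lives, i.e. what the user believes will run."""
    name = command.lower() + ".exe"
    for directory in search_path:
        if name in fs.get(directory.lower(), set()):
            return directory.lower() + "\\" + name
    return None


def find_shadowed_tools(tools: List[str], search_path: List[str],
                        fs: Dict[str, Set[str]]) -> Dict[str, Tuple[str, str]]:
    """Return {tool: (what actually runs, what should run)} for every tool
    whose bare name resolves to something other than its own .exe."""
    shadowed: Dict[str, Tuple[str, str]] = {}
    for tool in tools:
        actual = resolve_command(tool, search_path, fs)
        genuine = expected_exe(tool, search_path, fs)
        if actual is not None and genuine is not None and actual != genuine:
            shadowed[tool] = (actual, genuine)
    return shadowed


def companion_files(search_path: List[str], fs: Dict[str, Set[str]]) -> List[str]:
    """List every .com/.pif on the search path whose stem also exists as an
    .exe somewhere on it. Legitimate .com tools with no .exe twin (command.com)
    and oddly named droppers with no twin (finder.com, 1.com) are left alone."""
    exe_stems = set()
    for directory in search_path:
        for f in fs.get(directory.lower(), set()):
            if f.lower().endswith(".exe"):
                exe_stems.add(f.lower()[:-4])
    hits = []
    for directory in search_path:
        for f in fs.get(directory.lower(), set()):
            stem, dot, ext = f.lower().rpartition(".")
            if dot and ext in ("com", "pif") and stem in exe_stems:
                hits.append(directory.lower() + "\\" + f.lower())
    return sorted(hits)


if __name__ == "__main__":
    tools = ["regedit", "explorer", "rundll32", "dxdiag", "notepad", "cmd"]
    for tool, (actual, genuine) in find_shadowed_tools(tools, SEARCH_PATH, FS_SNAPSHOT).items():
        print(f"{tool}: typing it runs {actual} instead of {genuine}")
    print("companion files:", companion_files(SEARCH_PATH, FS_SNAPSHOT))
```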
zizou Posted August 25, 2006

And here's the HJT log:

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Opera\Opera.exe
D:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
F2 - REG:system.ini: Shell=Explorer.exe 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
zizou Posted August 25, 2006

And by manually opening ComboFix and regedit, I managed to get a log:

ComboFix 06.08.24 - Running from: C:\Documents and Settings\krp

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\components

((((((((((((((((((((((((((((((( Files Created from 2008-24-06 to 2008/25/2006 ))))))))))))))))))))))))))))))))))

No new files created in this timespan

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2011/17/2004 07:05 PM 2297664 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/10/2004 06:32 AM 21968 --a------ C:\WINDOWS\system32\drivers\PStrip.sys
2010/05/2004 04:38 PM 33280 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2010/05/2004 04:38 PM 12928 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2010/05/2004 04:37 PM 98048 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2010/05/2004 04:37 PM 209024 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2009/02/2004 03:24 PM 82816 -ra------ C:\WINDOWS\system32\drivers\nvatabus.sys
2009/01/2005 11:03 AM 5888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2009/01/2005 11:03 AM 127488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerStrip"="d:\\program files\\powerstrip\\pstrip.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IE-Bar.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\IE-Bar.lnk"
"backup"="C:\\WINDOWS\\pss\\IE-Bar.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\IE-Bar\\iebar.exe "
"item"="IE-Bar"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="D:\\PROGRA~1\\MICROS~1\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]
"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\Diskeeper 10 Professional Edition Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\Diskeeper 10 Professional Edition Registration.lnkStartup"
"location"="Startup"
"command"="D:\\PROGRA~1\\DISKEE~1\\DISKEE~2\\ESIREG~1.EXE /remind /language=ENU /PRNM=\"Diskeeper 10 Professional Edition\""
"item"="Diskeeper 10 Professional Edition Registration"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\OpenOffice.org 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 2.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^超级播霸.lnk]
"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\超级播霸.lnk"
"backup"="C:\\WINDOWS\\pss\\超级播霸.lnkStartup"
"location"="Startup"
"command"="D:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMiniStarter.exe "
"item"="超级播霸"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!ewido]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ewido"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\2e85ba53.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="2e85ba53"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\2e85ba53.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BootSkin Startup Jobs]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BootSkin"
"hkey"="HKLM"
"command"="\"D:\\PROGRA~1\\BOOTSKIN\\BootSkin.exe\" /StartupJobs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="f4cid0f"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\f4cid0f.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogonStudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="logonstudio"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnsyslog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnpolym"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\msnpolym.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pbmini]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PodcastBarMiniStater"
"hkey"="HKCU"
"command"="D:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMiniStater.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCPitstop Optimize Registration Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Reminder"
"hkey"="HKLM"
"command"="D:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="D:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Rapget]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rapget"
"hkey"="HKLM"
"command"="D:\\Program Files\\Download toolz\\Rapget\\rapget.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"D:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Torjan Program]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WINLOGON"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\WINLOGON.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Toso]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="taskmgr" "hkey"="HKCU" "command"="\"C:\\WINDOWS\\System32\\ECURIT~1\\taskmgr.exe\" -vt yazb" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="AdobeUpdateManager" "hkey"="HKCU" "command"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WMC_AutoUpdate] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="" "hkey"="HKLM" "command"="" "inimapping"="0" Completion time: Fri 08/25/2006 23:44:32.64 ComboFix.txt Share this post Link to post Share on other sites
FZWG Posted August 25, 2006

Download the following XP File Association Fix:
http://www.dougknox.com/xp/fileassoc/xp_regfile.zip
Extract it to the Desktop to a folder of its own.
To run, double-click on the exe file in the folder.
Follow the prompts.
Restart the computer.
Check to see if you can now open programs.

====

Will get back with you later on the malware issue.
zizou Posted August 25, 2006

> Download the following XP File Association Fix:
> http://www.dougknox.com/xp/fileassoc/xp_regfile.zip
> Extract it to the Desktop to a folder of its own.
> To run, double-click on the exe file in the folder.
> Follow the prompts.
> Restart the computer.
> Check to see if you can now open programs.
> ====
> Will get back with you later on the malware issue.

That didn't help, but I fixed it on my own anyway.
FZWG Posted August 26, 2006

Still no AntiVirus program... not good.

====

You can remove the files from the Ewido Quarantine:
- Launch Ewido and click the Infections button.
- Click the Quarantine tab.
- Choose: Select All
- Click: Remove finally
- A window pops up asking "Are you sure you want to remove the selected files...??"
- Select: Yes

====

Next, launch Notepad (Start > Run, type in: notepad).
Copy/paste all of the REGEDIT text below to it:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IE-Bar.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^超级播霸.lnk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\2e85ba53.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pbmini]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Torjan Program]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Toso]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WMC_AutoUpdate]

In Notepad, go to File (upper menu bar) and select: Save as
In the Save as prompt:
  Save in: Desktop
  File Name: delete.reg
  Save as Type: All files
Click: Save
Exit out of Notepad.
Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

====

Run HijackThis, Scan
Check box for:
F2 - REG:system.ini: Shell=Explorer.exe 1
Select: Fix checked

====

Restart the computer in Safe Mode:
When the machine starts again, tap the F8 key repeatedly. You are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Press Enter to boot into Safe Mode.

====

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad (Start > Run, type in: notepad):

C:\WINDOWS\WINLOGON.EXE
C:\PROGRA~1\COMMON~1\IE-Bar
D:\Program Files\pcast
C:\WINDOWS\System32\2e85ba53.exe
C:\WINDOWS\f4cid0f.exe
C:\WINDOWS\System32\ECURIT~1
D:\Program Files\Hacking\GM51.exe
D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe

Run KillBox by double-clicking on the red circle with white X.
At the main screen of KillBox, select the option: Delete on Reboot
Open the Notepad file saved earlier and copy the files to the clipboard (Highlight all (Ctrl+A) and Copy (Ctrl+C)).
In Killbox, go to the File menu, and choose: Paste from Clipboard
Then select: All Files (button)
Now, press the button with a red circle and a white X (Delete File button).
KillBox will alert you the files will be deleted on next reboot, click: Yes
When asked to Reboot, select Yes

====

Run ComboFix once again

====

Also run HijackThis

====

Please provide the new combofix.txt, and a new HijackThis log in your response.
zizou Posted August 27, 2006

Here is the ComboFix log:
zizou Posted August 27, 2006

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:51, on 06-08-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\program files\powerstrip\pstrip.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\winupdate.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Opera\Opera.exe
D:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E730189A-9973-4121-B046-AD1C161EC3AF} - C:\WINDOWS\system32\37211.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe
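The checks the helper applies by eye across the HijackThis logs in this thread (a core-named binary running outside System32, an altered Shell or UserInit value, Run/RunServices entries launching the look-alike, a service with an unknown owner) can be automated. The script below is an added example, not code from the forum, HijackThis or ComboFix; it assumes the default XP path C:\WINDOWS\System32 and runs over a constructed sample log assembled from entries quoted in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the
forum or HijackThis). Flags core Windows binaries running outside System32 (the
fake C:\\WINDOWS\\WINLOGON.EXE), a Shell value other than Explorer.exe, extra
UserInit programs, autostarts launching look-alikes, and unknown-owner services."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Binaries that legitimately live only in %SystemRoot%\System32 on Windows XP.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe", "userinit.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumes the default XP install path

@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    detail: str

def _norm(path: str) -> str:
    """Lower-case and strip quotes so case and quoting differences do not matter."""
    return path.strip().strip('"').lower()

def _is_system32(path: str) -> bool:
    return ntpath.dirname(_norm(path)) == SYSTEM32

def check_process(line: str) -> Optional[Finding]:
    """Running-process lines are bare paths; flag core names outside System32."""
    path = _norm(line)
    name = ntpath.basename(path)
    if name in CORE_SYSTEM_BINARIES and not _is_system32(path):
        return Finding("lookalike-process", line, f"{name} running from {ntpath.dirname(path)}")
    return None

def check_shell(line: str) -> Optional[Finding]:
    """F2 Shell must be exactly Explorer.exe; anything appended is a hijack."""
    m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line)
    if m and m.group(1).strip().lower() != "explorer.exe":
        return Finding("shell-modified", line, f"Shell={m.group(1).strip()}")
    return None

def check_userinit(line: str) -> Optional[Finding]:
    """F2 UserInit should name only System32\\userinit.exe (empty fields ignored)."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
    if not m:
        return None
    programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extras = [p for p in programs if ntpath.basename(_norm(p)) != "userinit.exe"]
    return Finding("userinit-extra", line, "extra: " + ", ".join(extras)) if extras else None

def check_run_entry(line: str) -> Optional[Finding]:
    """O4 Run/RunServices entries whose target is a core-binary look-alike."""
    m = re.match(r"O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[.*?\] (.*)", line)
    hit = check_process(m.group(1)) if m else None
    return Finding("lookalike-autostart", line, hit.detail) if hit else None

def check_service(line: str) -> Optional[Finding]:
    """O23 services with an unknown owner and an image outside System32."""
    m = re.match(r"O23 - Service: .*? - (.*?) - (.*)", line)
    if m and m.group(1).strip().lower() == "unknown owner" and not _is_system32(m.group(2)):
        return Finding("unknown-service", line, f"owner unknown, image {m.group(2)}")
    return None

def triage(log: str) -> List[Finding]:
    """Walk a whole log; bare paths after 'Running processes:' are processes."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"[A-Za-z]:\\", line):
            hit = check_process(line)
        else:
            in_processes = False
            hit = check_shell(line) or check_userinit(line) or check_run_entry(line) or check_service(line)
        if hit:
            findings.append(hit)
    return findings

# Constructed sample assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\WINLOGON.EXE
F2 - REG:system.ini: Shell=Explorer.exe 1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

The same rules extend to any HijackThis log: paste one in place of SAMPLE_LOG and every look-alike, hijacked F2 value and unknown-owner service is listed with the offending line.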
zizou Posted August 27, 2006 (edited)

Btw I am behind a router (which is a firewall by itself), and I frequently use online anti-virus scans like Panda and Housecall, so I don't feel I need any anti-virus programs.

PS:
D:\Program Files\pcast
D:\Program Files\Hacking\GM51.exe
D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe
The above files are legitimate so there's no need to remove them.

Edited August 27, 2006 by zizou
FZWG Posted August 27, 2006

It is your choice to go without an AntiVirus program. If you think it works, do you realize that every time you post a log there is new malware on it? I am also behind a router and use online virus scans. There is no way I would be without a real-time AV program. Also, a software Firewall provides the ability to restrict malevolent outgoing traffic from your computer.

====

C:\\Program Files\\PCAST\\PodcastbarMini\\PodcastBarMiniStater.exe
http://www3.ca.com/securityadvisor/pest/Pe...px?id=453098354

HackTools?
D:\Program Files\Hacking\GM51.exe
D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe

====

One of the O23 Services on the HijackThis log looks suspicious. There is a legit Windows Server Update Service, but not sure this is the case.
Please do a Jotti Malware Scan: http://virusscan.jotti.org
In File to upload and scan, browse to the following:
C:\WINDOWS\winupdate.exe
Then, press: Submit
When the scan completes, copy the report, and post the results.
If Jotti's Malware scan is busy, you can also use this one, Virus Total: http://www.virustotal.com/flash/index_en.html

====

Run HijackThis, Scan
Check box for:
O2 - BHO: (no name) - {E730189A-9973-4121-B046-AD1C161EC3AF} - C:\WINDOWS\system32\37211.dll
Select: Fix checked

====

Next, enable the viewing of Hidden Files and Folders as follows:
- At your Desktop, go to Start > My Computer
- Select the Tools menu and then Folder Options
- After the new window appears select the View tab
- Select: Display the contents of system folders
- Under the Hidden files and folders section select: Show hidden files and folders
- Remove the checkmark from Hide file extensions for known file types
- Remove the checkmark from Hide protected operating system files (Recommended)
- Press the Apply button
- Click OK

Then, reboot to Safe Mode as follows:
- Restart your computer.
- When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
- Select the option for Safe Mode using the arrow keys.
- Press Enter to boot into Safe Mode.

====

Search for and, if found, delete the following file:
C:\WINDOWS\system32\37211.dll

====

Restart the computer.

====

Run HijackThis once again, and post a new log along with the information from the file scan.
zizou Posted August 27, 2006

Well, I did an ewido scan and it detected winupdate.exe as malicious adware, so I removed it. I am also unable to find the 37211.dll file. So here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 13:40, on 06-08-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\program files\powerstrip\pstrip.exe
D:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe (file missing)
zizou Report post Posted August 27, 2006

Well, one of the reasons for my reluctance to install anti-virus programs is that they take up resources and conflict with many programs. Moreover, my computer was absolutely fine and clean before I disconnected the router and connected to the internet via my modem only. This, I believe, was what caused my computer to be attacked so severely. Btw, pcast is a TV streaming program. I don't think it's the podcastbar thing. I uninstalled pcast long ago.
FZWG Report post Posted August 27, 2006

Are you familiar with: singnet.com.sg? If not, post back.

====

Click Start > Run and type in: services.msc
Click OK
In the Services window find: winupdate
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

====

Run HijackThis, Scan
Check box for:
O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe (file missing)
Select: Fix checked

On the AV issue... I've been using AVG Grisoft for years. It is not a resource hog, cuts to the chase, and gets the job done. Would strongly recommend you give an AV program a whirl.

====

After doing the above, if you are not having malware problems, you are good to go!

====

Please read the following. They are some suggestions to remain malware free:
Tony Klein's article 'How Did I Get Infected In The First Place'
http://forums.spywareinfo.com/index.php?showtopic=60955

====

Thank you for your patience, and performing the procedures requested. If you have any questions or comments, post back. Otherwise... Good luck!!
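The O23 line FZWG asks to fix above shows two tell-tale marks at once: the service binary is flagged "(file missing)" and its owner is "Unknown owner". The following is an added example, not code from the thread or from HijackThis, that runs simple triage rules over log lines in HijackThis format. It flags O23 service entries with a missing binary or no vendor, and any entry whose executable borrows the name of a core Windows process (winlogon.exe, csrss.exe, etc.) but lives outside System32. The rules and the SYSTEM32_ONLY name list are the author's own heuristics; the sample log is constructed, with the "Example Loader" line invented to show the masquerade rule firing.

```python
import re

# Constructed sample log in HijackThis format. The O18 and O23 lines mirror
# entries posted in this thread; the "Example Loader" O4 line is invented.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Example Loader] C:\WINDOWS\CSRSS.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe (file missing)
"""

# Core Windows binaries that legitimately live only in %WINDIR%\System32
# (heuristic list, chosen for this example). The same file name anywhere
# else is a masquerade and deserves a look.
SYSTEM32_ONLY = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                 "services.exe", "svchost.exe", "spoolsv.exe"}

# First Windows-style path ending in a binary extension, quotes optional.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cab))"?',
                     re.IGNORECASE)


def extract_path(line):
    """Return the first file path found in a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def classify(line):
    """Return the reasons one HijackThis line deserves attention (empty if none)."""
    reasons = []
    code = line.split(" - ", 1)[0]
    if code == "O23":
        # A registered service whose binary is gone is a leftover of a removed
        # program (as with the winupdate service) and should be deregistered.
        if "(file missing)" in line:
            reasons.append("service registration points at a missing binary")
        if "Unknown owner" in line:
            reasons.append("service binary carries no vendor information")
    path = extract_path(line)
    if path:
        parent, _, name = path.rpartition("\\")
        name = name.lower()
        if name in SYSTEM32_ONLY and not parent.lower().endswith("\\system32"):
            reasons.append(f"{name} outside System32 mimics a core Windows process")
    return reasons


def analyze(log_text):
    """Return (line, reasons) pairs for every flagged line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Note that "(file missing)" is only treated as a finding on O23 service lines; the same flag on the O18 msnim protocol entry in the log above is left alone, matching the way the thread handled it. Run against the sample, the script reports the invented CSRSS.EXE loader and the winupdate service and nothing else.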
zizou Report post Posted August 28, 2006 (edited)

Ok, I guess I am good to go then! I can't say thanks enough for what you have done. I would have been so lost! Thanks for YOUR patience and guidance!!! CHEERS!

Edited August 28, 2006 by zizou
FZWG Report post Posted August 28, 2006 (edited)

Glad to help!

Edit: Can't spell today...

Edited August 28, 2006 by FZWG