zizou

WINLOGON.EXE virus. URGENT HELP NEEDED.


I don't know exactly how, but I am infected with this virus or trojan thing that is eating up lots of my memory. My computer now recognises my total memory available as half of what is really available.

 

It is a WINLOGON.EXE process that keeps appearing in my task manager and msconfig. It is impossible to end the process in task manager, as it has somehow disguised itself as a critical system process like the real winlogon.exe. When I uncheck it in msconfig and reboot, it just keeps coming back, both in my process list and in msconfig.

 

I have tried Ad-Aware, Spybot, Panda and Trend Micro online scans, but none have done the trick. I even tried to use Killbox to end the process, but when I did that the computer immediately went to a BSOD and rebooted.

 

Oh, and yes: even though the process is supposedly from a WINLOGON.EXE file residing in my C:\Windows directory (as I saw from msconfig), I was unable to locate any such file in the directory.

 

Lots of help needed!


here is my HijackThis log

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:42:35 PM, on 8/24/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

D:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\WINLOGON.EXE

C:\WINDOWS\System32\wdfmgr.exe

D:\program files\powerstrip\pstrip.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

D:\Program Files\tvants\Tvants.exe

D:\Program Files\Opera\Opera.exe

D:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080

F2 - REG:system.ini: Shell=Explorer.exe 1

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Looks as if the Infostealer.Wowcraft.D Trojan is installed on the computer. It is known for stealing sensitive information related to online games and sending it to a remote attacker.

 

====

Please download Ewido Anti-Malware:

http://www.ewido.net/en/download/

Locate the icon on the Desktop and double-click it to launch the set up program.

Once the setup is complete run Ewido to update the definition files.

On the main screen select Update, and then select the Update Now link.

Next, select the Start Update button

(The update starts and a progress bar shows the updates installed.)

 

Once the update completes select: Scanner (the top of the screen)

Select the Settings tab

Once in the Settings screen click on: Recommended actions

Select: Quarantine

Under: Reports, select: Automatically generate report after every scan

Un-Select: Only if threats were found

Close Ewido for now.

 

====

Download ATF Cleaner:

http://www.atribune.org/ccount/click.php?id=1

 

====

Run HijackThis, Scan

Check box for:

 

F2 - REG:system.ini: Shell=Explorer.exe 1

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe

 

O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

 

O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)

 

Select: Fix checked

 

====

====

Copy all the files below (CTRL+C) and paste (CTRL+V) them to Notepad

(Start > Run, type in: notepad):

 

C:\WINDOWS\system32\internst.exe

C:\WINDOWS\WINLOGON.EXE

 

Next, download Killbox:

http://www.downloads.subratam.org/KillBox.zip

Place it in a folder on the Desktop.

Extract Pocket KillBox from the zip file

Double-click on the red circle with white X to run it.

 

At the main screen of KillBox, select the option: Delete on Reboot

Open the Notepad file saved earlier and copy the files to the clipboard

(Highlight all (Ctrl+A) and Copy (Ctrl+C).)

 

In Killbox, go to the File menu, and choose: Paste from Clipboard

Then select: All Files (button)

Now, press the button with a red circle and a white X (Delete File button)

KillBox will alert you the files will be deleted on next reboot, click Yes

When asked to Reboot, select Yes, however, do so to Safe Mode as follows...

 

====

When the machine starts again, tap the F8 key repeatedly.

You are presented with a Windows XP Advanced Options menu.

Select the option for Safe Mode using the arrow keys.

Press Enter to boot into Safe Mode.

 

====

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button

 

When done a prompt appears informing of such.

 

====

Launch Ewido once again

Select: Scanner (at the top)

Select the Scan tab

Click on: Complete System Scan

Ewido begins the scanning process, and it may take a while.

Please do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process!!

 

Once the scan is complete, Ewido lists any infections found.

It also automatically sets the recommended action.

Click: Apply all actions

Ewido will then display: All actions have been applied

 

Next select: Reports (at the top)

Select: Save report as (lower left of the screen)

Save the report to a text file in a location where you can find it!

Close Ewido.

 

====

Restart the computer.

 

====

Download ComboFix to the Desktop:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe

Follow the prompts.

(Don't click on the window while the program is running, it may cause your system to hang.)

 

A log, combofix.txt is produced.

 

====

You are not running an AntiVirus program or a Firewall.

Must like to live dangerously!!!

 

Please take action now to install an AV program! There are free programs you can download:

 

Grisoft’s AVG Anti-virus Free Edition: http://free.grisoft.com/freeweb.php

 

avast! 4 Home: http://www.avast.com/eng/avast_4_home.html

 

AntiVir Personal Edition: http://www.free-av.com/

 

 

====

Please provide the Ewido report, the combofix.txt, and a new HijackThis log in your response.

Edited by FZWG

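The reply above picks out the entries in zizou's HijackThis log that matter: a WINLOGON.EXE running from C:\WINDOWS instead of C:\WINDOWS\system32, a UserInit value with a second executable chained after userinit.exe, Run/RunServices entries launching that file, and a Winlogon Notify DLL that no longer exists on disk. The following script is an added example, not code from the thread or from the HijackThis project: it applies those same checks to log text. The sample log is constructed from lines of the post above, and the table of where XP keeps its core binaries is an assumption about a default install.

```python
import ntpath
import re

# Constructed sample: lines copied from the HijackThis log posted above, trimmed.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\WINLOGON.EXE
D:\Program Files\HJT\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe 1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\WINDOWS\system32\internst.exe
O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumed home directories of the genuine core binaries on a default XP install.
# A file with one of these names anywhere else is a lookalike, which is why
# C:\WINDOWS\WINLOGON.EXE stands out beside C:\WINDOWS\system32\winlogon.exe.
CRITICAL_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def check_lookalike(path):
    """Return a reason if `path` names a core binary outside its home directory, else None."""
    directory, name = ntpath.split(path.strip().lower())
    home = CRITICAL_BINARIES.get(name)
    if home and directory != home:
        return f"{name} loaded from {directory}, genuine copy lives in {home}"
    return None


def check_userinit(value):
    """UserInit is a comma list; anything besides userinit.exe runs at every logon."""
    extras = [e.strip() for e in value.split(",")
              if e.strip() and ntpath.basename(e.strip().lower()) != "userinit.exe"]
    return f"UserInit chains extra programs: {', '.join(extras)}" if extras else None


def triage_hjt_log(text):
    """Return (section, line, reason) for each suspicious entry in a HijackThis log."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            reason = check_lookalike(line)
            if reason:
                findings.append(("process", line, reason))
            continue
        m = re.match(r"^(F2|O4|O20) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "F2":
            # "REG:system.ini: Key=value" -> compare against the XP defaults
            key, _, value = body.split(": ", 1)[-1].partition("=")
            if key.lower() == "shell" and value.strip().lower() != "explorer.exe":
                reason = f"Shell is {value.strip()!r}, default is 'Explorer.exe'"
            elif key.lower() == "userinit":
                reason = check_userinit(value)
        elif section == "O4":
            # "HKLM\..\Run: [name] target" -> inspect the launched target
            target = body.split("] ", 1)[1] if "] " in body else body
            reason = check_lookalike(target)
        elif section == "O20" and "(file missing)" in body:
            reason = "Winlogon Notify DLL is registered but absent on disk (orphaned persistence)"
        if reason:
            findings.append((section, line, reason))
    return findings


if __name__ == "__main__":
    for section, line, reason in triage_hjt_log(SAMPLE_HJT):
        print(f"[{section}] {line}\n    -> {reason}")
```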

Whenever you are ready.

 

Making a copy of the instructions makes them easier to follow since this page may not be available during part of the process. You can also copy them to Notepad (Start > Run, type in: notepad)

 

Also, made an edit!

 

After using KillBox and rebooting, please do so to Safe Mode and just follow the rest....


I have good news and bad news.

 

The good is that WINLOGON.EXE seems to have disappeared from the running processes list.

 

The bad news is that now I have problems starting programs. When I try to open .exe programs, it asks me to choose the program I want to open them with, like in the picture below, instead of starting up the program right away. It even affects msconfig and regedit, etc.

 

Posted Image

Edited by zizou


Anyway, here's the Ewido report:

 

C:\Program Files\Internet Explorer\sys4.exe -> Downloader.Adload.eh : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0008007.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0008008.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008077.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).

C:\WINDOWS\system32\intranet.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).

C:\!KillBox\internst.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008037.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008071.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008082.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008089.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008103.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008129.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008137.DLL -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008152.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008161.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008168.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008204.DLL -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008255.exe -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\WINDOWS\system32\myrx.dll -> Logger.Agent.oi : Cleaned with backup (quarantined).

C:\Program Files\Internet Explorer\dll4.exe -> Logger.Agent.om : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008041.exe -> Logger.Agent.om : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008081.exe -> Logger.Agent.om : Cleaned with backup (quarantined).

D:\Program Files\Hacking\GM51.exe -> Not-A-Virus.EmailFlooder.Win32.GhostMail.51 : Ignored and added to exceptions

D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe -> Not-A-Virus.HackTool.Win32.Homac : Ignored and added to exceptions

:mozilla.26:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).

:mozilla.10:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).

:mozilla.11:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).

:mozilla.12:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).

C:\!KillBox\WINLOGON.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\!KillBox\Winlogon.exe( 1) -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\Program Files\Common Files\iexplore.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\Program Files\Internet Explorer\dll1.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\Program Files\Internet Explorer\iexplore.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008014.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008040.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008080.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008157.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008191.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008193.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008256.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\1.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\Debug\DebugProgram.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\ExERoute.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\WINLOGON.EXE -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\explorer.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\finder.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\MSCONFIG.COM -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\command.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\dxdiag.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\finder.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\regedit.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

C:\WINDOWS\system32\rundll32.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007759.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007814.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP35\A0007823.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008039.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008073.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008091.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008105.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008131.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008140.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008154.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008163.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP36\A0008170.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008245.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{9F61EF6F-E555-490A-ADBA-1096B5AE2A1A}\RP37\A0008260.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

D:\pagefile.pif -> Trojan.Lineage.agz : Cleaned with backup (quarantined).

[832] C:\WINDOWS\WINLOGON.EXE -> Trojan.Lineage.agz : Error during cleaning.

 

 

::Report end

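Two things in the posts above fit together: the Ewido report lists .com files sitting beside genuine Windows tools (regedit.com, MSCONFIG.COM, dxdiag.com, rundll32.com, explorer.com), and zizou reports that every .exe now brings up an Open With prompt. The script below is an added example, not code from the thread, from Ewido or from HijackThis: it parses report lines, then shows why a bare name typed at the command prompt resolves to the .com companion (.COM precedes .EXE in PATHEXT and cmd.exe tries every extension in a directory before moving on), and checks an exported exefile open command against the default, since a damaged exefile association is one common cause of that prompt. The genuine-tool locations, the two .reg exports and the loader path in the hijacked one are constructed; the thread does not show the actual registry value.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the Ewido report posted above.
EWIDO_REPORT = r"""
C:\WINDOWS\system32\intranet.exe -> Downloader.Small.dgc : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\krp\Application Data\Mozilla\Firefox\Profiles\4yxrjoqi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\WINDOWS\ExERoute.exe -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\explorer.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\finder.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MSCONFIG.COM -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dxdiag.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\regedit.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rundll32.com -> Trojan.Lineage.agz : Cleaned with backup (quarantined).
[832] C:\WINDOWS\WINLOGON.EXE -> Trojan.Lineage.agz : Error during cleaning.
"""

REPORT_LINE = re.compile(r"^(?:\[\d+\] )?(.+?) -> (\S+) : (.+)$")


def parse_report(text):
    """Yield (path, detection, action) per line; the [pid] prefix and cookie entries are dropped."""
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m and not m.group(1).startswith(":mozilla."):
            yield m.groups()


# Default XP search order for a bare command name and the PATHEXT precedence.
# cmd.exe tries every extension in one directory before the next directory.
SEARCH_PATH = [r"c:\windows\system32", r"c:\windows", r"c:\windows\system32\wbem"]
PATHEXT = [".com", ".exe", ".bat", ".cmd"]

# Assumed locations of the genuine tools (a constructed model, not read from a disk).
GENUINE = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\dxdiag.exe",
    r"c:\windows\regedit.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\pchealth\helpctr\binaries\msconfig.exe",
}


def resolve(command, files):
    """Return the path cmd.exe would run for `command`, given the set of files present."""
    present = {f.lower() for f in files}
    for directory in SEARCH_PATH:
        for ext in PATHEXT:
            candidate = f"{directory}\\{command.lower()}{ext}"
            if candidate in present:
                return candidate
    return None


def shadowed_commands(report_text, genuine=GENUINE):
    """Map each command name captured by a detected companion to (companion, displaced tool or None)."""
    detected = {p.lower() for p, _, _ in parse_report(report_text)}
    captured = {}
    for path in detected:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext == ".exe" or ext not in PATHEXT:
            continue  # only non-.exe PATHEXT companions are modelled here
        if resolve(stem, genuine | detected) == path:
            twin = next((g for g in genuine if ntpath.basename(g) == stem + ".exe"), None)
            captured[stem] = (path, twin)
    return captured


# Default "open" verb for .exe files. Anything else routes every double-click through
# another program first; once that program is gone, Windows shows the Open With prompt.
DEFAULT_EXEFILE_OPEN = '"%1" %*'


def exefile_open_command(reg_export):
    """Return the unescaped default value under exefile/shell/open/command from a .reg export."""
    lines = [l.strip() for l in reg_export.splitlines()]
    for i, line in enumerate(lines):
        if line.lower() != r"[hkey_classes_root\exefile\shell\open\command]":
            continue
        for nxt in lines[i + 1:]:
            if nxt.startswith("["):
                break
            if nxt.startswith('@="') and nxt.endswith('"'):
                return nxt[3:-1].replace('\\"', '"').replace("\\\\", "\\")
    return None


# Constructed .reg exports: the clean default, and the shape of a hijack with a placeholder loader.
CLEAN_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\PLACEHOLDER_loader.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for name, (companion, twin) in sorted(shadowed_commands(EWIDO_REPORT).items()):
        print(f"'{name}' -> {companion}  (displaces: {twin})")
    for label, reg in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, "default" if exefile_open_command(reg) == DEFAULT_EXEFILE_OPEN else "NOT default")
```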

And here's the HJT log:

 

Logfile of HijackThis v1.99.1

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

D:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Program Files\Opera\Opera.exe

D:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080

F2 - REG:system.ini: Shell=Explorer.exe 1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


And by manually opening ComboFix and regedit, I managed to get a log:

 

 

ComboFix 06.08.24 - Running from: C:\Documents and Settings\krp

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\components

 

 

((((((((((((((((((((((((((((((( Files Created from 2008-24-06 to 2008/25/2006 ))))))))))))))))))))))))))))))))))

 

 

No new files created in this timespan

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2011/17/2004 07:05 PM 2297664 --a------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/10/2004 06:32 AM 21968 --a------ C:\WINDOWS\system32\drivers\PStrip.sys

2010/05/2004 04:38 PM 33280 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys

2010/05/2004 04:38 PM 12928 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys

2010/05/2004 04:37 PM 98048 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys

2010/05/2004 04:37 PM 209024 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys

2009/02/2004 03:24 PM 82816 -ra------ C:\WINDOWS\system32\drivers\nvatabus.sys

2009/01/2005 11:03 AM 5888 --------- C:\WINDOWS\system32\drivers\imagedrv.sys

2009/01/2005 11:03 AM 127488 --------- C:\WINDOWS\system32\drivers\imagesrv.sys

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerStrip"="d:\\program files\\powerstrip\\pstrip.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"DisableRegistryTools"=dword:00000000

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="D:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IE-Bar.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\IE-Bar.lnk"

"backup"="C:\\WINDOWS\\pss\\IE-Bar.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\COMMON~1\\IE-Bar\\iebar.exe "

"item"="IE-Bar"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="D:\\PROGRA~1\\MICROS~1\\Office10\\OSA.EXE -b -l"

"item"="Microsoft Office"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]

"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\Diskeeper 10 Professional Edition Registration.lnk"

"backup"="C:\\WINDOWS\\pss\\Diskeeper 10 Professional Edition Registration.lnkStartup"

"location"="Startup"

"command"="D:\\PROGRA~1\\DISKEE~1\\DISKEE~2\\ESIREG~1.EXE /remind /language=ENU /PRNM=\"Diskeeper 10 Professional Edition\""

"item"="Diskeeper 10 Professional Edition Registration"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]

"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\OpenOffice.org 2.0.lnk"

"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 2.0.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "

"item"="OpenOffice.org 2.0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]

"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\³¬¼¶²¥°Ô.lnk"

"backup"="C:\\WINDOWS\\pss\\³¬¼¶²¥°Ô.lnkStartup"

"location"="Startup"

"command"="D:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMiniStarter.exe "

"item"="³¬¼¶²¥°Ô"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!ewido]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ewido"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\2e85ba53.exe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="2e85ba53"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\2e85ba53.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BootSkin Startup Jobs]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="BootSkin"

"hkey"="HKLM"

"command"="\"D:\\PROGRA~1\\BOOTSKIN\\BootSkin.exe\" /StartupJobs"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools-1033]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DkIcon"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IMJPMIG8.1]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="IMJPMIG"

"hkey"="HKLM"

"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -k"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -k"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load]

"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

"item"="f4cid0f"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\f4cid0f.exe"

"inimapping"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogonStudio]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="logonstudio"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnsyslog]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msnpolym"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\msnpolym.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvCpl"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvMcTray"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwiz"

"hkey"="HKLM"

"command"="nwiz.exe /install"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pbmini]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PodcastBarMiniStater"

"hkey"="HKCU"

"command"="D:\\Program Files\\pcast\\PodcastbarMini\\PodcastBarMiniStater.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCPitstop Optimize Registration Reminder]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Reminder"

"hkey"="HKLM"

"command"="D:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002A]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="TINTSETP"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002ASync]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="TINTSETP"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PWRISOVM"

"hkey"="HKLM"

"command"="D:\\Program Files\\PowerISO\\PWRISOVM.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Rapget]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="rapget"

"hkey"="HKLM"

"command"="D:\\Program Files\\Download toolz\\Rapget\\rapget.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PDVDServ"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SOUNDMAN"

"hkey"="HKLM"

"command"="SOUNDMAN.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKCU"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\STYLEXP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="StyleXP"

"hkey"="HKCU"

"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="realsched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Torjan Program]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="WINLOGON"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\WINLOGON.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Toso]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="taskmgr"

"hkey"="HKCU"

"command"="\"C:\\WINDOWS\\System32\\ECURIT~1\\taskmgr.exe\" -vt yazb"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AdobeUpdateManager"

"hkey"="HKCU"

"command"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WMC_AutoUpdate]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

 

 

Completion time: Fri 08/25/2006 23:44:32.64

ComboFix.txt


Download the following XP File Association Fix:

http://www.dougknox.com/xp/fileassoc/xp_regfile.zip

Extract it to the Desktop, to a folder of its own.

To run, double-click the exe file in the folder.

Follow the prompts.

 

Restart the computer.

 

Check to see if you can now open programs.

 

====

Will get back with you later on the malware issue.


That didn't help, but I fixed it on my own anyway. ;)


Still no antivirus program… not good.

 

====

You can remove the files from the Ewido Quarantine:

-Launch Ewido and click the Infections button.

-Click the Quarantine tab

-Choose: Select All

-Click: Remove finally

-A window pops up asking "Are you sure you want to remove the selected files...??"

-Select: Yes

 

====

Next, launch Notepad, (Start > Run, type in: notepad)

Copy/paste all of the REGEDIT text below into it:

 

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IE-Bar.lnk]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^³¬¼¶²¥°Ô.lnk]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\2e85ba53.exe]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pbmini]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Torjan Program]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Toso]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WMC_AutoUpdate]

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: delete.reg

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Back on the Desktop, double-click on the delete.reg file just saved and click on Yes when asked to merge the information into the Registry.

 

====

Run HijackThis, Scan

Check box for:

 

F2 - REG:system.ini: Shell=Explorer.exe 1

 

Select: Fix checked

 

====

Restart the computer in Safe Mode.

When the machine starts again, tap the F8 key repeatedly.

You are presented with a Windows XP Advanced Options menu.

Select the option for Safe Mode using the arrow keys.

Press Enter to boot into Safe Mode.

 

====

Copy all the file paths below (CTRL+C) and paste (CTRL+V) them into Notepad

(Start > Run, type in: notepad):

 

C:\WINDOWS\WINLOGON.EXE

C:\PROGRA~1\COMMON~1\IE-Bar

D:\Program Files\pcast

C:\WINDOWS\System32\2e85ba53.exe

C:\WINDOWS\f4cid0f.exe

C:\WINDOWS\System32\ECURIT~1

D:\Program Files\Hacking\GM51.exe

D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe

 

 

Run KillBox by double-clicking on the red circle with white X

 

At the main screen of KillBox, select the option: Delete on Reboot

Open the Notepad file saved earlier and copy the files to the clipboard

(Highlight all (Ctrl+A) and Copy (Ctrl+C)).

 

In Killbox, go to the File menu, and choose: Paste from Clipboard

Then select: All Files (button)

Now, press the button with a red circle and a white X (Delete File button)

KillBox will alert you that the files will be deleted on the next reboot; click: Yes

When asked to Reboot, select Yes

 

====

Run ComboFix once again

 

====

Also run HijackThis

 

====

Please provide the new combofix.txt, and a new HijackThis log in your response.

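As an added example (not ComboFix's or HijackThis's own logic), here is a Python checker that reads the MSCONFIG\Startupreg blocks from a ComboFix log and the "Running processes" list from a HijackThis log and flags the patterns behind the entries deleted above: a system binary name such as winlogon.exe or taskmgr.exe running outside system32, a digit-laden random-looking executable dropped straight into C:\WINDOWS or System32, and the legacy HKCU "Load" autostart. The sample logs are constructed from abridged entries in this thread; the protected-name list and the naming heuristic are my assumptions.

```python
"""Flag suspicious autostarts in a ComboFix Startupreg dump and a HijackThis process list."""
import ntpath
import re

# XP system binaries that only run from %SystemRoot%\system32; a same-named file
# anywhere else (C:\WINDOWS\WINLOGON.EXE) is a masquerade. Assumed list, not ComboFix's.
PROTECTED = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
             "services.exe", "svchost.exe", "taskmgr.exe"}
WINROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"

def normalize(path):  # lower-case and expand %systemroot% so paths compare reliably
    return path.strip().lower().replace("%systemroot%", WINROOT).rstrip("\\")

def exe_from_command(command):
    """Executable path from a Run command ("quoted" args | bare args | RUNDLL32 dll,entry)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def parse_startupreg(text):
    """Parse [..\\MSCONFIG\\Startupreg\\<name>] sections into dicts of their values."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = re.match(r"^\[HKEY_LOCAL_MACHINE\\.*\\MSCONFIG\\Startupreg\\(.+)\]$", line)
            current = {"name": m.group(1)} if m else None
            if current:
                entries.append(current)
        else:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m and current is not None:  # undo .reg escaping: \\ -> \ and \" -> "
                current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries

def parse_running_processes(text):
    """Collect the full paths listed under HijackThis 'Running processes:'."""
    procs, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            active = True
        elif active and re.match(r"^[A-Za-z]:\\", line):
            procs.append(line)
        elif active and line and procs:  # first non-path line ends the list
            break
    return procs

def audit_exe(exe):
    """Reasons one executable path looks suspicious (assumed heuristics, not ComboFix's)."""
    directory, base = ntpath.split(normalize(exe))
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if base in PROTECTED and directory and directory != SYSTEM32:
        reasons.append(f"{base} outside system32 ({directory})")
    # Crude dropped-file test: digit-laden 6+ char name directly in the Windows root/system32
    if directory in (WINROOT, SYSTEM32) and len(stem) >= 6 and sum(c.isdigit() for c in stem) >= 2:
        reasons.append(f"random-looking name {base} in {directory}")
    return reasons

def audit(combofix_text, hjt_text):
    """Map each suspicious Startupreg entry name or process path to its reasons."""
    findings = {}
    for e in parse_startupreg(combofix_text):
        reasons = audit_exe(exe_from_command(e.get("command", "")))
        if e.get("item") and normalize(e.get("key", "")).endswith(r"nt\currentversion\windows"):
            # win.ini-era HKCU 'Load' autostart; almost never used legitimately
            reasons.append(f"legacy Load value runs {e['command']}")
        if reasons:
            findings[e["name"]] = reasons
    for proc in parse_running_processes(hjt_text):
        reasons = audit_exe(proc)
        if reasons:
            findings[proc] = reasons
    return findings

# Constructed, abridged samples mirroring entries from this thread's logs.
SAMPLE_COMBOFIX = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\2e85ba53.exe]
"command"="C:\\WINDOWS\\System32\\2e85ba53.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="f4cid0f"
"command"="C:\\WINDOWS\\f4cid0f.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Torjan Program]
"command"="C:\\WINDOWS\\WINLOGON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Toso]
"command"="\"C:\\WINDOWS\\System32\\ECURIT~1\\taskmgr.exe\" -vt yazb"
'''
SAMPLE_HJT = r'''
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\WINLOGON.EXE
D:\Program Files\tvants\Tvants.exe
'''
```

Both parsers skip the blank line that sits between every line of the logs pasted in this thread, so the full ComboFix and HijackThis logs above can be fed to `audit()` unchanged.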

Here is the ComboFix log:

 

((((((((((((((((((((((((((((((( Files Created from 2006-07-27 to 2006-08-27 ))))))))))))))))))))))))))))))))))

 

 

2006-08-27 10:38 15,872 -r-hs---- C:\WINDOWS\system32\Downdll.dll

2006-07-27 17:19 65,536 --a------ C:\WINDOWS\IFinst27.exe

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2006-08-19 21:07 -------- d-------- C:\Documents and Settings\krp\Application Data\SopCast

2006-08-19 10:14 4280832 --a------ C:\WINDOWS\system32\logonuiX.exe

2006-06-25 22:12 5435392 --a------ C:\WINDOWS\system32\nvoglnt.dll

2006-06-23 02:19 98304 --a------ C:\WINDOWS\system32\nvapi.dll

2006-06-23 02:19 86016 --a------ C:\WINDOWS\system32\nvmctray.dll

2006-06-23 02:19 81920 --a------ C:\WINDOWS\system32\nvwddi.dll

2006-06-23 02:19 7581696 --a------ C:\WINDOWS\system32\nvcpl.dll

2006-06-23 02:19 573440 --a------ C:\WINDOWS\system32\nvhwvid.dll

2006-06-23 02:19 466944 --a------ C:\WINDOWS\system32\nvshell.dll

2006-06-23 02:19 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll

2006-06-23 02:19 442368 --a------ C:\WINDOWS\system32\nvappbar.exe

2006-06-23 02:19 425984 --a------ C:\WINDOWS\system32\keystone.exe

2006-06-23 02:19 3998592 --a------ C:\WINDOWS\system32\nv4_disp.dll

2006-06-23 02:19 35840 --a------ C:\WINDOWS\system32\nvcodins.dll

2006-06-23 02:19 35840 --a------ C:\WINDOWS\system32\nvcod.dll

2006-06-23 02:19 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll

2006-06-23 02:19 229376 --a------ C:\WINDOWS\system32\nvmccs.dll

2006-06-23 02:19 208896 --a------ C:\WINDOWS\system32\nvudisp.exe

2006-06-23 02:19 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll

2006-06-23 02:19 1519616 --a------ C:\WINDOWS\system32\nwiz.exe

2006-06-23 02:19 147456 --a------ C:\WINDOWS\system32\nvcolor.exe

2006-06-23 02:19 1466368 --a------ C:\WINDOWS\system32\nview.dll

2006-06-23 02:19 143426 --a------ C:\WINDOWS\system32\nvsvc32.exe

2006-06-23 02:19 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe

2006-06-23 02:19 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll

2006-06-15 21:53 356352 --a------ C:\WINDOWS\eSellerateEngine.dll

2006-06-01 19:09 208896 --a------ C:\WINDOWS\system32\nvusmb.exe

2006-06-01 19:09 208896 --a------ C:\WINDOWS\system32\nvunrm.exe

2006-06-01 19:09 208896 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2006-06-01 19:09 208896 --a------ C:\WINDOWS\system32\nvuide.exe

2006-06-01 09:57 1224704 --a------ C:\WINDOWS\system32\pCastCtl.dll

2006-05-30 09:54 0 --a------ C:\WINDOWS\system32\edfimg_17401.exe

2006-05-30 09:20 0 --a------ C:\WINDOWS\system32\hqghumea.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerStrip"="d:\\program files\\powerstrip\\pstrip.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]

"dontdisplaylastusername"=dword:00000000

"legalnoticecaption"=""

"legalnoticetext"=""

"shutdownwithoutlogon"=dword:00000001

"undockwithoutlogon"=dword:00000001

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]

"DeskHtmlVersion"=dword:00000110

"DeskHtmlMinorVersion"=dword:00000005

"Settings"=dword:00000001

"GeneralFlags"=dword:00000000

 

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

"NoDriveTypeAutoRun"=dword:00000091

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="D:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="D:\\PROGRA~1\\MICROS~1\\Office10\\OSA.EXE -b -l"

"item"="Microsoft Office"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^Diskeeper 10 Professional Edition Registration.lnk]

"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\Diskeeper 10 Professional Edition Registration.lnk"

"backup"="C:\\WINDOWS\\pss\\Diskeeper 10 Professional Edition Registration.lnkStartup"

"location"="Startup"

"command"="D:\\PROGRA~1\\DISKEE~1\\DISKEE~2\\ESIREG~1.EXE /remind /language=ENU /PRNM=\"Diskeeper 10 Professional Edition\""

"item"="Diskeeper 10 Professional Edition Registration"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^krp^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]

"path"="C:\\Documents and Settings\\krp\\Start Menu\\Programs\\Startup\\OpenOffice.org 2.0.lnk"

"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 2.0.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "

"item"="OpenOffice.org 2.0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!ewido]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ewido"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BootSkin Startup Jobs]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="BootSkin"

"hkey"="HKLM"

"command"="\"D:\\PROGRA~1\\BOOTSKIN\\BootSkin.exe\" /StartupJobs"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DAEMON Tools-1033]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DkIcon"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IMJPMIG8.1]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="IMJPMIG"

"hkey"="HKLM"

"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\KernelFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -k"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -k"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogonStudio]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="logonstudio"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnsyslog]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msnpolym"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\msnpolym.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvCpl"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NvMcTray"

"hkey"="HKLM"

"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwiz"

"hkey"="HKLM"

"command"="nwiz.exe /install"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCPitstop Optimize Registration Reminder]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Reminder"

"hkey"="HKLM"

"command"="D:\\Program Files\\PCPitstop\\Optimize\\Reminder.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002A]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="TINTSETP"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PHIME2002ASync]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="TINTSETP"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PWRISOVM.EXE]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PWRISOVM"

"hkey"="HKLM"

"command"="D:\\Program Files\\PowerISO\\PWRISOVM.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Rapget]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="rapget"

"hkey"="HKLM"

"command"="D:\\Program Files\\Download toolz\\Rapget\\rapget.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="PDVDServ"

"hkey"="HKLM"

"command"="\"D:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SOUNDMAN"

"hkey"="HKLM"

"command"="SOUNDMAN.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Steam]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKCU"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\STYLEXP]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="StyleXP"

"hkey"="HKCU"

"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="realsched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AdobeUpdateManager"

"hkey"="HKCU"

"command"="\"D:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7"

"inimapping"="0"

 

 

 

Completion time: 06-08-27 10:49:51.07

ComboFix2.txt

ComboFix.txt


Here is the HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:51, on 06-08-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\program files\powerstrip\pstrip.exe

D:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\winupdate.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\Opera\Opera.exe

D:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {E730189A-9973-4121-B046-AD1C161EC3AF} - C:\WINDOWS\system32\37211.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe


Btw I am behind a router (which is a firewall by itself), and I frequently use online anti-virus scans like Panda and Housecall, so I don't feel I need any anti-virus programs.

 

PS: D:\Program Files\pcast

D:\Program Files\Hacking\GM51.exe

D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe

 

The above files are legitimate so there's no need to remove them.

Edited by zizou


It is your choice to go without an AntiVirus program. If you think it works, do you realize that every time you post a log there is new malware on it?

 

I am also behind a router and use online virus scans. There is no way I would be without a real-time AV program.

 

Also, a software Firewall provides the ability to restrict malevolent outgoing traffic from your computer.

 

====

C:\\Program Files\\PCAST\\PodcastbarMini\\PodcastBarMiniStater.exe

http://www3.ca.com/securityadvisor/pest/Pe...px?id=453098354

 

HackTools?

D:\Program Files\Hacking\GM51.exe

D:\Program Files\Hacking\Msn freezer\IceCold ReLoaded.exe

 

====

One of the O23 Services on the HijackThis log looks suspicious.

There is a legit Windows Server Update Service, but I'm not sure that is what this is.

 

Please do a Jotti Malware Scan:

http://virusscan.jotti.org

 

In File to upload and scan, browse to the following:

C:\WINDOWS\winupdate.exe

 

Then, press: Submit

When the scan completes, copy the report, and post the results.

 

If Jotti's malware scan is busy, you can also use this one:

 

Virus Total:

http://www.virustotal.com/flash/index_en.html

 

====

Run HijackThis, Scan

Check box for:

 

O2 - BHO: (no name) - {E730189A-9973-4121-B046-AD1C161EC3AF} - C:\WINDOWS\system32\37211.dll

 

Select: Fix checked

 

====

Next, enable the viewing of Hidden Files and Folders as follows:

-At your Desktop, go to Start>My Computer

-Select the Tools menu and then Folder Options

-After the new window appears select the View tab

-Select: Display the contents of system folders

-Under the Hidden files and folders section select: Show hidden files and folders

-Remove the checkmark from Hide file extensions for known file types

-Remove the checkmark from Hide protected operating system files (Recommended)

-Press the Apply button

-Click OK

 

Then, reboot to Safe Mode as follows:

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

====

Search for and, if found, delete the following file:

C:\WINDOWS\system32\37211.dll

 

====

Restart the computer.

 

====

Run HijackThis once again, and post a new log along with the information from the file scan.


Well, I did an ewido scan and it detected winupdate.exe as malicious adware, so I removed it.

 

I am also unable to find the 37211.dll file.

 

So here's the HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 13:40, on 06-08-27

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

D:\program files\powerstrip\pstrip.exe

D:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\System32\svchost.exe

D:\Program Files\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [PowerStrip] d:\program files\powerstrip\pstrip.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152324366890

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBB5088-E13A-4229-BA55-73E392119993}: NameServer = 165.21.83.88,165.21.100.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe (file missing)


Well, one of the reasons for my reluctance to install anti-virus programs is that they take up resources and conflict with many programs. Moreover, my computer was absolutely fine and clean before I disconnected the router and connected to the internet via my modem only. This, I believe, was what caused my computer to be attacked so severely.

 

Btw, pcast is a TV streaming program. I don't think it's the podcastbar thing. I uninstalled pcast long ago.


Are you familiar with: singnet.com.sg?

If not, post back.

 

====

Click Start > Run and type in: services.msc

Click OK

In the Services window find: winupdate

Select/highlight and right click the entry, and choose: Properties

On the General tab, under Service Status click the Stop button

Beside: Startup Type, in the drop menu, select: Disabled

Click Apply, then OK

 

====

Run HijackThis, Scan

Check box for:

 

O23 - Service: Update Service For Windows (winupdate) - Unknown owner - C:\WINDOWS\winupdate.exe (file missing)

 

Select: Fix checked

 

On the AV issue: I've been using AVG Grisoft for years. It is not a resource hog, cuts to the chase, and gets the job done. I would strongly recommend you give an AV program a whirl.

 

====

After doing the above, if you are not having malware problems, you are good to go!

 

====

Please read the following. They are some suggestions to remain malware free:

Tony Klein’s article 'How Did I Get Infected In The First Place'

http://forums.spywareinfo.com/index.php?showtopic=60955

 

====

Thank you for your patience, and performing the procedures requested.

If you have any questions or comments, post back. Otherwise...

 

Good luck!!

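The hunt above was done by hand through services.msc, Folder Options and HijackThis. As an added example that is not part of the thread, the PowerShell script below does the same triage on a live host: it lists services whose binary is missing, unsigned, or placed outside System32 while presenting itself as a Windows component (the pattern of the "Update Service For Windows" entry), and processes that carry a core system name such as winlogon.exe but run from somewhere other than System32 (the pattern of the C:\WINDOWS\WINLOGON.EXE process in the first log). It assumes PowerShell 3 or later for Get-CimInstance; on older hosts Get-WmiObject Win32_Service returns the same properties. The service name winupdate in the closing comment is taken from the log; everything else is generic and nothing is deleted.

```powershell
# Added example, not from the thread: automate the two checks the helper did by hand.
# Run from an elevated PowerShell prompt so service binaries and process paths are readable.

$system32 = Join-Path $env:SystemRoot 'System32'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted, unquoted, and may carry arguments;
    # return only the executable portion so it can be tested and signature-checked.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        return $PathName.Split('"')[1]
    }
    $m = [regex]::Match($PathName, '^(.*?\.(exe|sys))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

Write-Host "== Services with missing, unsigned or oddly placed binaries =="
Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinaryPath $_.PathName
    if (-not $bin) { return }
    $bin = [Environment]::ExpandEnvironmentVariables($bin)
    $exists = Test-Path -LiteralPath $bin
    # HijackThis prints '(file missing)' for the first case; the other two are what
    # 'Unknown owner' usually turns out to be once the file is inspected.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $bin).Status } else { 'FileMissing' }
    $inSystem32 = $bin -like "$system32\*"
    $claimsWindows = $_.DisplayName -match 'Windows'
    if (-not $exists -or $sig -ne 'Valid' -or ($claimsWindows -and -not $inSystem32)) {
        [pscustomobject]@{
            Name      = $_.Name
            Display   = $_.DisplayName
            StartMode = $_.StartMode
            State     = $_.State
            Binary    = $bin
            Signature = $sig
        }
    }
} | Format-Table -AutoSize

Write-Host "== Processes named like core system binaries but running from elsewhere =="
# A real winlogon.exe, csrss.exe, smss.exe, lsass.exe or services.exe lives in System32;
# anything with one of these names from another directory deserves a look.
$coreNames = 'winlogon', 'csrss', 'smss', 'lsass', 'services', 'svchost'
Get-Process | Where-Object { $coreNames -contains $_.ProcessName.ToLower() } | ForEach-Object {
    $p = $_.Path   # $null for protected processes when not elevated; those are skipped
    if ($p -and ($p -notlike "$system32\*")) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $p }
    }
} | Format-Table -AutoSize

# To neutralise a flagged service the way the thread did through services.msc
# (service name 'winupdate' taken from the posted log):
#   Stop-Service -Name winupdate -Force
#   Set-Service  -Name winupdate -StartupType Disabled
# Delete the binary only after confirming it is malicious, e.g. with a multi-engine scan.
```

Two caveats a practitioner would add: a valid Authenticode signature only says who signed the file, not that it is benign, so signed results still need a glance at the publisher; and a process whose Path is empty is not cleared, it simply could not be read at the current privilege level.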

OK, I guess I am good to go then!

 

I can't say thanks enough for what you have done. I would have been so lost!

 

Thanks for YOUR patience and guidance!!!

 

CHEERS! :clap: :)

Edited by zizou


Glad to help! :adios:

Edit: Can't spell today...

Edited by FZWG
