Another pc another problem

11 replies to this topic

#1 DannyLedsham

  • Members
  • 13 posts

Posted 05 July 2005 - 10:03 PM

Hi there everyone... and ddeerrff

So anyone can help...
I have this problem with another PC... It goes like this... It started yesterday...

My homepage is changed from blank to www.msn.com
and my Internet Explorer is going very slow. I installed Mozilla to come here to write to you... IE sometimes opens the page but mostly not. It just starts downloading the site/page and it lasts forever.

I ran Ad-aware 6 for a long time; it finds something in the Internet Explorer area... I delete it but Internet Explorer isn't working any faster... (or at all) and when I restart the PC it finds that registry entry again. Here is what Ad-aware 6 found:

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\Main | Start Page | about:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


At the moment it doesn't find it. I even ran Ad-aware in safe mode and deleted it, but when I run in safe mode again it all ends up the same.

When I change my start page option in my Internet Options from msn.com to blank... in a few moments it goes back again to www.msn.com

I ran the online Panda scan and this is the report:

Incident                      Status           Location
Adware:Adware/WhenUSearch     No disinfected   C:\Program Files\Common Files\Whenu
Adware:Adware/NaviPromo       No disinfected   Windows Registry
Adware:Adware/CWS.Searchmeup  No disinfected   C:\RECYCLER\S-1-5-21-842925246-2111687655-1708537768-1003\Dc3.SBU[{95D0DFA1-BED4-4E0B-B97E-4F0962844EE0}]

I deleted the Whenu folder; for the rest I didn't do it as I am not sure how to.

And one more thing...
When I run Outlook Express, ZoneAlarm asks me if I permit Messenger to go online. It didn't ask me that prior to this problem. And if I want to uninstall MSN Messenger I cannot, since there is no uninstall option.

I have XP SP1
ZoneAlarm
HP printer (that's why those hp*** exe files, or maybe I am wrong)
I often run online scan tests: Panda as of a few days ago and Trend HouseCall from the beginning, but the second one (Trend) didn't find anything as Panda did. And I cannot run Panda without IE.


And here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:35:34 AM, on 7/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\bleeping\VIRUS\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B47481-25C1-484B-B0A6-C97DC88CBDE6}: NameServer = 194.106.162.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank You very much

Very...

Edited by DannyLedsham, 06 July 2005 - 03:34 AM.




#2 Guest_Cretemonster_*

  • Guests

Posted 07 July 2005 - 02:09 PM

Hi Danny and Welcome to the Bleeping Computer!

Please go to Add/Remove Programs and remove

AdwareAlert

Now Locate and Delete

C:\Program Files\AdwareAlert  << Folder!

Open HijackThis and put a check by this one

O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot

Make sure all windows and browsers are closed and click "Fix Checked".

Download Ad-Aware SE 1.06
http://www.bleepingcomputer.com/forums/ind...showtutorial=48

Scan the PC with that and see what it finds!

Have the PC scanned here and Save any results
http://www.kaspersky.com/beta?product=161744315

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!

Once completed, post back with a fresh HijackThis log and the results from Kaspersky!

#3 DannyLedsham

  • Topic Starter

  • Members
  • 13 posts

Posted 15 July 2005 - 06:10 AM

Hi there,
thank you for your reply.

I was away for a few days, so that's why I am late with my reply.

I didn't find AdwareAlert in the Control Panel remove program list... but I found its folder and I deleted it.

I already have Ad-aware SE 6.0 and here is its log.
At the moment it only found tracking cookies.



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Friday, July 15, 2005 9:03:05 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R347 26.10.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


7-15-2005 9:03:05 AM - Scan started. (Smart mode)

Listing running processes


#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7-15-2005 5:45:21 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 5:45:48 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 5:45:49 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:58:26 AM
Last modified : 8/23/2001 12:00:00 PM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 5:45:49 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 3:41:26 AM
Last accessed : 7/15/2005 6:58:28 AM
Last modified : 8/29/2002 3:41:26 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 5:45:50 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:58:25 AM
Last modified : 8/23/2001 12:00:00 PM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-15-2005 5:45:50 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:58:25 AM
Last modified : 8/23/2001 12:00:00 PM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7-15-2005 5:45:53 AM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 3:41:24 AM
Last accessed : 7/15/2005 6:33:26 AM
Last modified : 8/29/2002 3:41:24 AM

#:8 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 5:45:53 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:58:30 AM
Last modified : 8/23/2001 12:00:00 PM

#:9 [avgamsvr.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ThreadCreationTime : 7-15-2005 5:45:53 AM
BasePriority : Normal
FileSize : 322 KB
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
OriginalFilename : avgamsvr.EXE
ProductName : AVG Anti-Virus System
Created on : 7/6/2005 8:57:53 AM
Last accessed : 7/15/2005 6:26:04 AM
Last modified : 7/6/2005 8:57:53 AM

#:10 [avgupsvc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ThreadCreationTime : 7-15-2005 5:45:54 AM
BasePriority : Normal
FileSize : 82 KB
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Update Service
InternalName : avgupsvc
OriginalFilename : avgupdsvc.EXE
ProductName : AVG 7.0 Anti-Virus System
Created on : 7/6/2005 8:57:56 AM
Last accessed : 7/15/2005 6:58:26 AM
Last modified : 7/6/2005 8:57:56 AM

#:11 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 7-15-2005 5:45:54 AM
BasePriority : Normal
FileSize : 780 KB
FileVersion : 4, 0, 6, 1
ProductVersion : 4, 0, 6, 1
Copyright : Copyright
CompanyName : AHEAD Software
FileDescription : incdsrv
InternalName : incdsrv
OriginalFilename : incdsrv.exe
ProductName : AHEAD Software incdsrv
Created on : 10/14/2004 12:50:23 PM
Last accessed : 7/15/2005 6:58:27 AM
Last modified : 9/15/2003 1:57:32 PM

#:12 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-15-2005 5:45:54 AM
BasePriority : Normal
FileSize : 56 KB
FileVersion : 5.13.01.2183
ProductVersion : 5.13.01.2183
Copyright : Copyright
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 21.83
InternalName : NVSVC
OriginalFilename : nvsvc32.exe
ProductName : NVIDIA Driver Helper Service, Version 21.83
Created on : 9/14/2001 2:52:00 PM
Last accessed : 7/15/2005 6:58:28 AM
Last modified : 9/14/2001 2:52:00 PM

#:13 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-15-2005 5:45:54 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:58:25 AM
Last modified : 8/23/2001 12:00:00 PM

#:14 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ThreadCreationTime : 7-15-2005 5:45:56 AM
BasePriority : Normal
FileSize : 805 KB
FileVersion : 4.5.538.001
ProductVersion : 4.5.538.001
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 10/14/2004 12:44:38 PM
Last accessed : 7/15/2005 6:58:31 AM
Last modified : 2/17/2004 3:00:44 PM

#:15 [zlclient.exe]
FilePath : C:\PROGRA~1\ZONELA~1\ZONEAL~1\
ThreadCreationTime : 7-15-2005 5:45:57 AM
BasePriority : Normal
FileSize : 677 KB
FileVersion : 4.5.538.001
ProductVersion : 4.5.538.001
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 10/14/2004 12:44:41 PM
Last accessed : 7/15/2005 6:33:15 AM
Last modified : 2/17/2004 3:01:32 PM

#:16 [incd.exe]
FilePath : C:\Program Files\Ahead\InCD\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 1184 KB
FileVersion : 4, 0, 6, 1
ProductVersion : 4, 0, 6, 1
Copyright : Copyright © Ahead Software 1996-2003, Karlsbad, Germany
CompanyName : Ahead Software AG
FileDescription : InCD
InternalName : InCD
OriginalFilename : InCD.exe
ProductName : InCD
Created on : 10/14/2004 12:50:21 PM
Last accessed : 7/15/2005 6:23:17 AM
Last modified : 9/15/2003 1:58:00 PM

#:17 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_05\bin\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 6/3/2068 9:05:12 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 6/3/2004 9:05:08 PM

#:18 [hpcmpmgr.exe]
FilePath : C:\Program Files\HP\hpcoretech\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 236 KB
FileVersion : 2.1.1.0
ProductVersion : 2.1.5
Copyright : Copyright © Hewlett-Packard. 2002-2004
CompanyName : Hewlett-Packard Company
FileDescription : HP Framework Component Manager Service
InternalName : HPComponentManagerService module
OriginalFilename : HpCmpMgr.exe
ProductName : hp coretech (COmponent REuse TECHnology)
Created on : 5/12/2004 2:18:56 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 5/12/2004 2:18:56 PM

#:19 [hpwuschd2.exe]
FilePath : C:\Program Files\HP\HP Software Update\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Hewlett-Packard Company
FileDescription : hpwuSchd
InternalName : hpwuSchd
OriginalFilename : hpwuSchd.exe
ProductName : HP Software Update Application
Created on : 9/13/2004 2:49:00 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 9/13/2004 2:49:00 PM

#:20 [winampa.exe]
FilePath : C:\Program Files\Winamp\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 33 KB
Created on : 12/13/2003 12:50:34 AM
Last accessed : 7/15/2005 6:32:13 AM
Last modified : 12/13/2003 12:50:34 AM

#:21 [realsched.exe]
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3208
ProductVersion : 0.1.0.3208
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 2/17/2005 7:09:45 AM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 2/17/2005 7:09:45 AM

#:22 [cnxdsltb.exe]
FilePath : C:\Program Files\Crypto\AccessRunner ADSL\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 452 KB
FileVersion : 2.099.085.000
ProductVersion : 2.099.085.000
CompanyName : Conexant Systems Inc.
FileDescription : TaskBar Application
ProductName : Conexant AccessRunner ADSL
Created on : 2/18/2005 1:56:45 PM
Last accessed : 7/15/2005 6:55:53 AM
Last modified : 4/22/2004 8:04:04 AM

#:23 [avgcc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ThreadCreationTime : 7-15-2005 5:45:58 AM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
OriginalFilename : AvgCC.EXE
ProductName : AVG Anti-Virus System
Created on : 7/6/2005 8:57:54 AM
Last accessed : 7/15/2005 6:52:07 AM
Last modified : 7/6/2005 8:57:54 AM

#:24 [avgemc.exe]
FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\
ThreadCreationTime : 7-15-2005 5:45:59 AM
BasePriority : Normal
FileSize : 266 KB
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
Copyright : Copyright
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
OriginalFilename : avgemc.exe
ProductName : AVG Anti-Virus System
Created on : 7/6/2005 8:57:54 AM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 7/6/2005 8:57:55 AM

#:25 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-15-2005 5:45:59 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 8/29/2002 3:41:22 AM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 8/29/2002 3:41:22 AM

#:26 [hpqtra08.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ThreadCreationTime : 7-15-2005 5:45:59 AM
BasePriority : Normal
FileSize : 236 KB
FileVersion : 43.1.5.000
ProductVersion : 043.001.005.000
Copyright : Copyright © Hewlett-Packard Co. 1995-2004
CompanyName : Hewlett-Packard Co.
FileDescription : HP Digital Imaging Monitor (CUE)
InternalName : HPQTRA00
OriginalFilename : HPQTRA00.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 5/28/2004 9:31:38 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 5/28/2004 9:31:38 PM

#:27 [winscheduler.exe]
FilePath : C:\Program Files\InterVideo\MSIPVS\
ThreadCreationTime : 7-15-2005 5:46:00 AM
BasePriority : Normal
FileSize : 132 KB
FileVersion : 2.0.34.198
ProductVersion : 2.0.34.198
Copyright : Copyright © 2000-2001 InterVideo Inc.
CompanyName : InterVideo Inc.
FileDescription : InterVideo
InternalName : WinScheduler
OriginalFilename : WinScheduler.EXE
ProductName : InterVideo® WinDVR
Created on : 10/14/2004 1:28:47 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 10/12/2003 6:26:22 PM

#:28 [devldr32.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7-15-2005 5:46:03 AM
BasePriority : Normal
FileSize : 23 KB
FileVersion : 1, 0, 0, 17
ProductVersion : 1, 0, 0, 17
Copyright : Copyright © Creative Technology Ltd. 1998-2001
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr32
InternalName : DevLdr
OriginalFilename : DevLdr32.exe
ProductName : Creative Ring3 NT Inteface
Created on : 10/14/2004 8:45:31 AM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 8/17/2001 10:36:42 PM

#:29 [hpqgalry.exe]
FilePath : C:\Program Files\HP\Digital Imaging\bin\
ThreadCreationTime : 7-15-2005 5:46:08 AM
BasePriority : Normal
FileSize : 508 KB
FileVersion : 043.001.005.000
ProductVersion : 043.001.005.000
Copyright : Copyright © Hewlett-Packard Co. 1995-2004
CompanyName : Hewlett-Packard Co.
InternalName : hpqgalry.exe
OriginalFilename : hpqgalry.exe
ProductName : hp digital imaging - hp all-in-one series
Created on : 5/28/2004 10:08:52 PM
Last accessed : 7/15/2005 7:03:06 AM
Last modified : 5/28/2004 10:08:52 PM

#:30 [ose.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Source Engine\
ThreadCreationTime : 7-15-2005 6:52:33 AM
BasePriority : Normal
FileSize : 87 KB
FileVersion : 11.0.5525
ProductVersion : 11.0.5525
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Office Source Engine
InternalName : ose
OriginalFilename : ose.exe
ProductName : Office Source Engine
Created on : 7/28/2003 10:28:22 AM
Last accessed : 7/15/2005 6:25:36 AM
Last modified : 7/28/2003 10:28:22 AM

#:31 [hijackthis.exe]
FilePath : C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\bleeping\VIRUS\
ThreadCreationTime : 7-15-2005 6:58:20 AM
BasePriority : Normal
FileSize : 213 KB
FileVersion : 1.99.0001
ProductVersion : 1.99.0001
Copyright : Freeware
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
OriginalFilename : HijackThis.exe
ProductName : HijackThis
Created on : 2/16/2005 9:06:16 AM
Last accessed : 7/15/2005 6:58:20 AM
Last modified : 2/16/2005 9:06:16 AM

#:32 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7-15-2005 6:58:31 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
OriginalFilename : NOTEPAD.EXE
ProductName : Microsoft
Created on : 8/23/2001 12:00:00 PM
Last accessed : 7/15/2005 6:57:31 AM
Last modified : 8/23/2001 12:00:00 PM

#:33 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ThreadCreationTime : 7-15-2005 7:01:07 AM
BasePriority : Normal
FileSize : 1624 KB
FileVersion : 4.7.2010
ProductVersion : Version 4.7
Copyright : Copyright © Microsoft Corporation 1997-2003
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msmsgs
OriginalFilename : msmsgs.exe
ProductName : Messenger
Created on : 7/3/2005 11:50:34 AM
Last accessed : 7/15/2005 7:01:09 AM
Last modified : 11/15/2004 7:45:59 PM

#:34 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 7-15-2005 7:02:29 AM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 10/14/2004 6:55:44 AM
Last accessed : 7/15/2005 7:02:29 AM
Last modified : 8/29/2002 3:41:26 AM

#:35 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 7-15-2005 7:02:59 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 5/5/2005 2:31:39 PM
Last accessed : 7/15/2005 6:29:28 AM
Last modified : 7/12/2003 8:00:20 PM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


Registry scan result :

New objects : 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 0




Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@advertising[1].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/14/2005 6:50:09 PM
Last accessed : 7/15/2005 7:06:04 AM
Last modified : 7/14/2005 6:50:09 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@atdmt[2].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/13/2005 7:54:22 PM
Last accessed : 7/15/2005 7:06:04 AM
Last modified : 7/13/2005 7:54:22 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@doubleclick[2].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/14/2005 7:33:19 AM
Last accessed : 7/15/2005 7:06:04 AM
Last modified : 7/14/2005 6:44:47 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@fastclick[1].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/13/2005 6:29:36 PM
Last accessed : 7/15/2005 7:06:05 AM
Last modified : 7/13/2005 6:30:09 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@mediaplex[1].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/13/2005 7:54:05 PM
Last accessed : 7/15/2005 7:06:06 AM
Last modified : 7/13/2005 7:54:05 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@servedby.advertising[2].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/14/2005 6:50:11 PM
Last accessed : 7/15/2005 7:06:07 AM
Last modified : 7/14/2005 6:50:12 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@targetnet[1].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/14/2005 6:44:42 PM
Last accessed : 7/15/2005 7:06:07 AM
Last modified : 7/14/2005 6:44:49 PM



Tracking Cookie Object recognized!
Type : File
Data : jasmin & tanja@tribalfusion[1].txt
Object : C:\Documents and Settings\Jasmin & Tanja\Cookies\

Created on : 7/13/2005 6:29:40 PM
Last accessed : 7/15/2005 7:06:07 AM
Last modified : 7/13/2005 6:29:44 PM





Deep scanning and examining files (C:)



Performing conditional scans..


Conditional scan result:

New objects : 0
Objects found so far: 8


9:07:16 AM Scan complete

Summary of this scan

Total scanning time :00:04:10:851
Objects scanned :55336
Objects identified :8
Objects ignored :0
New objects :8




I then ran Kaspersky online.
It did find some old files with old trojans in my old Outlook files...
Here is the log of that:


Scan Statistics:
Total number of scanned objects: 92866
Number of viruses found: 3
Number of infected objects: 31
Number of suspicious objects: 4
Duration of the scan process: 5578 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\hijackthis 0107 2.txt Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\hijackthis 0107.txt Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temp\backups\backup-20050705-205938-603 Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temp\backups\backup-20050705-205938-905 Suspicious: Exploit.HTML.Mht
E:\temp_milenijum\My Documents STARI\DOKUMENTI\Jasmin Cvisic pictures, wallpapers, posters, contact, nude, gallery, biography, filmography, photos, images, naked, wallpaper, cards, bio data, poster, picture.htm Infected: Trojan-Clicker.JS.Linker.j
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:24:17 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:24:17 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:24:17 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:26:42 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:26:42 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:26:42 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:28:20 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:28:20 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Wed, 18 Jun 2003 06:28:20 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Fri, 20 Jun 2003 00:06:30 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Fri, 20 Jun 2003 00:06:30 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Fri, 20 Jun 2003 00:06:30 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 01:29:30 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 01:29:30 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 01:29:30 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 18:35:04 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 18:35:04 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Sat, 21 Jun 2003 18:35:04 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Mon, 23 Jun 2003 10:19:07 +0200]/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Mon, 23 Jun 2003 10:19:07 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Mon, 23 Jun 2003 10:22:39 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Mon, 23 Jun 2003 10:22:39 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Mon, 23 Jun 2003 10:22:39 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:24:57 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:24:57 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:24:57 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:33:15 +0200]/UNNAMED/UNNAMED/html Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:33:15 +0200]/UNNAMED/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx/[From "kbtrsmoosdj" <dem-i-jan@beotel.yu>][Date Tue, 24 Jun 2003 12:33:15 +0200]/UNNAMED Infected: Virus.JS.Fortnight.b
E:\temp_milenijum\Outlook Express\Sent Items.dbx Infected: Virus.JS.Fortnight.b

Scan process completed.


But I am sure that this trojan has nothing to do with my IE problem... since I know that some mails with attachments are infected. But if I don't open them there is no bad thing, I guess.

Then I did msconfig,
and everything was already as you had told me to do.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:35 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\bleeping\VIRUS\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B47481-25C1-484B-B0A6-C97DC88CBDE6}: NameServer = 194.106.162.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thank you

#4 Guest_Cretemonster_*

  • Guests

Posted 15 July 2005 - 06:23 AM

Hopefully Kaspersky removed all those files?

That version of Ad-Aware is way outdated!

The latest version can be found here
http://www.bleepingcomputer.com/forums/ind...showtutorial=48


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

Double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient!

Once the scan is complete, locate WinPFind.txt in the WinPFind folder and post those results!

#5 DannyLedsham

  • Topic Starter
  • Members, 13 posts

Posted 17 July 2005 - 01:37 PM

Never-ending problems...
Now I have some problem with low virtual memory... I think it's a problem.
And when I shut down the PC I have that message about closing
WindowsFormsParkingWindow

What is that?

And here is what you asked me to do...


Files found

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
PECompact2 C:\WINDOWS\LPT$VPN.703
qoologic C:\WINDOWS\LPT$VPN.703
SAHAgent C:\WINDOWS\LPT$VPN.703
UPX! C:\WINDOWS\tsc.exe
PECompact2 C:\WINDOWS\VPTNFILE.703
qoologic C:\WINDOWS\VPTNFILE.703
SAHAgent C:\WINDOWS\VPTNFILE.703
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! C:\WINDOWS\system32\avisynth.dll
UPX! C:\WINDOWS\system32\AVIwrap.dll
UPX! C:\WINDOWS\system32\avi_renderer.ax
UPX! C:\WINDOWS\system32\claud.ax
UPX! C:\WINDOWS\system32\D2VSource.ax
UPX! C:\WINDOWS\system32\dedynamic.ax
PEC2 C:\WINDOWS\system32\dfrg.msc
PEC2 C:\WINDOWS\system32\DivX.dll
PECompact2 C:\WINDOWS\system32\DivX.dll
UPX! C:\WINDOWS\system32\DivXa32.acm
UPX! C:\WINDOWS\system32\DivXAF.ax
UPX! C:\WINDOWS\system32\DivXc32.dll
UPX! C:\WINDOWS\system32\divxc32f.dll
UPX! C:\WINDOWS\system32\DivX_c32.ax
UPX! C:\WINDOWS\system32\dump.ax
UPX! C:\WINDOWS\system32\DVobSub.ax
UPX! C:\WINDOWS\system32\ffdshow.ax
UPX! C:\WINDOWS\system32\huffyuv.dll
UPX! C:\WINDOWS\system32\ir32_32.dll
UPX! C:\WINDOWS\system32\ir41_32.ax
UPX! C:\WINDOWS\system32\ir41_qc.dll
UPX! C:\WINDOWS\system32\ir41_qcx.dll
UPX! C:\WINDOWS\system32\ir50_lcs.dll
UPX! C:\WINDOWS\system32\Ir50_qc.dll
UPX! C:\WINDOWS\system32\Ir50_qcx.dll
UPX! C:\WINDOWS\system32\Ivfsrc.ax
UPX! C:\WINDOWS\system32\iviaudio.ax
UPX! C:\WINDOWS\system32\Iyvu9_32.dll
UPX! C:\WINDOWS\system32\l3codecx.ax
UPX! C:\WINDOWS\system32\lameACM.acm
UPX! C:\WINDOWS\system32\libavcodec.dll
UPX! C:\WINDOWS\system32\libmpeg2_ff.dll
UPX! C:\WINDOWS\system32\MMSwitch.ax
UPX! C:\WINDOWS\system32\mp4fil32.dll
UPX! C:\WINDOWS\system32\mpg4c32.dll
UPX! C:\WINDOWS\system32\mpgaudio.ax
UPX! C:\WINDOWS\system32\mpgdec.ax
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
UPX! C:\WINDOWS\system32\multiple_mpeg2_source.ax
UPX! C:\WINDOWS\system32\ogg.dll
UPX! C:\WINDOWS\system32\OggDS.dll
UPX! C:\WINDOWS\system32\proppage.dll
UPX! C:\WINDOWS\system32\pvmjpg21.dll
Umonitor C:\WINDOWS\system32\rasdlg.dll
UPX! C:\WINDOWS\system32\TomsMoComp_ff.dll
UPX! C:\WINDOWS\system32\unrar.dll
UPX! C:\WINDOWS\system32\vfcodec.dll
UPX! C:\WINDOWS\system32\vobsub.dll
UPX! C:\WINDOWS\system32\vorbis.dll
UPX! C:\WINDOWS\system32\vorbisenc.dll
UPX! C:\WINDOWS\system32\wavdest.ax
UPX! C:\WINDOWS\system32\xcdsrc.ax
UPX! C:\WINDOWS\system32\XviD.ax
UPX! C:\WINDOWS\system32\XviD.dll

Checking %System%\Drivers folder and sub-folders...
UPX! C:\WINDOWS\system32\drivers\avg7core.sys
FSG! C:\WINDOWS\system32\drivers\avg7core.sys
aspack C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/16/2005 C:\WINDOWS\QTFont.qfn
7/5/2005 C:\WINDOWS\Thumbs.db
7/6/2005 C:\WINDOWS\$NtServicePackUninstall$\Thumbs.db
7/1/2005 C:\WINDOWS\inf\oem13.inf
7/3/2005 C:\WINDOWS\inf\oem14.inf
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_10.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_11.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_13.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_14.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_15.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_16.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_17.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_19.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_20.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_21.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_22.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_23.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_24.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_25.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_26.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_27.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_28.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_29.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_30.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_31.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_32.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_33.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_34.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_35.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_36.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_37.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_38.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_39.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_40.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_41.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_42.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_43.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_44.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_45.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_46.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_47.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_48.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_49.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_50.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_51.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_52.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_53.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_54.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_55.cab
7/3/2005 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_9.cab
7/17/2005 C:\WINDOWS\system32\vsconfig.xml
7/17/2005 C:\WINDOWS\system32\config\default.LOG
7/17/2005 C:\WINDOWS\system32\config\SAM.LOG
7/17/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/17/2005 C:\WINDOWS\system32\config\software.LOG
7/17/2005 C:\WINDOWS\system32\config\system.LOG
7/3/2005 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/11/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\92445b2c-0022-4f0b-87c4-65bd6784996e
7/11/2005 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
7/17/2005 C:\WINDOWS\Tasks\SA.DAT

Checking Global Startup

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

Registry Entries Found

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
Zone Labs Client C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
InCD C:\Program Files\Ahead\InCD\InCD.exe
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HP Software Update "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
WinampAgent C:\Program Files\Winamp\winampa.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
CnxDslTaskBar "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs NVDESK32.DLL

Scan Complete
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

------------------------------


HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:20:08 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\bleeping\VIRUS\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B47481-25C1-484B-B0A6-C97DC88CBDE6}: NameServer = 194.106.162.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

----------------------------------------------------

#6 Guest_Cretemonster_*

  • Guests

Posted 17 July 2005 - 05:13 PM

OK, seems that the bugs are gone for the most part, but I can assure you part of this problem is within those emails!


That version of AVG 7, that's not the beta version with Firewall, is it?


Now for Messenger and how to kill it at startup once and for all!
http://www.dougknox.com/xp/utils/xp_mess_disable.htm


How to reduce the Services in XP that load at Startup
http://theeldergeek.com/services_guide.htm

Entries in HijackThis that aren't needed at Startup

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe


All these are up to you and how you want the PC to load; most of these can be easily disabled or re-enabled through Msconfig!

Using Msconfig to disable them is much safer in that you have the option to re-enable them should you need them!


Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Get Spyware Blaster Installed
http://www.javacoolsoftware.com/spywareblaster.html
Update immediately!

Couple of programs that will help you with keeping all the temporary files cleaned out!

CCleaner:
http://www.filehippo.com/download_ccleaner.html
This is to help keep those Temporary Files Cleaned Up!


CleanUp! 4.0:
http://downloads.stevengould.org/cleanup/CleanUp40.exe


An excellent page to read about Spyware and the prevention of it, from fellow poster -> Metallica
http://home.planet.nl/~kleyn080/Spywareinfoen.html


Let me know if any of this helps!

#7 DannyLedsham
  • Topic Starter
  • Members
  • 13 posts

Posted 17 July 2005 - 06:05 PM

Thank you

What I did:

I used the Messenger removal and its connection with OE.

Through msconfig I disabled hpqthb08.exe

Maybe I should do the rest of it... I will decide... as you said I can always enable it again...

I was afraid of using the Services functions (with all those warnings on the page you linked me to).

Concerning System Restore... when I kept it turned off someone told me it is more advisable to keep it turned on, and now I don't know which one is better.

I downloaded and will install SpywareBlaster (with update).

I'll let you know tomorrow if anything new happens.

Thank you very very much

#8 Guest_Cretemonster_*
  • Guests

Posted 17 July 2005 - 08:28 PM

The only reason I had you disable System Restore is that some of these bugs are still hanging around in there, locked up mind you, but hanging around nonetheless!

So by disabling and re-enabling, you flush out all the old restore points, and after re-enabling, the next restart produces a nice new clean one!


As for the Services page, I totally understand!

I was the same way, but as time went on and I looked for the processes that were safe to change, I began to understand what I could live without!

It's different for each user because of the way the PC is set up!

I hope this explains a little!

#9 DannyLedsham
  • Topic Starter
  • Members
  • 13 posts

Posted 18 July 2005 - 04:11 AM

So what you suggest is that I just shut off System Restore and then enable it again?

Or to ENABLE System Restore again after I did all the cleaning of my PC?

Idea: would it be smart to find some restore point from before this problem with WindowsFormsParkingWindow started, and run it? Sorry if I am being stupid.

I blocked hpqthb08.exe through msconfig since I read somewhere that the WindowsFormsParkingWindow problem is caused by that exe process. But it looks like in my case that's not the problem, since I have had that exe process running for 7 months and it didn't cause any problems so far, but now I still have that WindowsFormsParkingWindow process closing when I shut down my PC. And afterwards... maybe it was just once and not a regular occurrence, my PC in the same manner closed some "Log" process.
The PC alerted me about low virtual memory one more time, and it started increasing it. It is the third time in the last couple of days. The only similarity, but maybe it is not important, is that it happened when my PC had been working for a few hours.

So I cleaned that problem with IE and the homepage, but something different happens. I am online through an ADSL connection. At some point my connection works only for Soulseek and not for IE and mail. My IE doesn't go online and my OE couldn't check e-mails. Is there a correlation between these problems? I don't know. I will run some online antivirus scans... Kaspersky, Trend Micro and Panda, and will give you the reports if you want them.

I will also remove those infected e-mails in my old Outlook files.

Thank you,
and sorry for bothering you...

#10 Guest_Cretemonster_*
  • Guests

Posted 18 July 2005 - 05:33 AM

You aren't bothering me at all!

System Restore is a feature that can be disabled and re-enabled at the user's discretion!

Once disabled, restart, re-enable, restart ---> = New Restore Point!

I would like to know if any of those online scans find anything!

One that has proven well in scanning emails is

http://www.ravantivirus.com/scan/

You have to navigate through the page and locate the Online System Scan, not the Single File Scan!


As for IE and Outlook, I know of none of these having an impact on either, but I don't like coincidence either!


Let me know what the scans produce!

#11 DannyLedsham
  • Topic Starter
  • Members
  • 13 posts

Posted 18 July 2005 - 05:27 PM

I ran the test, then I moved the zip file with the old infected e-mails and burned it on CD. I thought that zipping it would be less harmful...

Scan started at 7/18/2005 11:37:33 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temp\backups\backup-20050705-205938-603 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temp\backups\backup-20050705-205938-905 - Exploit:HTML/MhtRedir.gen* -> Infected
C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temporary Internet Files\Content.IE5\2P9IFALK\mp3M[1].htm->(SCRIPT0000) - JS/Drost.A* -> Infected
E:\razno mart\adware\za trojance\iparmor.exe->[inno.16] - PWS:Win32/Hooker.P -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.684: ("kbtrsmoosdj" [])->(part0002:)->(EncScript) - JS/Fortnight.C* -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.683: ("kbtrsmoosdj" [])->(part0002:)->(EncScript) - JS/Fortnight.C* -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.682: ("kbtrsmoosdj" [TROKREVETNA])->(part0002:)->(SCRIPT0000)->(EncScript) - JS/Fortnight.C* -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.682: ("kbtrsmoosdj" [TROKREVETNA])->(part0002:)->(SCRIPT0002)->(EncScript) - JS/Fortnight.C* -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.681: ("kbtrsmoosdj" [DVOKREVETNA])->(part0002:)->(SCRIPT0000)->(EncScript) - JS/Fortnight.C* -> Infected
E:\temp_milenijum\Outlook Express.zip->Outlook Express/Sent Items.dbx->Message.680: ("kbtrsmoosdj" [])->(part0002:)->(SCRIPT0000)->(EncScript) - JS/Fortnight.C* -> Infected

Scanned
============================
Objects: 68993
Directories: 4514
Archives: 1935
Size(Kb): 915723
Infected files: 10

Found
============================
Viruses found: 4
Suspicious files: 0
Disinfected files: 0
Mail files: 6827


Logfile of HijackThis v1.99.1
Scan saved at 10:07:44 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Soulseek\slsk.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\Jasmin & Tanja\Desktop\MILKIJEV RPOCES\bleeping\VIRUS\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Crypto\AccessRunner ADSL\CnxDslTb.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B47481-25C1-484B-B0A6-C97DC88CBDE6}: NameServer = 194.106.162.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Today again I had the problem with low virtual memory and WindowsFormsParkingWindow ending while shutting down... But I did some actions in the meantime, so I will see what happens next time...

Thank you anyway for all the effort
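An added example for the HijackThis logs posted in this thread and the list of optional O4 entries above (this is not HijackThis code and not anything a poster wrote): a small Python parser that turns O4, O17 and O23 lines into records, splits each Run command into executable and arguments (HijackThis prints unquoted paths with spaces, so a naive split at the first space is wrong), and runs a few generic triage checks a reviewer would apply before reading entries one by one. The sample lines are constructed: most copy entries from the logs above, and the final O4 line (a fictitious "updater" in a Temp folder) is invented to exercise the temp-directory check. The trusted name-server set is an assumption to be filled in from the ISP's actual resolvers; the example does not claim the address in the log is bad.

```python
"""Parse HijackThis O4 / O17 / O23 lines and run a few generic triage checks.

Added example; not HijackThis' own code and not code posted in the thread.
SAMPLE_LOG is constructed: most lines copy entries from the logs above, the
final O4 line is invented to exercise the temp-directory check.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{57B47481-25C1-484B-B0A6-C97DC88CBDE6}: NameServer = 194.106.162.3
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe /silent
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
NS_RE = re.compile(r"^O17 - (.*?): NameServer = (.*)$")
SVC_RE = re.compile(r"^O23 - Service: (.*?)(?: \((\w+)\))? - (.*?) - (.*)$")

# Autostart executables launched from scratch locations deserve a second look.
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


@dataclass
class Entry:
    section: str      # O4, O17 or O23
    kind: str         # run, startup_folder, nameserver or service
    name: str         # value name, .lnk name, service display name or interface key
    path: str         # executable path (for O17: the name-server address list)
    args: str = ""    # command-line arguments, if any
    hive: str = ""    # registry location or startup folder for O4 entries
    vendor: str = ""  # service owner as HijackThis reports it
    short: str = ""   # service short name, when given in parentheses
    raw: str = ""


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run command into (executable, arguments); unquoted paths are cut after '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            hive, key, name, cmd = m.groups()
            exe, args = split_command(cmd)
            entries.append(Entry("O4", "run", name, exe, args, hive=f"{hive}\\..\\{key}", raw=line))
        elif m := STARTUP_RE.match(line):
            folder, lnk, target = m.groups()
            entries.append(Entry("O4", "startup_folder", lnk, target.strip(), hive=folder, raw=line))
        elif m := NS_RE.match(line):
            key, servers = m.groups()
            entries.append(Entry("O17", "nameserver", key, servers.strip(), raw=line))
        elif m := SVC_RE.match(line):
            name, short, vendor, path = m.groups()
            entries.append(Entry("O23", "service", name, path.strip(), vendor=vendor, short=short or "", raw=line))
    return entries


def triage(entries: List[Entry], trusted_nameservers: Set[str]) -> List[Tuple[Entry, str]]:
    """Generic checks; each finding is (entry, reason) and still needs a human decision."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        low = e.path.lower()
        if e.kind in ("run", "startup_folder") and any(d in low for d in SUSPECT_DIRS):
            findings.append((e, "autostart executable lives in a temporary directory"))
        if e.kind == "service" and e.vendor.lower() == "unknown owner":
            findings.append((e, "service binary carries no publisher name; confirm what installed it"))
        if e.kind == "nameserver":
            for addr in e.path.split(","):
                if addr.strip() not in trusted_nameservers:
                    findings.append((e, f"name server {addr.strip()} is not on the expected list; check it against the ISP's resolvers"))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    # Assumption: fill this set with the resolver addresses the ISP actually assigned.
    for entry, why in triage(parsed, trusted_nameservers=set()):
        print(f"[{entry.section}] {entry.name}: {why}")
```

With an empty trusted set the run reports three items: the O17 name server (to verify, not to delete), the service with no owner, and the invented Temp-folder autostart; the legitimate vendor entries produce nothing, which is the point of doing the mechanical checks before the manual read-through.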

#12 Guest_Cretemonster_*
  • Guests

Posted 20 July 2005 - 03:39 AM

So you have moved the emails to a disc?

The only thing I see there that really bothers me is this one

C:\Documents and Settings\Jasmin & Tanja\Local Settings\Temporary Internet Files\Content.IE5\2P9IFALK\mp3M[1].htm->(SCRIPT0000) - JS/Drost.A* -> Infected

This one would bother me, but I can't read it

E:\razno mart\adware\za trojance\iparmor.exe->[inno.16] - PWS:Win32/Hooker.P -> Infected

Run all the Temp File cleaners you have and do a manual temp clean as well!

Delete files/folders from the following directories (but not the directory itself; for example, delete all files/folders IN Temp, but not Temp itself!)

C:\Temp

C:\Windows\Temp

C:\Windows\System32\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\<Your Profile>\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files (check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and run Disk Cleanup (make sure that all boxes are checked for cleaning!!)
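The manual temp clean described above (empty each Temp folder, but leave the folder itself in place), as an added Python example that is not from the thread or from any of the tools it links: it resolves the <Your Profile> entries from the environment instead of hard-coding a user name, skips files that Windows has locked because a program still has them open rather than aborting the whole clean, and supports a dry run so the counts can be reviewed before anything is deleted. The sample tree it builds for a demonstration is constructed.

```python
"""Empty temporary directories without removing the directories themselves.

Added example, not code from the thread. The directory list mirrors the one
the helper gives above; default_temp_dirs() resolves the <Your Profile>
entries from the environment instead of hard-coding a user name.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def default_temp_dirs() -> List[str]:
    """Temp locations from the clean-up list, resolved for the current user.

    C:\\Temp and C:\\Windows\\System32\\Temp only exist on some installs; the
    cleaner simply reports zero for directories that are missing."""
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    dirs = [r"C:\Temp", os.path.join(windir, "Temp"), os.path.join(windir, "System32", "Temp")]
    dirs.append(os.environ.get("TEMP") or tempfile.gettempdir())  # the profile's Local Settings\Temp
    return dirs


def empty_directory(directory: str, dry_run: bool = False) -> Dict[str, int]:
    """Delete every file and subfolder inside `directory`, keeping the directory.

    Files that are open in another program cannot be deleted on Windows; those
    raise OSError and are counted as skipped instead of stopping the clean.
    With dry_run the counts are computed but nothing is touched."""
    counts = {"files": 0, "dirs": 0, "skipped": 0}
    root = Path(directory)
    if not root.is_dir():
        return counts
    for child in root.iterdir():
        try:
            if child.is_dir() and not child.is_symlink():
                if not dry_run:
                    shutil.rmtree(child)
                counts["dirs"] += 1
            else:
                # Plain files and symlinks: remove the entry itself, never follow a link.
                if not dry_run:
                    child.unlink()
                counts["files"] += 1
        except OSError:
            counts["skipped"] += 1
    return counts


def clean_all(directories: Iterable[str], dry_run: bool = False) -> Dict[str, Dict[str, int]]:
    return {d: empty_directory(d, dry_run) for d in directories}


def build_sample_tree() -> str:
    """Constructed sample: a scratch directory with two files and one subfolder."""
    root = tempfile.mkdtemp(prefix="tempclean-sample-")
    for name in ("a.tmp", "b.tmp"):
        Path(root, name).write_text("scratch")
    sub = Path(root, "sub")
    sub.mkdir()
    Path(sub, "c.tmp").write_text("scratch")
    return root


def remaining_entries(directory: str) -> List[str]:
    return sorted(p.name for p in Path(directory).iterdir())


if __name__ == "__main__":
    # Dry run first so you can see what would go; drop dry_run=True to clean for real.
    for d, c in clean_all(default_temp_dirs(), dry_run=True).items():
        print(f"{d}: {c['files']} files and {c['dirs']} folders would be removed, {c['skipped']} skipped")
```

Run it once as a dry run, compare the counts with what Disk Cleanup reports, then run it for real; anything listed as skipped is in use and will go after a reboot, which is also why the helper's order of steps (cleaners first, then a restart) is the right one.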



