Downloader-aux Trojan


13 replies to this topic

#1 Cloud_Strife (Members, 17 posts)

Posted 03 June 2006 - 05:56 PM

Hello all, well after downloading a keygen my computer got infected with a virus that hijacks your homepage and makes Systemuptodate your homepage.

So far I've gotten rid of that, but now McAfee keeps alerting me that my computer is infected with a trojan named Downloader-AUX and McAfee cannot clean it. I've scanned using McAfee, S&D and Ad-Aware but they've found nothing.

Here's my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 10:49:26 a.m., on 4/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinCinemaMgr] rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mm_server] rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [LimeWire Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\LimeWire Acceleration Patch\LimeWire Acceleration Patch.lnk
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Any help would be greatly appreciated. Thanks


#2 Guest_Cretemonster_* (Guest)

Posted 04 June 2006 - 09:24 AM

Hi Cloud_Strife and Welcome to the Bleeping Computer!

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist

#3 Cloud_Strife (Topic Starter, Members, 17 posts)

Posted 05 June 2006 - 04:48 AM

Hi Cretemonster, thanks for the reply.

I tried to run the Panda ActiveScan but I kept on getting an 'error on downloading activescan', so I gave up after several attempts to get it to work. I did the rest of the instructions and the computer seems to be fine now; I haven't gotten any trojan alerts yet.

Here are the logs that you wanted.

Logfile of HijackThis v1.99.1
Scan saved at 9:37:58 p.m., on 5/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Real\RealOne Player\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinCinemaMgr] rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mm_server] rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




smitRem © log file
version 2.9

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Mon 05/06/2006
The current time is: 11:32:44.06

Running from
C:\Documents and Settings\Owner\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 824 'explorer.exe'
Killing PID 824 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:21:45 p.m., 5/06/2006
+ Report-Checksum: 9A4F0D96

+ Scan result:

[268] C:\WINDOWS\system32\winowl32.dll -> Trojan.Agent.qt : Cleaned with backup
C:\WINDOWS\system32\winowl32.dll -> Trojan.Agent.qt : Cleaned with backup


::Report End

Edited by Cloud_Strife, 05 June 2006 - 04:52 AM.
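The helper's method in this thread is to compare the HijackThis log from before the cleanup with the one posted after it, and to look hardest at the lines that run code without the user asking: the O20 Winlogon Notify DLL (winowl32.dll, which ewido identified as Trojan.Agent.qt) and the bare executables in the Startup folder. The following Python script is an added example, not a BleepingComputer or HijackThis tool: it parses the finding lines of two logs, reports what disappeared and what appeared, and flags the entries a helper would ask about first. The sample logs are short excerpts of the two logs posted above; the allowlist of Winlogon Notify names (the Windows XP defaults plus the Intel igfxcui handler seen in the log) is an assumption for the example and would be tuned per machine.

```python
"""Parse two HijackThis 1.99.1 logs, diff them, and flag the findings that
deserve a second look.  Added example; not a BleepingComputer or HijackThis tool."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# Finding lines start with a section code (R0, F2, O2 ... O23); process-list
# and header lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Winlogon Notify handlers expected on this box: the Windows XP defaults plus
# the Intel graphics handler the log shows resolving to igfxsrvc.dll.
# Assumed allowlist for the example; extend it per machine.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon", "igfxcui",
}


def parse_hjt(text):
    """Return the set of (section, body) findings in a log."""
    found = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.add(Entry(m.group("sec"), m.group("body")))
    return found


def diff_hjt(before, after):
    """(removed, added) findings between two logs, sorted for stable output."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def triage(entries):
    """Findings a helper would ask about first, paired with the reason(s)."""
    hits = []
    for e in sorted(entries):
        reasons = []
        if e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            # body looks like "Winlogon Notify: winowl32 - C:\...\winowl32.dll"
            name = e.body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_WINLOGON_NOTIFY:
                reasons.append("DLL outside the allowlist is loaded by winlogon.exe at every logon")
        elif e.section == "O4" and e.body.startswith("Startup:"):
            target = e.body.split(":", 1)[1].strip()
            if target.lower().endswith(".exe"):
                reasons.append("bare executable dropped in the Startup folder")
        if "(file missing)" in e.body or "(no file)" in e.body:
            reasons.append("orphaned entry whose file is gone")
        if reasons:
            hits.append((e, "; ".join(reasons)))
    return hits


# Excerpts of the two logs posted in this thread (post #1 and post #3).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - (no file)
O4 - HKCU\..\Run: [LimeWire Acceleration Patch] C:\Documents and Settings\All Users\Start Menu\Programs\LimeWire Acceleration Patch\LimeWire Acceleration Patch.lnk
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - C:\WINDOWS\SYSTEM32\winowl32.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Gone after cleanup:")
    for e in removed:
        print("  -", e.section, e.body)
    print("New after cleanup:")
    for e in added:
        print("  +", e.section, e.body)
    print("Still worth asking about:")
    for e, why in triage(parse_hjt(LOG_AFTER)):
        print("  ?", e.section, e.body, "=>", why)
```

Run against the two excerpts, the diff shows the winowl32.dll entry going from a resolved path to "(file missing)", the LimeWire Acceleration Patch run entry and the HouseCall ActiveX control disappearing, and the ewido service appearing. The triage pass still lists the two Startup-folder executables and the orphaned O20 key after the cleanup, which is exactly what a helper would fix with HijackThis next.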


#4 Guest_Cretemonster_* (Guest)

Posted 05 June 2006 - 04:15 PM

Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and Open Internet Explorer-> Click Tools--> Internet Options

Click the Programs Tab and then Click Reset Web Settings.

Click on the Advanced Tab and Click Restore Defaults.

To reset the Internet Security Zone Settings

1. Start Microsoft Internet Explorer.
2. Click Tools > Internet Options.
3. Click on the Security tab.
4. Click on the Internet Icon on upper pane of the window.
5. Click on Default Level on lower right corner of the window.
6. Click on the Local Internet Icon on upper pane of the window.
7. Click on Default Level on lower right corner of the window.
8. Click on the Trusted sites Icon on upper pane of the window.
9. Click on Default Level on lower right corner of the window.
10. Click on the Restricted sites Icon on upper pane of the window.
11. Click on Default Level on lower right corner of the window.
12. Click OK on lower right corner of the window.


Download The Hoster from here:
http://www.funkytoad.com/download/hoster.zip

Right Click the Zip Folder and Select "Extract All"

Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled

Click "Back up Host files"

Press "Restore Original Hosts" and press "OK"

Exit the Program.


Try the Panda scan once more.

Post back with the WinPFind log and the results from Panda if it will run.
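The "Restore Original Hosts" step above exists because hijackers of this era commonly rewrote C:\WINDOWS\SYSTEM32\drivers\etc\hosts so that antivirus, update and online-scanner sites resolved to loopback or to an attacker-chosen address, which is one reason an online scan can fail to download. The following Python script is an added example, not the Hoster tool from the post: it parses a hosts file and reports every mapping that a stock Windows XP hosts file (which maps only localhost to 127.0.0.1) would not contain, distinguishing redirected security sites from other blackholed or pinned names. The watchlist of protected hostnames is an assumption for the example, and the tampered sample file is constructed (the 192.0.2.x address is a documentation range, not a real host).

```python
"""Audit a Windows hosts file for the redirects that browser hijackers and
AV blockers leave behind.  Added example; not the Hoster tool from the post."""
import ipaddress

# Sites an attacker would want the victim unable to reach.  Assumed watchlist
# for the example; a real one would carry the vendors actually in use.
PROTECTED_HOSTS = {
    "www.mcafee.com", "update.mcafee.com", "housecall.trendmicro.com",
    "www.pandasoftware.com", "windowsupdate.microsoft.com",
    "www.bleepingcomputer.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and
    blank lines.  One line may name several hosts for the same address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Return (ip, host, reason) findings.  A stock XP hosts file maps only
    'localhost' to a loopback address, so every other mapping is reported."""
    findings = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, host, "unparseable address"))
            continue
        if host == "localhost" and addr.is_loopback:
            continue
        if host in PROTECTED_HOSTS:
            findings.append((ip, host, "security or update site redirected"))
        elif addr.is_loopback:
            findings.append((ip, host, "site blackholed to loopback"))
        else:
            findings.append((ip, host, "site pinned to a fixed address"))
    return findings


# The hosts file Windows XP ships with (comments abbreviated).
DEFAULT_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed sample of a tampered file; 192.0.2.10 is a documentation address.
HIJACKED_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.mcafee.com  update.mcafee.com   # blocks signature updates
127.0.0.1       housecall.trendmicro.com            # blocks the online scanner
192.0.2.10      www.google.com                      # search traffic diverted
"""

if __name__ == "__main__":
    for label, text in (("stock", DEFAULT_HOSTS), ("tampered", HIJACKED_HOSTS)):
        findings = audit_hosts(text)
        print(f"{label}: {len(findings)} finding(s)")
        for ip, host, why in findings:
            print(f"  {ip:<15} {host:<28} {why}")
```

If the audit reports anything on a machine that has never had a deliberately edited hosts file, restoring the stock file (which is what the Hoster step does) is the right fix; a clean result, like the empty hosts section in the WinPFind log later in this thread, means the failed Panda download had some other cause.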

#5 Cloud_Strife (Topic Starter, Members, 17 posts)

Posted 06 June 2006 - 05:44 AM

The scan worked this time.

Here are the logs.

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 6/06/2006 4:39:52 p.m. 204131 C:\WinPFind.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 3/05/2005 11:44:44 a.m. 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/01/2005 4:17:24 p.m. 170053 C:\WINDOWS\tsc.exe

Checking %System% folder...
PEC2 19/09/2003 3:28:40 a.m. 59252 C:\WINDOWS\SYSTEM32\ansi.cfg
PEC2 25/09/2003 6:30:00 a.m. 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/06/2005 8:32:28 a.m. 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/06/2005 8:32:28 a.m. 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 20/08/2004 2:56:24 p.m. 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PECompact2 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/08/2004 7:56:36 p.m. 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/08/2004 7:56:44 p.m. 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2/06/2006 5:27:44 p.m. 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 2/06/2006 5:27:44 p.m. 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 2/06/2006 5:27:44 p.m. 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 25/09/2003 12:19:00 a.m. 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 4/08/2004 5:41:38 p.m. 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/06/2006 4:45:52 p.m. S 2048 C:\WINDOWS\bootstat.dat
3/06/2006 7:35:26 p.m. H 2804552 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\224e79f8727683358fe9dcc8d9f4a34b\BIT569.tmp
6/06/2006 4:45:40 p.m. H 8192 C:\WINDOWS\system32\config\default.LOG
6/06/2006 4:46:08 p.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/06/2006 4:45:54 p.m. H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
6/06/2006 4:50:18 p.m. H 167936 C:\WINDOWS\system32\config\software.LOG
6/06/2006 4:44:50 p.m. H 1024 C:\WINDOWS\system32\config\system.LOG
3/06/2006 8:11:44 p.m. H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
6/06/2006 4:44:44 p.m. H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/08/2004 7:56:58 p.m. 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 20/09/2004 2:20:44 p.m. 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 4/08/2004 7:56:58 p.m. 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/08/2004 2:53:06 p.m. 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 p.m. 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/09/2003 4:43:00 p.m. 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 24/09/2003 5:00:00 p.m. 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 19/08/2003 4:56:00 a.m. 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 24/09/2003 5:26:00 p.m. 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 3:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 24/09/2003 4:43:00 p.m. 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 24/09/2003 5:00:00 p.m. 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 24/09/2003 5:26:00 p.m. 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 7/04/2003 9:14:30 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 13/09/2003 4:24:20 a.m. 10435584 C:\WINDOWS\SYSTEM32\ReinstallBackups\0017\DriverFiles\ALSNDMGR.CPL
Intel Corporation 7/04/2003 9:14:30 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/10/2003 10:28:06 p.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
25/10/2003 12:39:48 a.m. 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
24/04/2006 7:33:44 p.m. 763 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
25/10/2003 8:20:16 a.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
24/04/2006 11:22:22 a.m. 3955 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
24/10/2003 10:28:06 p.m. HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
13/06/2005 5:29:38 p.m. 0 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\mov06[1].exe
9/05/2004 3:56:50 p.m. 225280 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

Checking files in %USERPROFILE%\Application Data folder...
25/10/2003 8:20:16 a.m. HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
11/02/2005 4:01:24 p.m. 1408 C:\Documents and Settings\Owner\Application Data\PopUpNoNo.opt
5/10/2005 4:59:28 p.m. 4194441 C:\Documents and Settings\Owner\Application Data\sdi.db
25/04/2006 11:47:44 a.m. 836 C:\Documents and Settings\Owner\Application Data\ViewerApp.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McBrwHelper Class = c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EC8255F-E043-4cae-8B3B-B191550C2A22}
McAfee Privacy Service Popup Blocker = c:\program files\mcafee.com\mps\popupkiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
= :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}
ButtonText = ICQ Lite : C:\Program Files\ICQLite\ICQLite.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ADE-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
CamMonitor c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HPHUPD05 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
KBD C:\HP\KBD\KBD.EXE
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
WinCinemaMgr rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
Home Theater SchSvr rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Sunkist2k C:\Program Files\Multimedia Card Reader\shwicon2k.exe
mm_server rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
mmtask "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIEW rundll32.exe nview.dll,nViewLoadHook
BackupNotify c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
Acme.PCHButton C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoResolveTrack 1
NoActiveDesktopChanges 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper 0
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoResolveTrack 1
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
NoDispSettingsPage 0
NoDispScrSavPage 0
DisableRegistryTools 1
NoAdminPage 1
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
SystemCheck2 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winowl32
= winowl32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/06/2006 4:54:24 p.m.




Incident Status Location

Adware:adware/transponder Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Dialer:dialer.xd Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload\SystemCheck2
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK{F186041D-6956-44DB-9FC4-6F453D182A15}.dll

#6 Guest_Cretemonster_*
  • Guests

Posted 06 June 2006 - 05:07 PM

Can you post a fresh HijackThis log for me, please.

#7 Cloud_Strife
  • Topic Starter
  • Members
  • 17 posts

Posted 07 June 2006 - 11:06 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:02:10 p.m., on 8/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinCinemaMgr] rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mm_server] rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#8 Guest_Cretemonster_*
  • Guests

Posted 08 June 2006 - 03:50 AM

Copy the text in the quote box to a blank notepad page and Save it to the Desktop with the name Clr.reg, but don't run it just yet.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2]




Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

F2 - REG:system.ini: UserInit=userinit.exe

O4 - Startup: mov06[1].exe

O4 - Startup: PowerReg Scheduler V3.exe

O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Locate and Delete if found

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\mov06[1].exe<-- File

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe<-- File

C:\Program Files\Common Files\Companion Wizard<-- Folder


Locate and Double Click Clr.reg and allow it to merge into the registry.



Restart the Machine and Please run the F-Secure Online Scanner
  • Follow the directions in the F-Secure page for proper Installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Custom Scan and be sure the following are checked.
    • Scan whole System
    • Scan all files
    • Scan whole system for rootkits
    • Scan whole system for spyware
    • Scan inside archives
    • Use advanced heuristics
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the I want to decide item by item button.
  • For each item found, Select Disinfect and Click Next
  • Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Edited by Cretemonster, 08 June 2006 - 03:50 AM.
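A small triage script, added here as an example and not part of the thread, of HijackThis or of any BleepingComputer tool: it parses HijackThis entry lines like those in post #7, flags the patterns the helper singled out (an entry whose file is "(file missing)", programs started from the per-user Startup folder, a UserInit value that is a bare file name) and builds a REGEDIT4 key-deletion file in the same "[-KEY]" form as Clr.reg. The sample lines are copied from the log above; the flag rules are an assumed reading of the helper's picks, not HijackThis's own logic.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry line: section prefix, " - ", then the entry body.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Constructed sample: a subset of the lines from the HijackThis log in post #7.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - Startup: mov06[1].exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str          # e.g. "O4", "O20"
    body: str             # everything after "Oxx - "
    flags: list = field(default_factory=list)

    def line(self) -> str:
        """Reconstruct the log line exactly as it should be ticked in HijackThis."""
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list:
    """Turn the entry lines of a HijackThis log into Entry objects; all other lines
    (header, 'Running processes', blanks) are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to each entry matching one of the patterns flagged in the thread
    (assumed rules, not HijackThis's own). Returns only the flagged entries, in log order."""
    for e in entries:
        e.flags = []  # idempotent: re-running triage does not duplicate reasons
        # Any section: HijackThis appends "(file missing)" when the referenced file is
        # absent. A hook that points at a deleted file is a leftover to clean up.
        if "(file missing)" in e.body:
            e.flags.append("registry entry points at a file that is no longer on disk")
        # "O4 - Startup:" is the per-user Startup folder (mov06[1].exe, PowerReg Scheduler).
        if e.section == "O4" and e.body.startswith("Startup:"):
            e.flags.append("program launched from the user's Startup folder")
        # F2 UserInit: the stock value is the full System32 path; the log shows a bare name.
        if e.section == "F2" and "UserInit=" in e.body:
            value = e.body.split("UserInit=", 1)[1].strip().rstrip(",")
            if "\\" not in value:
                e.flags.append("UserInit is a bare file name, not the full System32 path")
    return [e for e in entries if e.flags]


def report(flagged: list) -> list:
    """Lines to tick in 'Do a System Scan Only', each followed by its reason(s)."""
    out = []
    for e in flagged:
        out.append(e.line())
        out.extend(f"    -> {reason}" for reason in e.flags)
    return out


def regedit4_delete_keys(keys: list) -> str:
    """Build the text of a REGEDIT4 file that deletes each key, using the "[-KEY]" form
    of Clr.reg. CRLF line endings and a trailing blank line, as regedit expects."""
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines += [f"[-{key}]", ""]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print("\n".join(report(triage(parse_log(SAMPLE_LOG)))))
    # The two keys Clr.reg removes in post #8.
    print(regedit4_delete_keys([
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2",
    ]))
```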


#9 Cloud_Strife
  • Topic Starter
  • Members
  • 17 posts

Posted 09 June 2006 - 01:58 AM

Scanning Report
Friday, June 09, 2006 15:46:15 - 18:44:53
Computer name: COMPUTER
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 3 malware found
Backdoor.Win32.Virkel.b (virus)
C:\WINDOWS\system32\pstord.0xe
Tracking Cookie (spyware)
System (Disinfected)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 227631
System: 4833
Not scanned: 46
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\WINDOWS\I386\BIOS1.RO_
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[10].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[11](02-06-06-19-22-31).BK2
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[11](02-06-06-20-08-37).BK2
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1](22-04-06-15-09-44).BK2
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[5].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[6].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[7].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[8].RMB
C:\PROGRAM FILES\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[9].RMB
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\DATA\TWERP.IDX
C:\Program Files\McAfee.com\Agent\Uninst\mpfrem.ui\appconst.vbs
C:\Program Files\McAfee.com\Agent\Uninst\mpsrem.ui\appconst.vbs
C:\Program Files\McAfee.com\Agent\Uninst\screm.ui\agntcons.vbs
C:\Program Files\McAfee.com\Agent\Uninst\shredrem.ui\comctl.lpk
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER\DOWNLOAD11322195984759687.DAT
C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER\DOWNLOAD11391275436553890.DAT
C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER\DOWNLOAD114475610013319875.DAT
C:\Program Files\Kazaa\BGP2P\plugins\plugins.cab.cab (incomplete)\emalware.ivd
C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\ZF612707.CAB\REFSPCL.TTF
C:\HP\DRIVERS\PRINTERS\DESKJET\PROGRAM FILES\HEWLETT-PACKARD\HP DESKJET ASSISTANT\5600\SAMPLE1.PCL
C:\HP\DRIVERS\PRINTERS\DESKJET\PROGRAM FILES\HEWLETT-PACKARD\HP DESKJET ASSISTANT\5100\SAMPLE1.PCL
C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY MUSIC\MUSIC\KELLY_ROWLAND_-_FLASHBACK EXTENDED FULL.MP3
C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\DOWNLOADS\[A.F.K.] THE MELANCHOLY OF HARUHI SUZUMIYA - 03.AVI
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\HSPERFDATA_OWNER\2708
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
D:\I386\BIOS1.RO_

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-06-08
F-Secure Libra: 2.4.1, 2006-06-08
F-Secure Orion: 1.2.37, 2006-06-08
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 2006-06-01
F-Secure Pegasus: 1.19.0, 2006-00-20
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics


Logfile of HijackThis v1.99.1
Scan saved at 6:53:58 p.m., on 9/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWirepro\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.xtra.co.nz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinCinemaMgr] rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mm_server] rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.xtra.co.nz
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{041B32B1-9CA9-4381-BC5C-E5E717CBBA08}: NameServer = 202.27.184.3 202.27.184.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

#10 Guest_Cretemonster_*

  • Guests

Posted 09 June 2006 - 04:23 AM

See if you can locate this file

C:\WINDOWS\system32\pstord.0xe


Go back to Safe Mode and scan once more with WinPFind.


Restart normally and please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with the WinPFind log.


#11 Cloud_Strife
  • Topic Starter
  • Members
  • 17 posts

Posted 09 June 2006 - 09:28 PM

I found the file pstord.0xe and deleted it.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 3/05/2005 11:44:44 a.m. 25157 C:\WINDOWS\RMAgentOutput.dll
UPX! 10/01/2005 4:17:24 p.m. 170053 C:\WINDOWS\tsc.exe

Checking %System% folder...
PEC2 19/09/2003 3:28:40 a.m. 59252 C:\WINDOWS\SYSTEM32\ansi.cfg
PEC2 25/09/2003 6:30:00 a.m. 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/06/2005 8:32:28 a.m. 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/06/2005 8:32:28 a.m. 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 20/08/2004 2:56:24 p.m. 59914 C:\WINDOWS\SYSTEM32\igfxhcsy.lhp
PECompact2 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/05/2006 9:26:24 p.m. 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 4/08/2004 7:56:36 p.m. 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 4/08/2004 7:56:44 p.m. 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 2/06/2006 5:27:44 p.m. 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 2/06/2006 5:27:44 p.m. 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 2/06/2006 5:27:44 p.m. 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 25/09/2003 12:19:00 a.m. 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 4/08/2004 5:41:38 p.m. 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/06/2006 10:14:30 a.m. S 2048 C:\WINDOWS\bootstat.dat
3/06/2006 7:35:26 p.m. H 2804552 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\224e79f8727683358fe9dcc8d9f4a34b\BIT569.tmp
10/06/2006 10:14:16 a.m. H 8192 C:\WINDOWS\system32\config\default.LOG
10/06/2006 10:14:48 a.m. H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/06/2006 10:14:32 a.m. H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/06/2006 10:18:56 a.m. H 126976 C:\WINDOWS\system32\config\software.LOG
10/06/2006 10:12:44 a.m. H 1024 C:\WINDOWS\system32\config\system.LOG
3/06/2006 8:11:44 p.m. H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/06/2006 10:12:38 a.m. H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/08/2004 7:56:58 p.m. 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 20/09/2004 2:20:44 p.m. 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 4/08/2004 7:56:58 p.m. 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 20/08/2004 2:53:06 p.m. 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 p.m. 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 24/09/2003 4:43:00 p.m. 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 24/09/2003 5:00:00 p.m. 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 19/08/2003 4:56:00 a.m. 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 24/09/2003 5:26:00 p.m. 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 3:16:30 a.m. 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 24/09/2003 4:43:00 p.m. 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 24/09/2003 5:00:00 p.m. 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 4/08/2004 7:56:58 p.m. 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 24/09/2003 5:26:00 p.m. 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 7/04/2003 9:14:30 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0003\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 13/09/2003 4:24:20 a.m. 10435584 C:\WINDOWS\SYSTEM32\ReinstallBackups\0017\DriverFiles\ALSNDMGR.CPL
Intel Corporation 7/04/2003 9:14:30 a.m. 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0018\DriverFiles\igfxcpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
24/10/2003 10:28:06 p.m. HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
25/10/2003 12:39:48 a.m. 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
24/04/2006 7:33:44 p.m. 763 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
25/10/2003 8:20:16 a.m. HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
24/04/2006 11:22:22 a.m. 3955 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
24/10/2003 10:28:06 p.m. HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
25/10/2003 8:20:16 a.m. HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
11/02/2005 4:01:24 p.m. 1408 C:\Documents and Settings\Owner\Application Data\PopUpNoNo.opt
5/10/2005 4:59:28 p.m. 4194441 C:\Documents and Settings\Owner\Application Data\sdi.db
25/04/2006 11:47:44 a.m. 836 C:\Documents and Settings\Owner\Application Data\ViewerApp.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu
{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{227B8AA8-DAF2-4892-BD1D-73F568BCB24E}
McBrwHelper Class = c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EC8255F-E043-4cae-8B3B-B191550C2A22}
McAfee Privacy Service Popup Blocker = c:\program files\mcafee.com\mps\popupkiller.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ade-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
= :
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{8F4902B6-6C04-4ADE-8052-AA58578A21BD}
hp view = C:\WINDOWS\System32\Shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} = HP View : c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IMJPMIG8.1 "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
hpsysdrv c:\windows\system\hpsysdrv.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
CamMonitor c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
HPHUPD05 C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 C:\WINDOWS\System32\hphmon05.exe
KBD C:\HP\KBD\KBD.EXE
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
WinCinemaMgr rem "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
Home Theater SchSvr rem "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Sunkist2k C:\Program Files\Multimedia Card Reader\shwicon2k.exe
mm_server rem C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
MPSExe c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
mmtask "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NVIEW rundll32.exe nview.dll,nViewLoadHook
BackupNotify c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
Acme.PCHButton C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0
LinkResolveIgnoreLinkInfo 0
NoResolveSearch 1
NoResolveTrack 1
NoActiveDesktopChanges 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 0
NoComponents 0
NoDeletingComponents 0
NoEditingComponents 0
NoCloseDragDropBands 0
NoMovingBands 0
NoHTMLWallPaper 0
NoChangingWallPaper 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoResolveTrack 1
NoActiveDesktop 0
NoSaveSettings 0
ClassicShell 0
NoThemesTab 0
ForceActiveDesktopOn 0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
NoDispSettingsPage 0
NoDispScrSavPage 0
DisableRegistryTools 1
NoAdminPage 1
DisableTaskMgr 0
NoColorChoice 0
NoSizeChoice 0
NoDispCPL 0
NoVisualStyleChoice 0
NoDispAppearancePage 0
NoDispBackgroundPage 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
SystemCheck2 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/06/2006 10:23:04 a.m.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, June 10, 2006 1:55:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 9/06/2006
Kaspersky Anti-Virus database records: 199573
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 92830
Number of viruses found: 4
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 01:32:53

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP10\A0001155.exe Infected: Backdoor.Win32.Virkel.b skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP7\A0000766.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000894.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000894.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000894.exe/data0003/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000894.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000894.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000902.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000902.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000902.exe/data0003/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000902.exe/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{C6780E7C-D8FE-4ABA-9216-1565A92BD264}\RP8\A0000902.exe NSIS: infected - 4 skipped

Scan process completed.

#12 Guest_Cretemonster_*

  • Guests

Posted 10 June 2006 - 04:17 AM

Copy all the text in the Quote Box to a blank notepad page and Save it to the Desktop with the name Clr.reg


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"=-



Double Click Clr.reg and allow it to merge into the registry.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?
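As an added example (not part of this thread, nor code from WinPFind or any tool mentioned here): a small Python script that pulls the ShellServiceObjectDelayLoad block out of a WinPFind-style registry dump, flags entries with no CLSID or no DLL path (the shape of the empty "SystemCheck2 =" value in the log above), and writes the same kind of REGEDIT4 removal file as Clr.reg. The sample dump, the allowlist of expected system DLLs and the function names are constructed assumptions for illustration.

```python
"""
Triage the ShellServiceObjectDelayLoad (SSODL) registry block from a
WinPFind-style dump and generate a REGEDIT4 fragment that deletes the
suspicious values using the '"name"=-' delete syntax.
"""
import re

# Constructed sample: an SSODL block in the layout WinPFind prints, followed
# by the start of another key so the block boundary is exercised.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
SystemCheck2 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
"""

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# DLLs a stock Windows XP install registers under SSODL (assumption drawn from
# the clean entries in the log; not an authoritative allowlist).
KNOWN_SSODL_DLLS = {"shell32.dll", "webcheck.dll", "stobject.dll"}

# "<name> {<clsid>} = <dll>"  -- the CLSID part is optional so that a bare
# "<name> =" line (no CLSID, no DLL) is still captured and can be flagged.
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)(?:\s+\{(?P<clsid>[0-9A-Fa-f-]+)\})?\s*=\s*(?P<dll>.*)$"
)


def parse_ssodl(dump: str) -> list:
    """Return SSODL entries as dicts: name, clsid (None if absent), dll path."""
    entries = []
    in_block = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only lines under the SSODL key header belong to our block.
            in_block = line[1:-1].lower() == SSODL_KEY.lower()
            continue
        if not in_block or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(
                {"name": m["name"], "clsid": m["clsid"], "dll": m["dll"].strip()}
            )
    return entries


def suspicious_ssodl(entries: list) -> list:
    """Flag entries lacking a CLSID or DLL, or loading an unexpected DLL."""
    flagged = []
    for e in entries:
        dll_name = e["dll"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if e["clsid"] is None or not e["dll"] or dll_name not in KNOWN_SSODL_DLLS:
            flagged.append(e)
    return flagged


def regedit_remove(entries: list) -> str:
    """Build a REGEDIT4 file body deleting the given SSODL values."""
    lines = ["REGEDIT4", "", f"[{SSODL_KEY}]"]
    lines += [f'"{e["name"]}"=-' for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bad = suspicious_ssodl(parse_ssodl(SAMPLE_DUMP))
    print(regedit_remove(bad))
```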

#13 Cloud_Strife
  • Topic Starter
  • Members
  • 17 posts

Posted 10 June 2006 - 10:36 PM

Hi Cretemonster, thank you for all your help. The computer is running fine now; it runs a lot smoother and seems to take less time to start up and load things.

#14 Guest_Cretemonster_*

  • Guests

Posted 11 June 2006 - 06:33 AM

Go ahead and re-enable System Restore and restart the PC. This will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates at least twice a week.


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again, you know how to find us! :thumbsup:



