Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojans, Viruses, Malware, Oh My!


  • Please log in to reply
17 replies to this topic

#1 Alienfog

Alienfog

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 15 November 2006 - 11:49 PM

Okay, it looks like I got infected with Virus Bursters malware and tons of other crap. I've never had this problem in 10 years of being online. I have run AVG 7.5 several times, I have run Spybot several times, I can't run McAfee AVERT Stinger because it says it may be infected!! And Ad-Aware does nothing. These programs seem to be finding the infection but it's not getting rid of them. What gives!?!?!

Need help ASAP please. Here is my Hijack This log.

Logfile of HijackThis v1.99.1
Scan saved at 2:02:30 AM, on 1/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daddy.ALIENFOG\Desktop\Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O12 "EP1394D3_001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TGFycnkgUy4\command.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

BC AdBot (Login to Remove)

 


#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 16 November 2006 - 04:45 AM

Hi Alienfog and welcome to Bleeping Computer :thumbsup:

You got infections there....

You should print these instructions or save these to a text file. Follow these instructions carefully.

At first, well have to disable AVG Anti-Spyware guard since it may interfere with our cleaning (We can enable it when you're clean)
  • Open AVG Anti-Spyware
  • Click Shield
  • Click under "resident shield is"
  • Change it to inactive
Please rename HijackThis.exe to Scanner.exe

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis (scanner.exe) log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
UNITE & ASAP member since 2006
Posted Image
Posted Image

#3 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 16 November 2006 - 11:40 AM

Okay, things went from bad to worse to OMGWTF!!?!?!?! :thumbsup:
Everytime I try to run a program it gives me a "System Failure: unable to run xxxxx.exe". I was ticked off so I turned off my computer and took a break. I went back a little while later and when I booted up Windows gave me a pop-up saying that it needed to be verified. If I click on the "Don't verify now" button it just keeps me at the log on screen. I can only boot into Safe Mode, and I still get the "System Failure" error if I try and run a program.

My solution at this time is to reformat my Windows partition and reinstall Windows unless someone has another idea. Lucky for me I keep all my documents, games, pictures, etc on another drive.
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#4 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 16 November 2006 - 11:42 AM

Ooops, sorry. Double post. I'm at work right now. I apologize.

Edited by Alienfog, 16 November 2006 - 11:43 AM.

*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#5 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 16 November 2006 - 12:57 PM

Hi again :thumbsup:

No do not format yet. There is a possiblity that we can get things running again :flowers:
This may also be a sign of a very dangerous infection but we can't know that for sure - yet.

So let's try this.

Ok at first i need you to download one file and move it to the infected computer's desktop.
Use a eg a memory stick... You need to use another computer than the infected one because your browser won't work...

Download the fix.reg file from below, rightclick, "save target as".
Attached File  fix.reg   77bytes   17 downloads
Move it to the infected computer's desktop.

You should print these instructions or save these to a text file. You won't have acces to internet from the infected computer. Follow these instructions carefully.

Restart the infected computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Uncheck "hide file extensions for known file types"
  • Click Apply and then the OK and close My Computer.
Go to My Computer and browse to the following file:
C:\Windows\Regedit.exe

Rightclick the file with your mouse.
Choose Copy
Get back to your desktop.
Rightclick you desktop and choose Paste

Then rename the Regedit.exe file to Regedit.com (on your desktop)
Rightclick the Regedit.com file with your mouse.
Choose Copy
Get back to your C:\Windows folder.
Rightclick to the background of the C:\Windows folder and choose Paste

Get back to your desktop. Double click on the file Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Let me know if you get an error at this point.

Restart the computer normally.

Try if *.exe files are opening normally.

Post also the contents of C:\Combofix.txt

Please let me know every error message that you get. (if you get those)

:huh:

Edited by Mr_JAk3, 16 November 2006 - 12:58 PM.

UNITE & ASAP member since 2006
Posted Image
Posted Image

#6 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 17 November 2006 - 10:28 AM

Okay I did the Reg fix and it seems to have helped. Thank you! :thumbsup:

I ran Combofix and will post the log. You wanted to know the errors I'm getting also so here they are. I can only boot into Safe Mode. If I try anything else, including Safe Mode with Networking, I get an error telling me I have to activate Windows. Also, while in Save Mode, every few minutes I get the pop up box saying that Windows is in Save Mode. Everytime I boot up my computer it always upens up the My Documents folder.
I ran Spybot and it found the following; YazzleSudoku, VirtuMonde, Smitfraud-c.Toolbar888, SearchToolbarCorp.ToolbarVision. Spybot could not get rid of VirtuMonde or Smitfraud-c.Toolbar888. I had already done the SmitFraud fix to get rid of VirusBursters so I don't know what that Toolbar888 is.
When I scanned with AVG it found nothing. :flowers:

And I think that's it for now. I am using my PC at work to transfer files to my Home PC. So a detailed list of everything I need to do AND download would be great. I am posting my Combofix log. And will post my most recent Hijack log.

********Combo fix log ***********


Daddy - 06-11-16 7:37:01.00 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Daddy.ALIENFOG\Desktop\Downloads"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Daddy.ALIENFOG\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\winupdates
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{38C78806-08CC-1033-0927-050916050001}
C:\Program Files\Common Files\{A8C78806-0710-1033-0927-050916050001}
C:\Program Files\Common Files\{A8C78806-08CC-1033-0927-050916050001}
C:\WINDOWS\TGFycnkgUy4

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Daddy.ALIENFOG\Application Data\SSEMBL~1
C:\QooBox\Purity\Documents and Settings\Daddy.ALIENFOG\Application Data\SSEMBL~1\j?vaw.exe
C:\QooBox\Purity\Program Files\STEM~1
C:\QooBox\Purity\Program Files\STEM~1\??stem


((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-11-16 07:31 146,432 --a------ C:\WINDOWS\regedit.com.exe
2006-11-14 22:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-14 22:24 2,704 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-14 22:08 817 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-11-14 20:55 397,312 --a------ C:\WINDOWS\cfg32p.dll
2006-11-14 20:55 2 --a------ C:\WINDOWS\system32\wnsapisv.exe
2006-11-14 20:55 178,306 --a------ C:\WINDOWS\ac3_0008.exe
2006-11-14 20:55 126 --a------ C:\WINDOWS\lefvf.dll
2006-11-14 20:55 106,496 --a------ C:\WINDOWS\system32\DomainHelper.dll
2006-11-14 20:55 1,335 --a------ C:\WINDOWS\system32\ary08083.sys
2006-11-14 20:54 15,872 --a------ C:\WINDOWS\system32\winuns32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-16 07:37 -------- d-------- C:\Program Files\Common Files
2006-11-14 23:48 -------- d---s---- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\Microsoft
2006-11-14 22:26 -------- d-------- C:\Program Files\Grisoft
2006-11-14 21:33 -------- d-------- C:\Program Files\Windows NT
2006-11-14 21:30 -------- d-------- C:\Program Files\Internet Explorer
2006-11-14 21:13 -------- d-------- C:\Program Files\Online Services
2006-11-12 21:32 -------- d-------- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\Microsoft Games
2006-11-12 13:32 -------- d-------- C:\Program Files\Java
2006-11-04 21:48 -------- d-------- C:\Program Files\BitTorrent
2006-11-04 21:48 -------- d-------- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\BitTorrent
2006-10-01 20:59 -------- d-------- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\LimeWire
2006-09-28 21:52 43688 --a------ C:\Documents and Settings\Daddy.ALIENFOG\Application Data\GDIPFONTCACHEV1.DAT
2006-09-28 10:28 -------- d-------- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\AdobeUM
2006-09-27 17:47 -------- d-------- C:\Documents and Settings\Daddy.ALIENFOG\Application Data\Ulead Systems
2006-09-15 14:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-08-29 18:43 135168 --a------ C:\WINDOWS\system32\swreg.exe
2006-08-22 16:15 98304 --a--c--- C:\WINDOWS\system32\CmdLineExt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Weather"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"nTrayFw"="C:\\PROGRA~1\\NVIDIA~1\\NETWOR~1\\bin\\nTrayFw.exe"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"EPSON Stylus Photo R1800"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LA.EXE /P24 \"EPSON Stylus Photo R1800\" /O12 \"EP1394D3_001\" /M \"Stylus Photo R1800\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"USIUDF_Eject_Monitor"="C:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy.ALIENFOG^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Daddy.ALIENFOG\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy.ALIENFOG^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Daddy.ALIENFOG\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\dwdsregt.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daddy.ALIENFOG^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Daddy.ALIENFOG\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\nwinkoem.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R1800]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_FATI9LA"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9LA.EXE /P24 \"EPSON Stylus Photo R1800\" /M \"Stylus Photo R1800\" /EF \"HKCU\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwinkoem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\nwinkoem.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jwkio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="niypnk"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\niypnk.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchList]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LaunchList"
"hkey"="HKLM"
"command"="F:\\Programs\\Pinnacle Studio\\LaunchList.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\madhni]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="niypnk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\niypnk.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\win320922-14633185]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="win320922-14633185"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\win320922-14633185.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="windows_e57"
"hkey"="HKLM"
"command"="C:\\\\windows_e57.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdates"
"hkey"="HKLM"
"command"="C:\\Program Files\\winupdates\\winupdates.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{78-88-80-06-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="njdsregk"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\njdsregk.exe GEN001"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfecdd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpo
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-16 7:40:46.54
C:\ComboFix.txt ... 06-11-16 07:40
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#7 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 17 November 2006 - 10:32 AM

Here is my latest HijackThis log. I ran it after I did the regfix and Spybot and AVG scan. Ad-Aware will not run.


******** HijackThis Log ************



Logfile of HijackThis v1.99.1
Scan saved at 8:31:10 AM, on 11/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Daddy.ALIENFOG\Desktop\Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [nTrayFw] C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O12 "EP1394D3_001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#8 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 17 November 2006 - 01:27 PM

Hi again :thumbsup:

Ok the exe's are working again which is a good thing. I can't see anything specific from the logs that could have caused that...

Do you have another computer ? Running the Pc in the "Safe Mode with Networking" is really dangerous. You're vulnerable to all kinds of threats. So please keep your computer offline as much as possible.

The "activate windows" message is propably malware based. (hard to say because you can't take a log from normal mode)

The next step is to run a scanner. Hopefully I can you tell more after that :flowers:

Download Dr.Web CureIt and move it to the infected pc's desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

You should print these instructions or save these to a text file. Follow these instructions carefully.

Restart the infected computer to the safe mode

Run a can with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found Posted Image
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the Cure-it report and a fresh HijackThis log
Please use another computer for posting and downloading if possible :huh:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#9 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 17 November 2006 - 02:16 PM

I am unable to download the file. I don't thing I can download from an FTP site here at my job. Is there anything else I can try?
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 17 November 2006 - 02:52 PM

Hi again :thumbsup:

Ok I have uploaded the latets version of Dr.Web CureIt to my homepage. It is a non FTP site so you should be able to download it.

Here it is --> Cureit.exe

:flowers:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#11 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 17 November 2006 - 03:01 PM

Wonderful! :thumbsup:

It is downloaded and ready to go. Will report later. You didn't mention it, but I'll get a new Hijack log too.
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 18 November 2006 - 02:43 AM

Hi again :thumbsup:

Please rename HijackThis.exe to Scanner.exe before runnning HijackThis (scanner.exe) and posting the log.
UNITE & ASAP member since 2006
Posted Image
Posted Image

#13 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 20 November 2006 - 10:34 AM

Okay so here's the deal. I only had one day (Saturday) in which to get this straightened out. I ran Dr.Web and it took care of all but 2 dll files that would not go away. Well, I got impatient (and frustrated) as I was having the "can't run .exe" error popping up again and it kept giving me the "windows needs to be activated" pop up at the log in screen. I couldn't go much longer without my computer as both of my kids are home schooled through a state online academy and they had missed 3 days already due to my stupidity. :thumbsup:
So out came the WinXP disk. I re-formatted my Windows partition 3 times and re-installed WinXP. All is right in the universe once again. :flowers:

I appreciate ALL your help Mr._JAk3. It was very much appreciated. I only have one request left of you. Could you take a look at my HijackThis log if I post it later on this evening? It would be much appreciated. Again thanks for the help.
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  •  
  • Location:Finland
  • Local time:04:08 PM

Posted 20 November 2006 - 12:20 PM

Hi again.

I'll respect you decicion to do a clean install, it was a wise move since the computer seemed to be pretty messed up :thumbsup:

I can check your fresh log is you want :flowers:

There are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

    These are good (free) firewalls:
    - Kerio
    - Sygate
    - Outpost

    These are good (free) antiviruses:
    - Antivir
    - Avast
    - AVG
  • Get all Windows updates installed!
Then here are a few things that you can do in order to make your fresh computer more secure:
UNITE & ASAP member since 2006
Posted Image
Posted Image

#15 Alienfog

Alienfog
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:08:08 AM

Posted 21 November 2006 - 10:24 AM

Thanks for understanding Mr.JAk3. Here's my lastest HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 7:28:23 AM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Daddy\Desktop\Downloads\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /O12 "EP1394D3_001" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "D:\Programs\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Office XP\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163833297296
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
*****************************************************************************************
Abit An8 Ultra
A64 3000 @ 2.2
7800GT
1GB Corsair XXL




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users