
?hkntfs


5 replies to this topic

#1 Craving

  • Members
  • 3 posts

Posted 15 February 2007 - 12:41 AM

I'm not sure if ?hkntfs (which sits in c://WINDOWS/system32/) is the cause, but:

1. All my display property tabs, except "Themes", have disappeared. No screen saver, no wallpaper, etc.

2. Computer refuses to download or install windows security updates. I get the icon in the bottom right saying 0% downloaded, but the download never appears to happen. If I go to the microsoft website to try to d/l from there, it will eternally search for which updates I need and never show anything.

3. IE 7 refuses to function - I have "set it up", in other words, chosen my homepage for it, but when I tried to d/l an MS update it locked up, and now IE crashes when I try to open it. Btw, I normally refuse to use IE and instead use Firefox (which as I type is working fine), but I saw no easier way to get essential security updates.

When IE 7 crashes at load, I get the following error: The instruction at "0x02009f3c" referenced memory at "0x5e5b5982". The memory could not be "read".


Logfile of HijackThis v1.99.1
Scan saved at 12:26:08 AM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/registration
R3 - URLSearchHook: (no name) - {E92B7CC5-E227-B983-7BE7-B29EFC4253B0} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5746C483-7C0B-3E1F-1157-0490138258AB} - C:\WINDOWS\system32\qgakokj.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [habpdln.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\habpdln.dll,npgtzy
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.btsword.com
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 February 2007 - 04:46 AM

Welcome to Bleepingcomputer Craving :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

****************************

Download DelDomains.zip and extract/unzip it to your desktop:
http://ralphcaddell.com/Uploads/deldomains.zip
Now right click on Deldomains.inf and select 'Install', click Ok.
Note:
When right clicking on Deldomains.inf and selecting 'Install', it will appear that nothing happened; this is normal.

****************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R3 - URLSearchHook: (no name) - {E92B7CC5-E227-B983-7BE7-B29EFC4253B0} - blank (file missing)
O2 - BHO: (no name) - {5746C483-7C0B-3E1F-1157-0490138258AB} - C:\WINDOWS\system32\qgakokj.dll
O4 - HKLM\..\Run: [habpdln.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\habpdln.dll,npgtzy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)


Exit HijackThis, find and delete if present:
C:\WINDOWS\system32\qgakokj.dll
C:\WINDOWS\system32\habpdln.dll

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.


Post the AVG Anti-Spyware report, and a new HijackThis log in your next reply.
Let me know how your pc is running now please.

Edited by RichieUK, 15 February 2007 - 09:50 AM.


#3 Craving

  • Topic Starter

  • Members
  • 3 posts

Posted 15 February 2007 - 09:04 PM

Much improved! I thank you very much for the help and for any more help which you provide!

The ?hkntfs is now gone (I should say, AVG is no longer detecting it). IE7 now works very smoothly, and I have successfully downloaded all of the latest MS security updates.

The only thing which still persists is the absence of tabs in my display properties. Again, the only thing there (when I right click on desktop and select properties) is "themes". While this isn't a show-stopper, it is definitely annoying, since I like to change my SS option a lot.

Below please find the AVG Anti-Spyware log that you requested and another HJT log.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:28:21 PM 2/15/2007

+ Scan result:



C:\Program Files\Geneforge\7966cbdd45cf2a9abe9a8044451da7d52d8.zip/GNFrg.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
:mozilla.226:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.289:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.292:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.32:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.34:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.100:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.101:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.256:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.99:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.358:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.359:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.360:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.110:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.111:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.36:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.63:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.28:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.375:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.121:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.122:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.376:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.132:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.37:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.103:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.104:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.105:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.62:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.383:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.361:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.362:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.363:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.221:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.222:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.106:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.107:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.108:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.109:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.91:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.92:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.85:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.155:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.156:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.120:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.241:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.242:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.243:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.244:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.245:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.390:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.391:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.392:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.262:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.263:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.264:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.275:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.276:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.277:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.278:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.279:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.280:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.281:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.282:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.283:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.284:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.340:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.50:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.325:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.326:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.327:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.328:C:\Documents and Settings\HP USER\Application Data\Mozilla\Firefox\Profiles\d9pogh2y.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Demise - Rise of the Ku'tan\Demise_ACEd.ZIP/Install.exe -> Trojan.Install.d : Cleaned.
C:\Program Files\Demise - Rise of the Ku'tan\Install.exe -> Trojan.Install.d : Cleaned.
C:\WINDOWS\system32\wnsintsu.exe -> Trojan.Small : Cleaned.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 9:00:32 PM, on 2/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/registration
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
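Added example (my own code, not HijackThis and not anything posted in this thread): a small parser that diffs the log posted before RichieUK's fix list against the one posted after it, so you can confirm exactly which hooks the cleanup removed and whether any "file missing" entries are still registered. The sample lines are a constructed subset copied from the two logs above.

```python
"""Diff two HijackThis logs to see which startup hooks a cleanup removed.

Added example, not part of this thread or of HijackThis. BEFORE and AFTER
are subsets of the logs Craving posted before and after the fix; the parser
and the diff are my own.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries taken from the first log (before the fix).
BEFORE = r"""
R3 - URLSearchHook: (no name) - {E92B7CC5-E227-B983-7BE7-B29EFC4253B0} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5746C483-7C0B-3E1F-1157-0490138258AB} - C:\WINDOWS\system32\qgakokj.dll
O4 - HKLM\..\Run: [habpdln.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\habpdln.dll,npgtzy
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - (no file)
O20 - Winlogon Notify: winrnt32 - winrnt32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample: the same sections from the second log (after the fix).
AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A log entry is "<section> - <description>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis marks hooks whose backing file no longer exists with these tags.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    code: str   # section: O2 = BHO, O4 = Run key, O18 = protocol filter, O20 = Winlogon Notify
    body: str   # everything after "Oxx - "

    @property
    def orphan(self) -> bool:
        # Registered, but the file is gone: a leftover that still deserves removal.
        return any(marker in self.body for marker in ORPHAN_MARKERS)


def parse_hjt(text: str) -> list[Entry]:
    """Turn the R/O lines of a HijackThis log into Entry objects; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Return the entries that disappeared and those that appeared between two logs."""
    old, new = parse_hjt(before), parse_hjt(after)
    old_set, new_set = set(old), set(new)
    return {
        "removed": [e for e in old if e not in new_set],
        "added": [e for e in new if e not in old_set],
    }


def orphans(text: str) -> list[Entry]:
    """Entries whose backing file is missing, i.e. hooks HijackThis cannot resolve."""
    return [e for e in parse_hjt(text) if e.orphan]


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for label in ("removed", "added"):
        print(f"{label}:")
        for e in result[label]:
            print(f"  {e.code} - {e.body}")
    print("orphans still registered after the fix:", len(orphans(AFTER)))
```

On the two logs in this thread the diff lists the five hooks RichieUK had fixed and the one Run entry AVG Anti-Spyware added; no orphaned entries remain in the second log.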

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 February 2007 - 09:23 PM

See if this registry fix fixes your display tabs problem.
Copy and paste the text between the asterisk lines below into Notepad.
Click on File (in the menu at the top) > Save as... Save as type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

*************************************
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00


********************************************

Your log is clean :thumbsup:
If all's ok, please do the following:

Reverse these settings back to default:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time is created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Edited by RichieUK, 15 February 2007 - 09:25 PM.

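Added example, not from this thread: before merging a .reg fix like the one above it is worth reading exactly what it will write. This parser (my own code, not a Microsoft tool) handles the dword, hex and hex(2) syntax used in that fix, decodes the UTF-16 hex(2) DllName value back into a readable path, and lists each write, delete and cleared policy. REG_FIX is a trimmed copy of the fix as RichieUK posted it.

```python
"""Parse a Regedit 5.00 .reg file and report what merging it would change.

Added example, not from this thread. REG_FIX is a trimmed copy of the policy
fix posted above; the parser and the summary are my own.
"""
import re

REG_FIX = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=hex:00,00,00,00
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"SetVisualStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')
THEME_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager"


def _hex_bytes(csv: str) -> bytes:
    """Turn '25,00,53,...' into bytes."""
    return bytes(int(b, 16) for b in csv.split(",") if b)


def decode_value(raw: str):
    """Decode one .reg value; None means the line deletes the value ("=-")."""
    if raw == "-":
        return None
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):       # REG_EXPAND_SZ: UTF-16LE bytes plus a NUL terminator
        return _hex_bytes(raw[len("hex(2):"):]).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):          # REG_BINARY
        return _hex_bytes(raw[len("hex:"):])
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ
        return raw[1:-1]
    raise ValueError(f"unsupported value syntax: {raw!r}")


def parse_reg(text: str) -> dict[str, dict[str, object]]:
    """Return {key_path: {value_name: decoded_value}} in file order."""
    keys: dict[str, dict[str, object]] = {}
    current = None
    lines = text.strip().splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\"):      # hex data wraps with a trailing backslash
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        keys[current][m.group("name")] = decode_value(m.group("raw"))
    return keys


def describe(keys: dict[str, dict[str, object]]) -> list[str]:
    """One human-readable line per write: a 0 dword lifts a NoXxx policy."""
    out = []
    for path, values in keys.items():
        for name, value in values.items():
            if value is None:
                out.append(f"delete {path}\\{name}")
            elif isinstance(value, int) and value == 0:
                out.append(f"clear  {path}\\{name} (policy lifted)")
            else:
                out.append(f"set    {path}\\{name} = {value!r}")
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(REG_FIX)):
        print(line)
```

Run against the posted fix it shows the DllName bytes decode to %SystemRoot%\resources\Themes\luna\luna.msstyles, so the fix is pointing the theme manager back at the stock Luna style rather than at anything unexpected.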

#5 Craving

  • Topic Starter

  • Members
  • 3 posts

Posted 16 February 2007 - 12:28 AM

Thanks again very much, Richie. This was the first time I had ever posted to one of these forums; yet I have read through many for a long time. You and the other techs that answer here are a great asset to the internet community.

I've actually tried the above posted reg fix, but it was before getting my system clean. I will try it again! [EDIT: The reg fix still doesn't work - this really baffles me. The only thing I can think is that I used to have a specialized window theme and it somehow jacked things up...]

Edited by Craving, 16 February 2007 - 01:01 AM.


#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 16 February 2007 - 07:16 AM

Check for a driver update for your video card on the manufacturer's website.
If it's onboard graphics, check for a BIOS update on your motherboard manufacturer's website.