
Browser Redirects And Url.cpvfeeds.com


  • This topic is locked
10 replies to this topic

#1 wwooww

  • Members
  • 6 posts

Posted 03 May 2007 - 11:31 AM

I have run McAfee VirusScan and fixed all the items it suggested, then I ran Ad-Aware SE and fixed all the items it selected. I'm still getting bombarded with these sites, with 3 browsers (Opera, IE, Firefox). If anyone gets the time I sure would appreciate some help here. The rest of my system is running like a dream, so if formatting to rid this could be avoided, it would be awesome :thumbsup:

Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:06 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\setaffinity_service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\KSE\nHancer 32bit\nHancer.exe
C:\WINDOWS\system32\devldr32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16.1\RivaTuner.exe" /S
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunServices: [Microsoft] msmsger.exe
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\KSE\nHancer 32bit\nHancer.exe" /tray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5644047-5EC2-431A-BE82-9D2E23F75A14}: NameServer = 206.248.154.22 69.28.199.126
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\\setaffinity_service.exe

Edited by wwooww, 03 May 2007 - 12:03 PM.



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 May 2007 - 01:13 PM

Hello,

First of all,
The current formatting of your log makes it difficult to read, so in Notepad:
On top, click Format > uncheck Word Wrap

Then, download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 wwooww
  • Topic Starter

  • Members
  • 6 posts

Posted 03 May 2007 - 02:07 PM

Ok, here goes... HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:01:17 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\setaffinity_service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\KSE\nHancer 32bit\nHancer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16.1\RivaTuner.exe" /S
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\KSE\nHancer 32bit\nHancer.exe" /tray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\\setaffinity_service.exe

ComboFix Log:

"QuickSilver24" - 07-05-03 14:52:37 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\QuickSilver24\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\install.exe
C:\WINDOWS\system32\drivers\core.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\core
-------\LEGACY_CORE


((((((((((((((((((((((((((((((( Files Created from 2007-04-03 to 2007-05-03 ))))))))))))))))))))))))))))))))))


2007-05-03 14:09 2,236 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-03 10:33 1 --a------ C:\WINDOWS\system32\sav87312.sys
2007-05-03 10:32 1 --a------ C:\WINDOWS\system32\sav970451.sys
2007-05-03 10:32 1 --a------ C:\WINDOWS\system32\sav950231.sys
2007-05-03 10:31 <DIR> d-------- C:\temp\tn3
2007-05-03 10:30 <DIR> d-------- C:\Program Files\3Deep Space
2007-05-02 18:36 <DIR> d-------- C:\epson
2007-05-02 14:47 <DIR> d-------- C:\Program Files\Majesco Entertainment
2007-05-02 14:25 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-02 14:19 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-02 12:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MinigolfAdventures
2007-05-02 12:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-04-29 21:27 <DIR> d-------- C:\DOCUME~1\QUICKS~1\APPLIC~1\Activision
2007-04-26 18:54 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2007-04-26 18:54 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2007-04-26 18:54 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2007-04-26 18:54 285 --a------ C:\WINDOWS\EReg072.dat
2007-04-26 18:54 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2007-04-26 18:54 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2007-04-26 18:54 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2007-04-26 18:54 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2007-04-25 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-04-25 16:27 794,624 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-04-25 16:27 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-04-25 16:27 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-04-25 16:27 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-04-25 16:27 425,984 --a------ C:\WINDOWS\system32\keystone.exe
2007-04-25 16:27 311,296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-04-25 16:27 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-04-25 16:27 147,456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-04-25 16:27 1,662,976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-04-25 16:27 1,519,616 --a------ C:\WINDOWS\system32\nwiz.exe
2007-04-25 16:27 1,470,464 --a------ C:\WINDOWS\system32\nview.dll
2007-04-25 16:27 1,339,392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-04-25 16:27 1,019,904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-04-25 16:27 <DIR> d-------- C:\WINDOWS\nview
2007-04-25 16:21 <DIR> d-------- C:\Program Files\Driver Cleaner PE
2007-04-23 12:00 <DIR> d-------- C:\Program Files\Alien Shooter
2007-04-23 11:59 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-04-23 11:54 <DIR> d-------- C:\Program Files\GameHouse Games Collection
2007-04-22 16:11 <DIR> d-------- C:\Program Files\CAPCOM
2007-04-19 17:59 7,552 --a------ C:\WINDOWS\system32\drivers\enodpl.sys
2007-04-19 17:59 4,736 --a------ C:\WINDOWS\system32\drivers\tandpl.sys
2007-04-19 15:30 14,336 --a------ C:\WINDOWS\system32\drivers\amdacpi.sys
2007-04-18 23:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-18 16:06 <DIR> d-------- C:\Program Files\KSE
2007-04-18 16:06 <DIR> d-------- C:\DOCUME~1\QUICKS~1\APPLIC~1\nHancer
2007-04-17 21:29 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-04-17 21:29 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-04-17 21:29 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-04-17 21:29 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-04-17 21:29 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-04-14 12:14 21,504 --a------ C:\WINDOWS\jestertb.dll
2007-04-13 17:35 <DIR> d-------- C:\temp\bjc250Win2kXPv150
2007-04-05 20:28 569,344 --a------ C:\WINDOWS\system32\imagr5.dll
2007-04-05 20:28 544,768 --a------ C:\WINDOWS\system32\imagx5.dll
2007-04-05 20:28 38,912 --a------ C:\WINDOWS\system32\picn20.dll
2007-04-05 20:28 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll
2007-04-05 20:28 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2007-04-05 20:28 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2007-04-05 20:28 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-04-05 20:27 53,248 -ra------ C:\WINDOWS\system32\NeroCo.dll
2007-04-05 20:27 1,658,880 --------- C:\WINDOWS\UNNeroBurnRights.exe
2007-04-05 18:14 <DIR> d-------- C:\DOCUME~1\QUICKS~1\APPLIC~1\ImgBurn
2007-04-05 17:57 <DIR> d-------- C:\Program Files\ImgBurn
2007-04-04 15:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-04-04 14:57 <DIR> d-------- C:\Program Files\PowerISO
2007-04-03 18:11 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2007-04-03 18:01 928,096 --a------ C:\WINDOWS\system32\nvucode.bin


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 18:32 -------- d--h----- C:\Program Files\installshield installation information
2007-05-02 18:32 -------- d-------- C:\Program Files\epson
2007-05-02 00:18 -------- d-------- C:\Program Files\steam
2007-04-22 16:45 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-04-19 17:56 -------- d-------- C:\Program Files\ubisoft
2007-04-19 16:29 -------- d-------- C:\Program Files\opera
2007-04-19 15:52 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-04-19 15:52 -------- d-------- C:\Program Files\amd
2007-04-15 19:30 -------- d-------- C:\Program Files\wolfenstein - enemy territory
2007-04-05 20:28 -------- d-------- C:\Program Files\ahead
2007-03-30 15:43 81768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-03-28 13:40 -------- d-------- C:\Program Files\thq
2007-03-22 12:52 356352 --a------ C:\WINDOWS\system32\nvusmb.exe
2007-03-17 13:54 -------- d-------- C:\Program Files\google
2007-03-08 23:49 271360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2007-03-08 23:49 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2007-03-08 23:49 -------- d-------- C:\Program Files\ageia technologies
2007-03-06 11:39 -------- d-------- C:\Program Files\creative
2007-03-06 11:23 24 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000004-00000000-00000007-00001102-00000002-80271102}.dat
2007-03-06 11:23 24 --a------ C:\WINDOWS\system32\dvcstate-{00000004-00000000-00000007-00001102-00000002-80271102}.dat
2007-03-05 12:42 15128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-02-23 21:42 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-02-08 23:13 179 --a------ C:\WINDOWS\powerreg.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Logitech Utility"="Logi_MwX.Exe"
"WINDVDPatch"="CTHELPER.EXE"
"amd_dc_opt"="C:\\Program Files\\AMD\\Dual-Core Optimizer\\amd_dc_opt.exe"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"RivaTunerStartupDaemon"="\"C:\\Program Files\\RivaTuner v2.0 RC 16.1\\RivaTuner.exe\" /S"
"EPSON Stylus CX4600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"nHancer"="\"C:\\Program Files\\KSE\\nHancer 32bit\\nHancer.exe\" /tray"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^QuickSilver24^Start Menu^Programs^Startup^Epson all-in-one Registration.lnk]
"path"="C:\\Documents and Settings\\QuickSilver24\\Start Menu\\Programs\\Startup\\Epson all-in-one Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\Epson all-in-one Registration.lnkStartup"
"location"="Startup"
"command"="E:\\EREG\\EpsonReg.EXE /remind /language=ENU /PRNM=\"00583\"/PRIN=\"all-in-one\""
"item"="Epson all-in-one Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TrayIcon"
"hkey"="HKLM"
"command"="C:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="amd_dc_opt"
"hkey"="HKLM"
"command"="C:\\Program Files\\AMD\\Dual-Core Optimizer\\amd_dc_opt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DealioAU"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dealio\\DealioAU.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcappins"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Shared\\mcappins.exe /v=3 /cleanup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe\" /R"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTSysVol"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\Surround Mixer\\CTSysVol.exe /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_FATI9AA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9AA.EXE /P26 \"EPSON Stylus CX4600 Series\" /O6 \"USB001\" /M \"Stylus CX4600\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McUpdate"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsger"
"hkey"="HKLM"
"command"="msmsger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MpfTray"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nHancer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nHancer"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\KSE\\nHancer 32bit\\nHancer.exe\" /tray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Rundll32 P17"
"hkey"="HKLM"
"command"="Rundll32 P17.dll,P17Helper"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NVSvc"=dword:00000002
"mcupdmgr.exe"=dword:00000003
"McShield"=dword:00000002
"MpfService"=dword:00000002
"McDetect.exe"=dword:00000002
"IDriverT"=dword:00000003
"SandraTheSrv"=dword:00000003
"SandraDataSrv"=dword:00000003
"PDEngine"=dword:00000003
"PDAgent"=dword:00000003
"Creative Service for CDROM Access"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L]
Shell\AutoRun\command L:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fff8c636-ef56-11db-80e9-001731f88b40}]
Shell\AutoRun\command L:\LaunchU3.exe

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-03 14:58:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [2680]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-03 14:59:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-03 14:59

SIDE NOTE: Spyware finds 3 SmitFraud entries it cannot fix or quarantine.
I hope this is the way you wanted it m8

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 03 May 2007 - 02:33 PM

Hi,

Is there any reason why you disabled your McAfee via msconfig? How are you supposed to prevent malware if you disable your Antivirus?

Please enable all McAfee related components again.

Delete the following files:

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\sav87312.sys
C:\WINDOWS\system32\sav970451.sys
C:\WINDOWS\system32\sav950231.sys

Open Notepad and copy and paste the text in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft]

Save this as fix.reg. Choose to save as *all files and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Your HijackThis log looks clean again. Let me know in your next reply how things are now.
Normally the popups should be gone now though.

Also,

SIDE NOTE Spyware finds 3 smithfraud entries it cannot fix, or quarantine

Let me know what exact entries they are...

Edited by miekiemoes, 03 May 2007 - 02:34 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 wwooww

wwooww
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:37 AM

Posted 03 May 2007 - 03:24 PM

I did it exactly as you said and WHAMMO...like WHAMMO FIXED!!!!!

I really appreciate you sharing your expertise with me miekiemoes; sharing people are few and far between these days, good to see there are still some 'normal' people around. Over at nvnews.net I try to help everyone with their PC gaming woes. (Xaxly24 username) I did not delete those 4 files you had mentioned (reg & 3 sav files). If they need to be deleted I will delete them, but all seems well now.

One last hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:22:52 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\setaffinity_service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\KSE\nHancer 32bit\nHancer.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 16.1\RivaTuner.exe" /S
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\KSE\nHancer 32bit\nHancer.exe" /tray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5644047-5EC2-431A-BE82-9D2E23F75A14}: NameServer = 206.248.154.22 69.28.199.126
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\\setaffinity_service.exe
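The log above is read by hand: O2 lines are browser helper objects, O4 lines are Run-key autostarts, O17 is the DNS server setting and O23 lists services. As an added example (not code from this thread, from HijackThis or from BleepingComputer), here is a small Python parser that turns such lines into records and flags the ones a reviewer normally checks first: a BHO with no display name, an autostart or service running from a user-writable folder, a service with no publisher, and explicitly set DNS servers. The sample lines are copied from the log posted above; the rule set and the names `parse_log`, `analyze`, `Entry` and `Finding` are my own assumptions. A finding is a prompt to verify against what the user actually installed, not a verdict: the setaffinity service flagged below is the poster's own tool.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\KSE\nHancer 32bit\nHancer.exe" /tray
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5644047-5EC2-431A-BE82-9D2E23F75A14}: NameServer = 206.248.154.22 69.28.199.126
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: setaffinity - Unknown owner - C:\Documents and Settings\QuickSilver24\Desktop\SetAffinity\\setaffinity_service.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")
NS_RE = re.compile(r"NameServer = (.*)$")
# Folders a normal user can write to. Autostarts and services living there are
# not automatically bad (the setaffinity tool above is the user's own), but a
# reviewer wants to confirm each one.
USER_WRITABLE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\|\\Temp\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str                       # "O2", "O4", "O17", "O23", ...
    raw: str                           # the log line as written
    fields: Dict[str, object] = field(default_factory=dict)


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def parse_log(text: str) -> List[Entry]:
    """Turn the O-numbered lines of a log into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                   # process list, header lines, blanks
        section, rest = m.groups()
        entry = Entry(section, line)
        if section == "O2":
            bm = BHO_RE.match(rest)
            if bm:
                entry.fields = dict(zip(("name", "clsid", "path"), bm.groups()))
        elif section == "O4":
            rm = RUN_RE.match(rest)
            if rm:
                entry.fields = dict(zip(("hive", "key", "name", "command"), rm.groups()))
        elif section == "O17":
            nm = NS_RE.search(rest)
            if nm:
                entry.fields = {"nameservers": nm.group(1).split()}
        elif section == "O23" and rest.startswith("Service: "):
            # "Display (short) - Owner - Path"; the owner itself may contain " - ",
            # so split the path off from the right and the display name from the left.
            head, _, path = rest[len("Service: "):].rpartition(" - ")
            display, _, owner = head.partition(" - ")
            entry.fields = {"display": display, "owner": owner, "path": path}
        entries.append(entry)
    return entries


def analyze(text: str) -> List[Finding]:
    """Apply a few review rules; a finding is a prompt to verify, not a verdict."""
    findings: List[Finding] = []
    for e in parse_log(text):
        f = e.fields
        if e.section == "O2" and f.get("name") == "(no name)":
            findings.append(Finding("O2", "BHO without a display name; identify it by CLSID and file",
                                    f"{f['clsid']} {f['path']}"))
        elif e.section == "O4" and USER_WRITABLE.search(str(f.get("command", ""))):
            findings.append(Finding("O4", "autostart runs from a user-writable location",
                                    f"[{f['name']}] {f['command']}"))
        elif e.section == "O17" and f.get("nameservers"):
            findings.append(Finding("O17", "DNS servers are set explicitly; confirm they belong to your ISP",
                                    " ".join(f["nameservers"])))
        elif e.section == "O23":
            if f.get("owner") == "Unknown owner":
                findings.append(Finding("O23", "service has no publisher; verify where it came from",
                                        f"{f['display']} {f['path']}"))
            if USER_WRITABLE.search(str(f.get("path", ""))):
                findings.append(Finding("O23", "service runs from a user-writable location",
                                        f"{f['display']} {f['path']}"))
    return findings


if __name__ == "__main__":
    for fnd in analyze(SAMPLE_LOG):
        print(f"{fnd.section:4} {fnd.reason}: {fnd.detail}")
```

Run it on the sample and it reports four items: the unnamed BHO (which the path shows to be Spybot's SDHelper.dll), the two explicit DNS servers, and the setaffinity service twice (no publisher, and running from the user's Desktop). The O23 splitting assumes the path itself contains no " - "; a path like "Spybot - Search & Destroy" would need the CLSID-anchored approach used for O2 lines instead.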

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 03 May 2007 - 03:43 PM

Hi,

I did not delete those 4 files you had mentioned (reg & 3 sav files). If they need to be deleted I will delete them, but all seems well now

Yes, they need to be deleted, since they were dropped by the same malware as you were dealing with, and I suspect the next folder as well: C:\temp\tn3, since this folder appears in every ComboFix log where the user was dealing with exactly the same problems as you were.

As a sidenote, is it possible your problems started after you installed a screensaver? Because I notice in a lot of logs that this malware mainly appears after a certain screensaver was installed.

Also, I still see you didn't enable all the McAfee Antivirus components. Any reason?

#7 wwooww

wwooww
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:37 AM

Posted 03 May 2007 - 04:00 PM

Damn screensavers get me every time ...lols

Yup, that's when the proverbial bleep hit the fan. Those files are now deleted.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 03 May 2007 - 04:03 PM

You forgot to answer this question: :thumbsup:

Also, I still see you didn't enable all the McAfee Antivirus components. Any reason?

Because I am always wondering why some people disable their Antivirus....

#9 wwooww

wwooww
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:37 AM

Posted 03 May 2007 - 04:18 PM

I disabled McAfee to give me a little extra RAM for gaming; I usually remember to turn it back on and reboot.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 03 May 2007 - 04:27 PM

Yes, McAfee is a huge resource hog and can indeed be a pain when you want to play games, but if you disable it, nothing will prevent malware. Also, if you forget to enable it again, as I suspect frequently happens here, you're wide open for infection.
Normally if you just shut down McAfee from the icon in your systray, you already gain a lot of RAM to play games smoothly without disabling the services and processes all the time, because when you reboot after you disabled the services, they will stay disabled, as in this case.
So I suggest you don't disable the services while playing games, but just exit McAfee from the System tray. Then, after a reboot, McAfee will be enabled again.
Or, you can install another Antivirus instead which isn't such a resource hog as McAfee is.
A great free Antivirus I recommend is Avira. It only requires a small amount of RAM (in contrast to McAfee, which requires a lot of RAM).

Anyway,

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:37 AM

Posted 07 May 2007 - 12:05 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



