
Possible Vundo And Others


15 replies to this topic

#1 Clue
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:18 PM

Posted 16 May 2007 - 10:11 AM

Hi, I've recently had strange problems that I'm not sure what they are. VundoFix would continuously find more Vundo. Occasionally I would see Spybot (TeaTimer?) come up with an attempt to change registry settings that would persist until basically TeaTimer would crash.
Posted Image

However, I've attempted to follow directions based on other vundo problems here, and things are looking better. I'm sorry to trouble everyone here, my question is, is this malware or whatever it is, finally gone? :thumbsup:

Steps I have taken so far:
Scanned (Avira AntiVir, Ad-Aware, Spybot, SpyNoMore (removed SpyNoMore after suspecting it via the ZoneAlarm spyware checker)). All register as clean at the moment.
Removed old versions of Java; only 11 is left, as recommended by the VundoFix log (however, the log still says v3 is still there, hmm).
Ran VundoFix; it found three Vundos (as usual).
Ran ComboFix; it found various things (crashed while trying to save the log file, saying it couldn't find the file specified).
Ran HijackThis.

As of now
Everything seems to be running nicely, Tea Timer isn't coming up with any suspect attempts at changing the registry for the last hour.
My only concern, from the little knowledge I have about these malware things, is that HijackThis still shows some suspect BHOs.

I thank everyone for going out of their way to take the time to assist me on this matter :flowers:

The following reports are, in order: VundoFix, ComboFix, HijackThis.


VundoFix V6.3.23

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 09:27:04 2007-05-16

Listing files found while scanning....

C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\pmnll.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\llnmp.bak1
C:\WINDOWS\system32\llnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnll.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pmnll.dll Has been deleted!

Performing Repairs to the registry.
Done!


Combofix

"Administrator" - 2007-05-16 9:41:38 Service Pack 2
ComboFix 07-05.16.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\sstqp.dll
C:\WINDOWS\system32\vtsqn.dll
C:\WINDOWS\system32\tuvtuur.dll
C:\WINDOWS\system32\tuvurqp.dll
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\mmllm.bak1
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\pqtss.bak1
C:\WINDOWS\system32\iifcaxw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\smpi1\lb66.exe
C:\Temp\17O7\tmpTF.log
C:\WINDOWS\system32\smpi1
C:\Temp\17O7


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-16 ))))))))))))))))))))))))))))))))))


2007-05-15 15:58 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-15 15:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-15 15:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-15 14:41 6,553,600 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-05-15 14:34 0 -ra------ C:\WINDOWS\msdns.dll
2007-05-15 13:41 1,493,802 ---hs---- C:\WINDOWS\system32\xbeeg.bak1
2007-05-15 13:33 <DIR> d-------- C:\VundoFix Backups
2007-05-15 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 10:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-05-15 10:09 1,494,707 ---hs---- C:\WINDOWS\system32\ttstv.bak1
2007-05-15 09:41 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-15 09:31 677,225 --a------ C:\Temp\gorPUS.exe
2007-05-15 09:31 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-15 09:31 <DIR> d-------- C:\Temp
2007-05-13 05:37 <DIR> d-------- C:\WINDOWS\system32\bak
2007-05-09 23:37 <DIR> d-------- C:\Nano Research
2007-05-08 22:05 <DIR> d-------- C:\Program Files\Image-Line
2007-05-08 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\element5
2007-05-08 20:38 <DIR> d-------- C:\Program Files\Common Files\element5 Shared
2007-05-08 20:35 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-05-08 20:35 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\InstallAnywhere
2007-05-03 00:40 <DIR> d-------- C:\Folder For The Guest
2007-04-20 18:39 43,584 --a------ C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-20 18:39 28,352 --a------ C:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-18 23:48 <DIR> d-------- C:\=Destinta


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-16 13:54:00 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\WTablet
2007-05-16 02:54:45 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-16 01:36:05 4,756 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-15 22:16:07 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-15 20:46:57 -------- d-----w C:\Program Files\WildTangent
2007-05-15 18:19:35 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-15 14:07:58 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-03 21:13:51 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-03-28 04:09:55 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00C6482D-C502-44C8-8409-FCE54AD9C208}=C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll [2006-05-10 08:02]
{1C5852DC-91B7-41D6-BE7C-B621ED7E1E75}=C:\WINDOWS\system32\pmnll.dll []
{53707962-6F74-2D53-2644-206D7942484F}=c:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe" [2007-05-13 05:36]
"avgnt"="C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" [2007-05-13 05:36]
"BootSkin Startup Jobs"="c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" [2007-05-13 05:36]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-13 05:36]
"SoundMan"="SOUNDMAN.EXE" []
"TVTray"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 C:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" [2007-05-13 05:36]
"Zone Labs Client"="C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe" [2006-08-23 23:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2007-05-13 05:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-13 05:36]
"Fraps"="C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE" [2006-12-19 09:02]
"SpybotSD TeaTimer"="C:\Program Hearts\Hidden\Security\Anti-Ad Programs\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"XP Tools"="c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe" [2007-05-13 05:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
@=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=dword:00000001
"ForceClassicControlPanel"=dword:00000001
"NoRemoteRecursiveEvents"=dword:00000001
"MemCheckBoxInRunDlg"=dword:00000001
"DisableCAD"=dword:00000001
"NoInternetOpenWith"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoSaveSettings"=dword:00000000
"DisableCAD"=dword:00000000
"ForceCopyACLWithFile"=dword:00000001
"NoInternetOpenWith"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NosecurityTab"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=dword:00000001
"NoSharedDocuments"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NosecurityTab"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070515-162105-126
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
backup-20070515-162105-445
O20 - Winlogon Notify: sstqp - C:\WINDOWS\system32\sstqp.dll
backup-20070515-162105-638
O20 - Winlogon Notify: iifcaxw - C:\WINDOWS\SYSTEM32\iifcaxw.dll
backup-20070515-162105-115
O20 - AppInit_DLLs:
backup-20070515-162104-111
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179255533421
backup-20070515-162104-228
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
backup-20070515-162104-357
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
backup-20070515-162104-363
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
backup-20070515-162104-496
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
backup-20070515-162104-694
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
backup-20070515-162104-166
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\iifcaxw.dll
backup-20070515-162104-102
O2 - BHO: (no name) - {2BDFED74-AECC-4D82-BBD9-9647BCB988CC} - C:\WINDOWS\system32\sstqp.dll
backup-20070515-162104-769
O2 - BHO: (no name) - AutorunsDisabled - (no file)
backup-20070515-151108-995
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\iifcaxw.dll
backup-20070515-151108-212
O2 - BHO: (no name) - {2BDFED74-AECC-4D82-BBD9-9647BCB988CC} - C:\WINDOWS\system32\sstqp.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\System Restore.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-16 09:54:41
Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

scanning hidden autostart entries ...


********************************************************************

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows]
"AppInit_DLLs"=" "

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\AutorunsDisabled]
"{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AutorunsDisabled]
"msdns"="{FF0D57E6-F34A-42E9-AF09-B7A696A775E7}"

Completion time: 2007-05-16 9:54:56 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-16 09:54


--- End of File ----



Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 10:40:19 AM, on 5/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\taskmgr.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\program hearts\skyesheart 2k\avant browser\avant.exe
C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Hidden\Security\Anti-Ad Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
c:\program hearts\skyesheart 2k\firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Hearts\Hidden\Security\Anti-Ad Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: Add to AD Black List - c:\program hearts\skyesheart 2k\avant browser\AddToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
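Clue's question is whether the BHOs that remain in the HijackThis log are suspect. The script below is an added example, not code from this thread, from HijackThis or from any of the other tools named here: a small Python triage that applies the same reading a helper does to the O2, O20, O15 and R0 lines. The sample lines are copied from the logs posted above; the thresholds (a nameless BHO living in system32, a "(file missing)" or "(no file)" entry) are my heuristics, not rules HijackThis itself applies.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis and ComboFix output posted
# in this thread, mixed with two entries that should come out clean.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: sstqp - C:\WINDOWS\system32\sstqp.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section prefix, e.g. "O2"
    severity: str  # "high": remove; "review": tie to a known product or a user choice first
    line: str
    reason: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}|AutorunsDisabled) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<zone>.+?) Zone, should be (?P<expected>.+) Zone$")
R0_RE = re.compile(r"^R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = (?P<url>\S+)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means there is nothing to report."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        name, path = m["name"], m["path"]
        phantom = path.endswith("(file missing)") or path == "(no file)"
        nameless_in_system32 = name == "(no name)" and bool(SYSTEM32_RE.search(path))
        if phantom or nameless_in_system32:
            return Finding("O2", "high", line,
                           "nameless or phantom BHO: legitimate helpers carry a name and live under Program Files")
        return None
    m = O20_RE.match(line)
    if m:
        return Finding("O20", "review", line,
                       f"Winlogon Notify DLL '{m['name']}': a persistence point Vundo uses; tie it to a known product")
    m = O15_RE.match(line)
    if m:
        return Finding("O15", "review", line,
                       f"'{m['proto']}' mapped to {m['zone']} Zone instead of {m['expected']} Zone (zone protection weakened)")
    m = R0_RE.match(line)
    if m:
        return Finding("R0", "review", line, f"start page set to {m['url']}: confirm the user chose it")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the lines worth a look."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run as a script it prints five findings for the sample: the two BHO lines Clue was worried about come out "high", while the SnagIt and Java helpers are left alone because they have a name and live under Program Files; the Winlogon Notify, ProtocolDefaults and start-page lines are listed for review rather than judged automatically.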


#2 jurgenv
  • Members
  • 1,093 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:09:18 PM

Posted 17 May 2007 - 06:05 AM

* I see you are running Teatimer.
Disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If Teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Open Spybot and click on Mode, select Advanced mode.
Click Yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident.
Uncheck Resident "TeaTimer" box.
Close Spybot.
* Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal. Then please restart your computer, and post a new HijackThis log. You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot after doing this.

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the following:

C:\WINDOWS\msdns.dll
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\ttstv.bak1


Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in the following folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.

* Please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1C5852DC-91B7-41D6-BE7C-B621ED7E1E75}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\AutorunsDisabled]
"{3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AutorunsDisabled]
"msdns"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"=-
"ForceClassicControlPanel"=-
"NoRemoteRecursiveEvents"=-
"MemCheckBoxInRunDlg"=-
"DisableCAD"=-
"NoInternetOpenWith"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoSharedDocuments"=-
"ClearRecentDocsOnExit"=-
"NoInstrumentation"=-
"NoSMConfigurePrograms"=-
"NoSaveSettings"=-
"DisableCAD"=-
"ForceCopyACLWithFile"=-
"NoInternetOpenWith"=-
"NoRecentDocsHistory"=-
"NosecurityTab"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoSharedDocuments"=-
"ClearRecentDocsOnExit"=-
"NoInstrumentation"=-
"NoSMConfigurePrograms"=-
"NosecurityTab"=-


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry. After that, reboot your system and post a new HijackThis log here.
Greets Jürgenv
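The fix.reg above removes values with the `"name"=-` syntax, and the ComboFix "Reg Loading Points" dump in the first post shows the runonce values as hex(2) byte lists that are not readable as posted. The parser below is an added example, written for this thread and not part of ComboFix, HijackThis or any other tool named here: it folds the backslash continuation lines, tells deletions from sets, and decodes hex(2) (REG_EXPAND_SZ) data into the string it stores, so a fix file can be reviewed line by line before it is merged. The sample text is constructed from lines quoted in this thread (two runonce values and one policy value from the dump, then two deletions from the fix); the encoding choice follows the file header (REGEDIT4 exports store strings as ANSI bytes, "Windows Registry Editor Version 5.00" exports as UTF-16LE).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Constructed sample: values copied from the ComboFix dump in the first post,
# followed by two of the deletions from jurgenv's fix.reg.
SAMPLE_REG = r"""REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
  53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
  65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
  79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{1C5852DC-91B7-41D6-BE7C-B621ED7E1E75}"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=-
"""

# File header decides how hex(2) bytes are decoded.
HEADERS = {"REGEDIT4": "latin-1", "Windows Registry Editor Version 5.00": "utf-16-le"}
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


@dataclass
class RegEntry:
    key: str
    name: str
    action: str                              # "delete" or "set"
    data: Optional[Union[str, int]] = None   # decoded value when action == "set"


def _join_continuations(text: str) -> List[str]:
    """Fold lines that end in a backslash into the line that started them."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        out.append(pending + line)
        pending = ""
    return out


def decode_hex_string(data: str, encoding: str) -> str:
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes ending in a NUL terminator."""
    raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
    return raw.decode(encoding).split("\x00", 1)[0]


def parse_reg(text: str) -> List[RegEntry]:
    """Parse a .reg file into entries; raises on anything it does not understand."""
    lines = _join_continuations(text)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Version 5.00 header")
    encoding = HEADERS[lines[0]]
    entries, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparsed line: {line!r}")
        name = m["name"] if m["name"] is not None else "@"
        data = m["data"]
        if data == "-":
            entries.append(RegEntry(key, name, "delete"))
        elif data.startswith("hex(2):"):
            entries.append(RegEntry(key, name, "set", decode_hex_string(data, encoding)))
        elif data.startswith("dword:"):
            entries.append(RegEntry(key, name, "set", int(data[len("dword:"):], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            entries.append(RegEntry(key, name, "set", data[1:-1]))
        else:
            raise ValueError(f"unsupported data for {name!r}: {data!r}")
    return entries


def deletions(entries: List[RegEntry]) -> List[Tuple[str, str]]:
    """(key, value name) pairs the file would remove: the list to check before merging."""
    return [(e.key, e.name) for e in entries if e.action == "delete"]


if __name__ == "__main__":
    for e in parse_reg(SAMPLE_REG):
        print(f"{e.action:6} {e.key}\\{e.name}" + (f" = {e.data!r}" if e.action == "set" else ""))
```

Run as a script it prints the "nlsf" value as the cmd.exe move command it actually stores, which is the kind of thing a helper wants to see in clear text before deciding whether a runonce entry is setup leftover or something to remove; `deletions()` returns exactly the value names the fix would remove, to be compared against the ComboFix dump before the user is asked to merge the file.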


#3 Clue
  • Topic Starter
  • Members
  • 8 posts
  • OFFLINE
  • Local time:04:18 PM

Posted 17 May 2007 - 10:29 AM

Hi, thank you kindly for the response!

I have followed the directions you've posted. Here is the HijackThis log after completing the DelDomains step only, as described in the steps, just in case :thumbsup:
The latest HijackThis log is below.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:41 AM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Hearts\Hidden\Security\Anti-Ad Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Move it log
LoadLibrary failed for C:\WINDOWS\msdns.dll
C:\WINDOWS\msdns.dll NOT unregistered.
C:\WINDOWS\msdns.dll moved successfully.
C:\WINDOWS\system32\xbeeg.bak1 moved successfully.
C:\WINDOWS\system32\ttstv.bak1 moved successfully.

Created on 05/17/2007 11:13:41


And the latest HijackThis log after all the steps were completed

Logfile of HijackThis v1.99.1
Scan saved at 11:19:29 AM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\Explorer.exe
c:\program hearts\skyesheart 2k\avant browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Hearts\Hidden\Security\Anti-Ad Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: Add to AD Black List - c:\program hearts\skyesheart 2k\avant browser\AddToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thanks again :flowers:

#4 jurgenv

jurgenv

  • Members
  • 1,093 posts
  • Gender:Male
  • Location:Belgium

Posted 17 May 2007 - 10:40 AM

You didn't disable TeaTimer, so everything is undone by TeaTimer...

So disable it and do all steps again. :thumbsup:
Greets Jürgenv

Donation: Click me.

#5 Clue

Clue
  • Topic Starter
  • Members
  • 8 posts

Posted 17 May 2007 - 12:15 PM

Boo at Tea Timer! I had unchecked the Resident in the main Tools right column without realizing its use was just to make reports. I have now found the correct box to disable it ... hopefully. Sorry :D



Directly after Deldomains HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 1:04:15 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program hearts\skyesheart 2k\avant browser\avant.exe
C:\WINDOWS\Explorer.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: Add to AD Black List - c:\program hearts\skyesheart 2k\avant browser\AddToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Move It Log
File/Folder C:\WINDOWS\msdns.dll not found.
File/Folder C:\WINDOWS\system32\xbeeg.bak1 not found.
File/Folder C:\WINDOWS\system32\ttstv.bak1 not found.

Created on 05/17/2007 13:05:10


Final HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:05:57 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program hearts\skyesheart 2k\avant browser\avant.exe
C:\WINDOWS\Explorer.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: Add to AD Black List - c:\program hearts\skyesheart 2k\avant browser\AddToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6 jurgenv

Posted 17 May 2007 - 12:17 PM

* Please open hijackthis and put a check next to the following:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, restart your computer and post a new hijackthis log here.
Greets Jürgenv

Donation: Click me.
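A way to check the step above mechanically, as an added example that is not part of this thread or of HijackThis itself: a short Python script that pulls the O2/O15/O20 entries out of a HijackThis log, flags the two classes jurgenv asked to be fixed (BHOs whose DLL is no longer on disk, and protocols HijackThis reports in the wrong zone), and then compares a "before" and "after" log to show which flagged entries survived Fix Checked and a reboot. The sample logs are constructed from the entries visible in this thread, cut down to the relevant lines. The section codes and the "(file missing)" / "should be ... Zone" wording are HijackThis v1.99.1's own output format; the function names and the extra AppInit_DLLs check are the example's own choices, not anything the thread or the tool prescribes.

```python
import re
from dataclasses import dataclass

# HijackThis entry lines start with a section code (R0, O2, O15, O23, ...)
# followed by " - ". Header lines and the 'Running processes' block do not.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "O15"
    body: str  # rest of the line, as HijackThis printed it


def parse_hjt(text: str) -> list[Entry]:
    """Extract scan entries from a HijackThis log; everything else is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Return (reason, entry) pairs for the entry classes this thread fixes,
    in log order."""
    flagged = []
    for e in entries:
        if e.kind == "O2" and ("(file missing)" in e.body or "(no file)" in e.body):
            # BHO CLSID still registered but no DLL on disk: a leftover of a
            # removed infection or a disabled stub, dead weight either way.
            flagged.append(("orphan BHO", e))
        elif e.kind == "O15" and "ProtocolDefaults" in e.body and "should be" in e.body:
            # A protocol mapped to the My Computer zone runs remote content
            # with local-machine trust; HijackThis names the zone it belongs in.
            flagged.append(("protocol in wrong zone", e))
        elif e.kind == "O20" and e.body.strip() != "AppInit_DLLs:":
            # Assumption of this example, not something asked for in the
            # thread: a non-empty AppInit_DLLs loads a DLL into every
            # user-mode process, so it is worth a look whenever it is set.
            flagged.append(("AppInit_DLLs set", e))
    return flagged


def persisted(before: str, after: str) -> list[tuple[str, Entry]]:
    """Flagged entries from `before` that are still present verbatim in
    `after`, i.e. the ones Fix Checked did not get rid of."""
    after_set = set(parse_hjt(after))
    return [(reason, e) for reason, e in flag_entries(parse_hjt(before))
            if e in after_set]


# Constructed sample input: the relevant lines from the logs posted in this
# thread, reduced to the entries the example is about.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - C:\WINDOWS\system32\pmnll.dll (file missing)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O20 - AppInit_DLLs:
"""

# Same machine after Fix Checked and a reboot: the two orphan BHOs are gone,
# the five O15 lines are back.
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O20 - AppInit_DLLs:
"""

if __name__ == "__main__":
    for reason, e in flag_entries(parse_hjt(BEFORE_LOG)):
        print(f"flagged [{reason}]: {e.kind} - {e.body}")
    for reason, e in persisted(BEFORE_LOG, AFTER_LOG):
        print(f"still present after fix [{reason}]: {e.kind} - {e.body}")
```

Run against the two real logs, the script reports only which flagged entries came back, not why. When the O15 lines return after a reboot, as they do in the log posted after this step, something is either reverting the registry change (TeaTimer was the suspect earlier in the thread) or re-creating the ProtocolDefaults values, and that is the point at which a helper usually asks for a different tool's log rather than another HijackThis fix.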

#7 Clue

Posted 17 May 2007 - 12:46 PM

After the fixes and restart, here is my latest HijackThis log :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:21 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#8 jurgenv


Posted 17 May 2007 - 12:49 PM

Hmm, can I see a new combofix log?
Greets Jürgenv

#9 Clue


Posted 17 May 2007 - 01:26 PM

Around the time of it making the log, I noticed a program named cf12430.exe or so had crashed. Thanks for the continued help :thumbsup:

ComboFix 07-05.16.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-17 ))))))))))))))))))))))))))))))))))


2007-05-16 09:54 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-15 15:58 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-05-15 15:57 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-05-15 15:56 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-15 14:41 6,553,600 --a------ C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-05-15 13:33 <DIR> d-------- C:\VundoFix Backups
2007-05-15 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-15 10:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-05-15 09:41 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-05-15 09:31 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-13 05:37 <DIR> d-------- C:\WINDOWS\system32\bak
2007-05-09 23:37 <DIR> d-------- C:\Nano Research
2007-05-08 22:05 <DIR> d-------- C:\Program Files\Image-Line
2007-05-08 20:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\element5
2007-05-08 20:38 <DIR> d-------- C:\Program Files\Common Files\element5 Shared
2007-05-08 20:35 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-05-08 20:35 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\InstallAnywhere
2007-05-03 00:40 <DIR> d-------- C:\Folder For The Guest
2007-04-20 18:39 43,584 --a------ C:\WINDOWS\system32\drivers\avipbb.sys
2007-04-20 18:39 28,352 --a------ C:\WINDOWS\system32\drivers\ssmdrv.sys
2007-04-18 23:48 <DIR> d-------- C:\=Destinta


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-17 18:06:44 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\WTablet
2007-05-17 17:58:25 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-17 17:58:09 4,756 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-15 22:16:07 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-05-15 20:46:57 -------- d-----w C:\Program Files\WildTangent
2007-05-15 18:19:35 1,324 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-15 14:07:58 -------- d-----w C:\Program Files\Common Files\ODBC
2007-05-03 21:13:51 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-03-28 04:09:55 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2007-03-15 16:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll
2007-03-15 16:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00C6482D-C502-44C8-8409-FCE54AD9C208}=C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll [2006-05-10 08:02]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe" [2007-05-13 05:36]
"avgnt"="C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" [2007-05-13 05:36]
"BootSkin Startup Jobs"="c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" [2007-05-13 05:36]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-05-13 05:36]
"SoundMan"="SOUNDMAN.EXE" []
"TVTray"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43]
"nwiz"="nwiz.exe" [2006-08-11 21:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 C:\WINDOWS\system32\nvmctray.dll]
"QuickTime Task"="c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" [2007-05-13 05:36]
"Zone Labs Client"="C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe" [2006-08-23 23:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-13 05:36]
"Fraps"="C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE" [2006-12-19 09:02]
"XP Tools"="c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe" [2007-05-13 05:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
@=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\System Restore.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 14:12:33
Windows 5.1.2600 Service Pack 2

scanning hidden processes ...

scanning hidden autostart entries ...


********************************************************************

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows]
"AppInit_DLLs"=" "

Completion time: 2007-05-17 14:12:45
C:\ComboFix-quarantined-files.txt ... 2007-05-17 14:12
C:\ComboFix2.txt ... 2007-05-16 09:54


--- End of File ----

#10 jurgenv


Posted 17 May 2007 - 02:12 PM

Please run Notepad and paste the following text into a new file:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"file"=dword:00000003
"ftp"=dword:00000003
"http"=dword:00000003
"https"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"@ivt"=dword:00000001
"file"=dword:00000003
"ftp"=dword:00000003
"http"=dword:00000003
"https"=dword:00000003


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

* After that, reboot your system and post a new hijackthis log here.
Greets Jürgenv

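To make the zone check behind jurgenv's fix.reg mechanical, here is an added Python example (not code from the thread, from HijackThis or from ComboFix): it parses a .reg export of the ZoneMap\ProtocolDefaults key, reports any protocol mapped to the wrong URL security zone in the wording HijackThis uses for its O15 lines, and writes out the corrective REGEDIT4 text for both hives. The sample export is constructed to mirror the pre-fix state in the log above; zone ids follow the standard IE numbering (0 = My Computer, 1 = Local Intranet, 3 = Internet), and the key paths are the ones in the posted fix.reg.

```python
"""Audit IE ZoneMap\\ProtocolDefaults values and build a corrective fix.reg.
Added example, not code from the thread or from HijackThis/ComboFix."""
import re

# URL security zone ids used by the ZoneMap (standard IE numbering), with the
# names HijackThis prints in its O15 lines.
ZONE_NAMES = {0: "My Computer Zone", 1: "Intranet Zone", 2: "Trusted Zone",
              3: "Internet Zone", 4: "Restricted Zone"}

# Expected defaults, the same values the posted fix.reg writes:
# @ivt -> Local Intranet (1), everything else -> Internet (3).
EXPECTED_DEFAULTS = {"@ivt": 1, "file": 3, "ftp": 3, "http": 3, "https": 3}

# Key paths taken from the posted fix.reg.
HKLM_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\ZoneMap\ProtocolDefaults")
HKCU_KEY = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\ZoneMap\ProtocolDefaults")

# Constructed export mirroring the pre-fix HijackThis log: every protocol is
# mapped to zone 0 (My Computer), the most permissive zone.
SAMPLE_EXPORT = "REGEDIT4\n\n[" + HKLM_KEY + "]\n" + "\n".join(
    '"%s"=dword:00000000' % p for p in EXPECTED_DEFAULTS) + "\n"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            result[current][val.group(1)] = int(val.group(2), 16)
    return result


def audit_protocol_defaults(values):
    """Report each stored protocol whose zone differs from the expected default.
    Protocols absent from the key are skipped: there is no stored value to compare."""
    findings = []
    for proto, expected in EXPECTED_DEFAULTS.items():
        if proto in values and values[proto] != expected:
            actual = values[proto]
            findings.append(
                "O15 - ProtocolDefaults: '%s' protocol is in %s, should be %s"
                % (proto, ZONE_NAMES.get(actual, "zone %d" % actual),
                   ZONE_NAMES[expected]))
    return findings


def build_fix_reg(key_paths):
    """Emit REGEDIT4 text that resets ProtocolDefaults under each given key."""
    lines = ["REGEDIT4", ""]
    for key in key_paths:
        lines.append("[%s]" % key)
        lines.extend('"%s"=dword:%08x' % (p, z) for p, z in EXPECTED_DEFAULTS.items())
        lines.append("")
    return "\n".join(lines)


def run_sample():
    """Audit the constructed export, then confirm the generated fix audits clean."""
    before = audit_protocol_defaults(parse_reg_export(SAMPLE_EXPORT)[HKLM_KEY])
    fix = build_fix_reg([HKLM_KEY, HKCU_KEY])
    after = audit_protocol_defaults(parse_reg_export(fix)[HKLM_KEY])
    return before, fix, after


if __name__ == "__main__":
    before, fix, after = run_sample()
    print("\n".join(before) or "no O15 findings")
    print(fix)
    print("findings after fix:", len(after))
```

On a live machine the input would come from `reg export` of the two keys; the script itself only reads text, so it can be run against exports collected from the affected system.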

#11 Clue


Posted 17 May 2007 - 02:59 PM

After the registry entries and reboot

Logfile of HijackThis v1.99.1
Scan saved at 3:53:24 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 jurgenv


Posted 17 May 2007 - 03:01 PM

* Please open hijackthis and put a check next to the following:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {1C5852DC-91B7-41D6-BE7C-B621ED7E1E75} - (no file)


* After you check the items you want to fix, close all browsers and windows, except for HijackThis, then click on the Fix Checked button on HijackThis.

* After that, post a new hijackthis log here.
Greets Jürgenv

#13 Clue


Posted 17 May 2007 - 03:32 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:27:31 PM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpCore.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpBar.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpDesk.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTray.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpTask.exe
C:\Program Hearts\Great Library Tamers\Appearance\SharpE\SharpVWM.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\great library tamers\appearance\sharpe\sharpmenu.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
c:\program hearts\hidden\security\firewalls\zone alarm\zlclient.exe
c:\program files\java\jre1.6.0_01\bin\jusched.exe
c:\program hearts\program additions\=destinta\of the dream world\fraps.exe
c:\program hearts\skyesheart 2k\cd programs\of image heart\image heart\daemon.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Ready To Go Setups\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://omfghugebelt.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\Hidden\Security\ANTI-A~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Hearts\Storybooke Creation\Saga Creators\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Hearts\Hidden\Managing The Yellow Reflection\3800+ XP Dual Core Processor\amd_dc_opt.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "c:\program hearts\great library tamers\appearance\bootskin\bootskin.exe" /StartupJobs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "c:\program hearts\hidden\codecs\quicktime alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Hearts\Hidden\Security\Firewalls\Zone Alarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Fraps] C:\Program Hearts\Program Additions\=Destinta\Of The Dream World\FRAPS.EXE
O4 - HKCU\..\Run: [XP Tools] c:\program hearts\hidden\managing the yellow reflection\xp tools\xptools.exe
O4 - Startup: daemon.exe.lnk = C:\Program Hearts\Skyesheart 2k\CD Programs\Of Image Heart\Image Heart\daemon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\STORYB~2\WRITTE~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program hearts\instant messangers\aim\aim.exe
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Hearts\Hidden\Security\Anti-Virus Programs\Anti-Vir\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Hearts\Art\3d Programs\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NBService - Nero AG - C:\Program Hearts\Skyesheart 2k\CD Programs\Of Burning\Burning Capella\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14 jurgenv


Posted 17 May 2007 - 03:33 PM

Looking good, how is everything working?
Greets Jürgenv

#15 Clue


Posted 17 May 2007 - 03:55 PM

Running noticeably smoother than before, back when I had whatever this was. I'll remember you when I do get a credit card for PayPal. I would like to donate something, albeit probably petty. That was very kind. Best wishes :thumbsup:
