Project1 and others simultaneously - Geeks to Go Forums


Project1 and others simultaneously lots of problems.

#1 feedkillchain

  • Group: Member
  • Posts: 4
  • Joined: 04-August 06

Posted 04 August 2006 - 01:18 AM

I clicked a link on a website a few hours ago and then... BAM! 8000 pop ups, slow connection, project1 running in my task manager, dll errors, all kinds of nifty stuff going on. I ran adaware, cleanup, CWShredder, search & destroy, and whatever else I had available, went to add/remove programs in my Control Panel and removed all suspicious software. Things are running a little better now, but I'm still having major popup problems... can somebody help pleaaase? Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:08:46 AM, on 8/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\hgxbog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\xpofo.exe
C:\WINDOWS\System32\xpofo.exe
C:\WINDOWS\System32\xpofo.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\{E47B7AAE-08DA-1033-0618-020621020001}\Update.exe
C:\PROGRA~1\SCURIT~1\WNWORD~1.EXE
C:\PROGRA~1\COMMON~1\mkzr\mkzrm.exe
C:\PROGRA~1\COMMON~1\DOBE~1\nslookup.exe
C:\PROGRA~1\COMMON~1\mkzr\mkzra.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Rev. Cody C. Gaisser\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R3 - URLSearchHook: (no name) - _{B51B6169-A3EC-FD29-2394-CE3D37E387AA} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xpofo.exe
F2 - REG:system.ini: UserInit=userinit.exe,ikvjyms.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hwcsof] C:\WINDOWS\System32\hgxbog.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Bdkebbhr] C:\PROGRA~1\SCURIT~1\WNWORD~1.EXE
O4 - HKCU\..\Run: [dtiup] C:\WINDOWS\System32\hgxbog.exe reg_run
O4 - HKCU\..\Run: [mkzr] C:\PROGRA~1\COMMON~1\mkzr\mkzrm.exe
O4 - HKCU\..\Run: [Rcsh] "C:\PROGRA~1\COMMON~1\DOBE~1\nslookup.exe" -vt yazr
O4 - Global Startup: anjcu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesunex.mht!http://adsextend.net/zscript/pre.chm::/pre.exe
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!http://adsextend.net/zscript/yea.chm::/recife.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D98341F-B6FA-4A0C-8D33-7AC87A21A265}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CA701BB-3DE9-4D3A-AD79-9BF0B8885EE5}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B789F91-2CFC-41A0-A61C-E867E1FF036E}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C41FCE6-D00E-44BD-8617-D3E5268F855C}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5DB684-6596-4416-9866-53089141A6BC}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{D145C637-5DE8-4AAA-A77B-4763C4CE05AC}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA25A650-D304-417F-A316-34D22BB45F8A}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - AppInit_DLLs: attrib.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2 feedkillchain

  • Group: Member
  • Posts: 4
  • Joined: 04-August 06

Posted 04 August 2006 - 01:24 AM

Oh yes, I also went into my Windows directory and deleted any subfolders created since yesterday (as I have not done anything major on my system since then or added any significant software)... Since then I haven't had Project1 showing in my Task Manager, but I've read reports where that program will disappear for a couple of hours and come back... so I'm kind of skeptical. My computer's been off for the last couple of hours and I only messed with trying to fix it for about an hour after I encountered the problems before getting frustrated and turning it off... and I'm not familiar with how to read a HijackThis log... so if anyone can help me clear this garbage off... Also of note, Adaware came back with MANY MANY MANY problems (in excess of 300 files on the first scan) and couldn't delete about 10 of them... So I'm not sure what exactly has happened. I know I had SurfSidekick, the Toolbar888 hijacker, Project1 virus, and a lot of popups coming from uskyOnline... which were blank and would lock up my computer... I didn't get them on this boot up, but I did last time and I haven't made any changes since then.... so????

#3 feedkillchain

  • Group: Member
  • Posts: 4
  • Joined: 04-August 06

Posted 04 August 2006 - 05:45 AM

In the downtime I've run adaware (it locks up during scanning), Spybot S&D (does the same), ewido (crashes during scan), and cleanup! several times (deletes massive amounts of temp files every run). Rebooted in Safe Mode... adaware makes it through the scan, then locks up during deletion... spybot scans and deletes most offenders, but cannot delete certain files - suggests running on reboot... when I do this it returns MORE files, and deletes everything but the ones it couldn't delete in the first place. Ewido still crashes in safe mode when running a full scan, but I've found if I isolate a block of files and send them to Ewido for scanning it will scan them, and then attempt to delete the offensive files to varying results. I've got multiple copies of a process called XPOFO.EXE running in regular and safe modes... don't know if this is something normal or not (I'm not the most skilled at this) but the weird name and multiple copies made me suspicious, and I tracked down some related files in my SYSTEM32 folder. I can't end the process and when I delete the file and related files, some won't delete and others just come back in a few minutes... Once again I don't know if this is an offensive file or not... need help there. Finally flustered to the point of doing things out of my league and just seeing what happens, I decided to delete every file or directory in my WINDOWS and WINDOWS\SYSTEM32 directory that was created in the last 2 days. Not much seemed to be affected as far as computer performance. A few of the files either came back or wouldn't delete. Some of these files and folders had "PROJECT" in the title...

GOOD NEWS: I HAVEN'T SEEN PROJECT1 IN A GOOD WHILE.

BAD NEWS: Here's the lowdown on what happens in windows (running normal mode). Massive, massive amount of popups... Constant barrage. My browser is constantly being taken over by new toolbars, and shady-looking antivirus programs keep trying to install themselves. If I go to START > MY COMPUTER, it has an error and shuts down. If I go to START > SEARCH and run a search, after a few seconds it has an error and shuts down. Some of the popups actually close out whatever browser window I have open.... conversely I've typed the first half of this post about 5 times, and I'm SHOCKED I've made it this far.... I also keep deleting these freakin' POKER and TAGASAURUS icons off my desktop (at one point in Safe Mode I actually tracked down the files for TAGASAURUS and deleted them....) and they keep coming back. I bumped up my IE security from medium to high, although I don't think that's part of the issue at this juncture. Occasionally I get this HGXBOG.EXE running in my processes as well as a MKZRA.EXE, and I don't know if these are normal.... but the HGXBOG.EXE was in the same folder and created around the same time as the XPOFO.EXE. I deleted it and it returned almost immediately. Oh great, now I've got a CCZoop05.exe running... which doesn't look normal to me. Funk this, I'm going to post before my browser gets closed and repost with a current HijackThis log.

#4 feedkillchain

  • Group: Member
  • Posts: 4
  • Joined: 04-August 06

Posted 04 August 2006 - 05:47 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:44:34 AM, on 8/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\hgxbog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\xpofo.exe
C:\WINDOWS\System32\xpofo.exe
C:\WINDOWS\System32\xpofo.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\CCZoop05.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\v1201.exe
C:\Program Files\Common Files\{E47B7AAE-08DA-1033-0618-020621020001}\Update.exe
C:\PROGRA~1\COMMON~1\mkzr\mkzrm.exe
C:\PROGRA~1\COMMON~1\DOBE~1\nslookup.exe
C:\PROGRA~1\COMMON~1\mkzr\mkzra.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rev. Cody C. Gaisser\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R3 - URLSearchHook: (no name) - _{B51B6169-A3EC-FD29-2394-CE3D37E387AA} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xpofo.exe
F2 - REG:system.ini: UserInit=userinit.exe,ikvjyms.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {4072CF4E-7FD7-9ED7-C59E-2EEA7F358CCE} - C:\WINDOWS\jnvrjnim.dll
O2 - BHO: Vdrw Class - {8711CF54-E9C5-4DB4-9B9F-7D67393CC771} - C:\WINDOWS\System32\vf1v62x.dll (file missing)
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O2 - BHO: (no name) - {9BB90E1D-EB88-4877-93CE-EA85BA2E1455} - C:\Program Files\Messenger\hovemawen.dll
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\System32\xeymi.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [epy9J] "C:\WINDOWS\System32\l3jdfs.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [hwcsof] C:\WINDOWS\System32\hgxbog.exe reg_run
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [Bdkebbhr] C:\PROGRA~1\SCURIT~1\WNWORD~1.EXE
O4 - HKCU\..\Run: [dtiup] C:\WINDOWS\System32\hgxbog.exe reg_run
O4 - HKCU\..\Run: [mkzr] C:\PROGRA~1\COMMON~1\mkzr\mkzrm.exe
O4 - HKCU\..\Run: [Rcsh] "C:\PROGRA~1\COMMON~1\DOBE~1\nslookup.exe" -vt yazr
O4 - Global Startup: anjcu.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {42B1C70D-9823-41F7-810A-682DA294D868} - ms-its:mhtml:file://c:\nesunee.mht!http://adsextend.net/zscript/yea.chm::/recife.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adsextend.net/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D98341F-B6FA-4A0C-8D33-7AC87A21A265}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CA701BB-3DE9-4D3A-AD79-9BF0B8885EE5}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B789F91-2CFC-41A0-A61C-E867E1FF036E}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C41FCE6-D00E-44BD-8617-D3E5268F855C}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA5DB684-6596-4416-9866-53089141A6BC}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{D145C637-5DE8-4AAA-A77B-4763C4CE05AC}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA25A650-D304-417F-A316-34D22BB45F8A}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E775D7A-C40C-4B98-82E6-E0D620286F58}: NameServer = 85.255.115.77,85.255.112.159
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {D5BA18F2-FF61-465F-831D-A6850B94FC01} - C:\WINDOWS\System32\vf1v62x.dll
O20 - AppInit_DLLs: attrib.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

------
That was my log. I also keep getting hiddendll in CWShredder, but I read somewhere that sometimes that's a false positive... but I just wanted to add that in case that's useful in any way.
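As an added example (not part of this thread, and not a feature of HijackThis itself): a small Python triage script for the log format posted above. It flags the entry classes a log helper reads first in a log like this one, the F2 system.ini Shell=/UserInit= chains, O15 Trusted Zone additions, O17 hard-coded DNS servers and O20 AppInit_DLLs, and lets benign entries through. The sample lines are copied from the poster's log; the expected-value table and the DNS allowlist parameter are my assumptions.

```python
import ipaddress
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xpofo.exe
F2 - REG:system.ini: UserInit=userinit.exe,ikvjyms.exe
O15 - Trusted Zone: *.adsextend.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.77 85.255.112.159
O20 - AppInit_DLLs: attrib.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Assumed clean values for the system.ini Shell= and UserInit= lines on Windows XP.
EXPECTED_F2 = {"shell": ["explorer.exe"], "userinit": ["userinit.exe"]}

def _base(path):
    """File name only, splitting on Windows backslashes even when run on Linux."""
    return path.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()

def _is_local_resolver(addr, allowlist):
    """True for loopback/RFC 1918 addresses or anything the caller allowlisted."""
    try:
        return addr in allowlist or ipaddress.ip_address(addr).is_private
    except ValueError:  # not an IP literal at all
        return False

def triage_entry(kind, body, dns_allowlist=()):
    """Return a reason string when an entry deserves a closer look, else None."""
    payload = body.split(": ", 1)[-1]
    if kind == "F2":
        setting, _, value = payload.partition("=")
        progs = [_base(p) for p in value.split(",") if p.strip()]
        want = EXPECTED_F2.get(setting.strip().lower())
        if want is not None and progs != want:
            extra = [p for p in progs if p not in want]
            return f"{setting}= chains extra program(s) {extra} into logon"
    elif kind == "O15":
        # Trusted Zone entries relax IE security for that site; wildcard hosts are rarely legitimate.
        return "site added to IE Trusted Zone: " + payload
    elif kind == "O17":
        servers = re.split(r"[ ,]+", payload.split("=", 1)[-1].strip())
        foreign = [s for s in servers if not _is_local_resolver(s, dns_allowlist)]
        if foreign:
            return f"DNS hard-coded to non-local resolver(s) {foreign}"
    elif kind == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll; normally empty.
        return "AppInit_DLLs is set: " + payload
    return None

def triage_log(text, dns_allowlist=()):
    """Run triage over a whole log; returns [(kind, reason), ...] in log order."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        reason = triage_entry(m.group(1), m.group(2), dns_allowlist)
        if reason:
            findings.append((m.group(1), reason))
    return findings
```

Pass the resolvers your ISP or DHCP server actually hands out as `dns_allowlist` so only unexpected public servers are reported.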