
Can't run Hijack This & other recommended software



#1 felipao (Member, 23 posts)

Hello,

First of all, thank you for accepting me and for keeping this amazing site. I am having serious problems with viruses/malware and would like some advice. I tried to do the steps mentioned in the topic "You Must Read This Before Posting A Hijackthis Log, Required steps before posting your log", but I wasn't able to do many of them. I am getting tons of pop-ups, and my PC is extremely slow. I tried to use many spyware removal programs, but none seem to work. Below is a brief description of the troubles I am having:

CleanUp!: Installed and ran with no problems; it freed 2.8 GB!

Ad-aware SE: I updated the definitions and scanned, but in the middle of the process explorer.exe rebooted. Ad-aware kept running and found some problems. It cleaned some of them but wasn't able to clean everything. It asked to reboot, and when Windows started nothing came up.

CWShredder: The installation process was mysteriously closed.

Spybot S&D: I had it installed on my computer but can't open it.

Ewido Anti-Malware: The installation process was mysteriously closed.

Trend Housecall: Internet Explorer was mysteriously closed.

AVG: I had it installed on my computer but couldn't open it.

TrojanHunter: The installation process was mysteriously closed.

Windows Update: The computer was mysteriously rebooted during the Service Pack 4 (Windows 2000) update.

HijackThis: Installed fine, but it opens the first screen for a few seconds and then it is mysteriously closed.


I tried doing these steps in Safe Mode, but the same problems would occur. I can surf the web normally on most websites, but my Internet Explorer will just close when navigating to Geeks to Go, Symantec, Ewido, etc.

Is there any hope in my case?

Thank you very much in advance

Felipe S

#2 loophole (Malware Expert, Retired Staff, 9,798 posts)

Hi there

I'm not promising anything, but I'll give it a go :whistling:

Please download ComboFix and save it to your desktop.

Double-click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please go ahead and post that log.
Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next


Download WinPFind

Extract WinPFind.zip to your c:\ folder.

Reboot your computer into Safe Mode

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed.


Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

Edited by loophole, 14 September 2006 - 09:18 PM.


#3 felipao (Topic Starter, Member, 23 posts)

Hello loophole!
Thank you very much for trying to help. I am sure we will fix the problem. Anyway, below are the two logs you required, ComboFix and WinPFind:

ComboFix:

Felipe - Fri 15/09/2006 14:55:57.43 Service Pack 4
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Felipe .GLOBAL\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\CLSID\{463B30D1-B6E1-4D67-A0B6-EF98DECFE3DB}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{463B30D1-B6E1-4D67-A0B6-EF98DECFE3DB}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{463B30D1-B6E1-4D67-A0B6-EF98DECFE3DB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{463B30D1-B6E1-4D67-A0B6-EF98DECFE3DB}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{D92EC297-3913-4406-92CF-4426C32B2442}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D92EC297-3913-4406-92CF-4426C32B2442}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D92EC297-3913-4406-92CF-4426C32B2442}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D92EC297-3913-4406-92CF-4426C32B2442}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A8307608-9367-4171-B41E-B904A38E1111}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8307608-9367-4171-B41E-B904A38E1111}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8307608-9367-4171-B41E-B904A38E1111}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{A8307608-9367-4171-B41E-B904A38E1111}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{2F217C8E-A26C-46AD-9B37-965B7CEBEBDD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F217C8E-A26C-46AD-9B37-965B7CEBEBDD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F217C8E-A26C-46AD-9B37-965B7CEBEBDD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2F217C8E-A26C-46AD-9B37-965B7CEBEBDD}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{47207841-3C27-4376-80E8-A8C286D917CA}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47207841-3C27-4376-80E8-A8C286D917CA}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47207841-3C27-4376-80E8-A8C286D917CA}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{47207841-3C27-4376-80E8-A8C286D917CA}\InprocServer32]
@="blank"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{9B8B8E6E-F885-4BFA-94F8-945D19918B15}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B8B8E6E-F885-4BFA-94F8-945D19918B15}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B8B8E6E-F885-4BFA-94F8-945D19918B15}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{9B8B8E6E-F885-4BFA-94F8-945D19918B15}\InprocServer32]
@="C:\\WINNT\\system32\\nsdskcc.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{B34434D5-C6FF-425F-8B80-4E4DC6B5C33F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B34434D5-C6FF-425F-8B80-4E4DC6B5C33F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B34434D5-C6FF-425F-8B80-4E4DC6B5C33F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{B34434D5-C6FF-425F-8B80-4E4DC6B5C33F}\InprocServer32]
@="C:\\WINNT\\system32\\wnpcore.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{DB22D5B1-1274-40C2-8CD1-C81E749AA4AD}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB22D5B1-1274-40C2-8CD1-C81E749AA4AD}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB22D5B1-1274-40C2-8CD1-C81E749AA4AD}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DB22D5B1-1274-40C2-8CD1-C81E749AA4AD}\InprocServer32]
@="C:\\WINNT\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{15331117-471D-458D-9607-C47FE2478710}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{15331117-471D-458D-9607-C47FE2478710}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{15331117-471D-458D-9607-C47FE2478710}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{15331117-471D-458D-9607-C47FE2478710}\InprocServer32]
@="C:\\WINNT\\system32\\iGshlpr.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINNT\system32\biowselc.dll
C:\WINNT\system32\hr4205hoe.dll
C:\WINNT\system32\i6240gfqe62e0.dll
C:\WINNT\system32\p6n8lg5u16.dll
C:\WINNT\system32\pch.dll
C:\WINNT\system32\sutupdll.dll
C:\WINNT\system32\trbyuv.dll
C:\WINNT\system32\UWTFS.DLL


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndrff_17.exe
C:\dfndrff_18.exe
C:\dfndrff_e.exe
C:\dfndrff_e1.exe
C:\dfndrff_e2.exe
C:\dfndrff_e3.exe
C:\deskbar3.exe
C:\kybrdff_18.exe
C:\Documents and Settings\Felipe .GLOBAL\Local Settings\Temporary Internet Files\Content.IE5\09WLE56N\dfndrff_e[1].exe
C:\WINNT\system32\dwdsregt.exe
C:\WINNT\offun.exe
C:\Program Files\Deskbar
C:\Program Files\Common Files\{3C9CAC2C-072D-1033-1128-030312220002}


((((((((((((((((((((((((((((((( Files Created from 2006-08-15 to 2006-09-15 ))))))))))))))))))))))))))))))))))


2006-09-15 00:53 235,832 -r--s---- C:\WINNT\system32\n8n6li5s18.dll
2006-09-15 00:53 234,174 -r--s---- C:\WINNT\system32\iGshlpr.dll
2006-09-15 00:19 233,826 -r--s---- C:\WINNT\system32\rxched20.dll
2006-09-14 21:05 556,864 -r-hs---- C:\WINNT\akkpsatA.exe
2006-09-14 21:05 430,592 --a------ C:\912_121.exe
2006-09-13 21:15 159,232 --ahs---- C:\WINNT\system32\wgareg.exe
2006-09-13 20:49 194,048 --a------ C:\WINNT\system32\54887_netapi.exe
2006-09-13 20:45 159,232 --ahs---- C:\WINNT\system32\.exe
2006-09-13 20:09 20,480 --a------ C:\mscts.exe
2006-09-13 20:04 20,480 --a------ C:\msct.exe
2006-09-12 21:17 1,386,496 --a------ C:\WINNT\system32\msvbvm60.dll
2006-09-12 20:46 194,048 --a------ C:\WINNT\system32\50531_netapi.exe
2006-09-12 20:23 831,760 --a------ C:\WINNT\system32\mswdat10.dll
2006-09-12 20:23 614,672 --a------ C:\WINNT\system32\mswstr10.dll
2006-09-12 20:23 6,416 -ra------ C:\WINNT\system32\hccoin.dll
2006-09-12 20:23 53,520 --a------ C:\WINNT\system32\msjter40.dll
2006-09-12 20:23 512,272 --a------ C:\WINNT\system32\msexch40.dll
2006-09-12 20:23 422,160 --a------ C:\WINNT\system32\msrd2x40.dll
2006-09-12 20:23 380,957 --a------ C:\WINNT\system32\expsrv.dll
2006-09-12 20:23 315,664 --a------ C:\WINNT\system32\msrd3x40.dll
2006-09-12 20:23 213,264 --a------ C:\WINNT\system32\msltus40.dll
2006-09-12 20:23 151,824 --a------ C:\WINNT\system32\msjint40.dll
2006-09-12 20:22 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-09-12 20:02 176,128 --a------ C:\WINNT\system32\nvuaudio.exe
2006-09-12 19:54 6,928 --a------ C:\WINNT\system32\schmupd.exe
2006-09-12 19:29 20,480 --a------ C:\windrv.exe
2006-09-12 02:15 194,048 --a------ C:\MS32.exe
2006-09-12 02:15 0 --a------ C:\WINNT\system32\41221_netapi.exe
2006-09-12 02:07 0 --a------ C:\WINNT\system32\31184_netapi.exe
2006-09-11 19:35 138,862 --a------ C:\vnsbnsb.exe
2006-09-11 19:33 770,048 --a------ C:\ubbns.exe
2006-09-11 19:21 216,064 --------- C:\WINNT\system32\WinzAPI32.exe
2006-09-11 18:21 138,862 --a------ C:\videotron.exe
2006-09-11 18:03 770,048 --a------ C:\ubbn.exe
2006-09-11 18:01 138,862 --a------ C:\videotrom.exe
2006-09-11 18:00 770,048 --a------ C:\lcn.exe
2006-09-11 15:32 770,048 --a------ C:\hgshsgbx.exe
2006-09-11 15:32 138,862 --a------ C:\rayons.exe
2006-09-11 15:29 138,862 --a------ C:\rayon.exe
2006-09-11 15:28 770,048 --a------ C:\nycshook.exe
2006-09-11 14:42 770,048 --a------ C:\nycshos.exe
2006-09-11 14:22 770,048 --a------ C:\nycsho.exe
2006-09-11 13:59 770,048 --a------ C:\nyc.exe
2006-09-11 13:33 770,048 --a------ C:\nbncbc.exe
2006-09-11 13:16 138,862 --a------ C:\fix32ddd.exe
2006-09-11 13:15 770,048 --a------ C:\telekt.exe
2006-09-11 13:06 138,862 --a------ C:\fix32oi.exe
2006-09-11 13:03 770,048 --a------ C:\teleit.exe
2006-09-11 12:55 770,048 --a------ C:\ewewllllklkpo.exe
2006-09-11 12:47 770,048 --a------ C:\ewewllllklk.exe
2006-09-11 12:31 770,048 --a------ C:\ewewlll.exe
2006-09-11 12:21 770,048 --a------ C:\ewewll.exe
2006-09-11 12:15 138,862 --a------ C:\fix32.exe
2006-09-11 12:13 770,048 --a------ C:\ewew.exe
2006-09-11 12:06 770,048 --a------ C:\kjkj.exe
2006-09-11 12:01 770,048 --a------ C:\plpls.exe
2006-09-11 11:58 0 --a------ C:\WINNT\system32\37481_netapi.exe
2006-09-11 11:54 770,048 --a------ C:\6ruftjh.exe
2006-09-11 11:52 45,083 --a------ C:\WINNT\system32\ondsregl.exe
2006-09-11 11:26 770,048 --a------ C:\[email protected]
2006-09-11 11:17 194,048 --a------ C:\WINNT\system32\83652_netapi.exe
2006-09-11 10:56 770,048 --a------ C:\xpsp2.exe
2006-09-11 10:53 770,048 --a------ C:\[email protected]
2006-09-11 10:48 770,048 --a------ C:\rrrere.exe
2006-09-11 10:48 188,928 --a------ C:\WINNT\system32\45388_netapi.exe
2006-09-11 10:47 836 --a------ C:\WINNT\system32\winpfg32.sys
2006-09-11 10:47 45,056 --a------ C:\TIGEN001.exe
2006-09-11 10:47 32,768 --a------ C:\nwnmff_17.exe
2006-09-11 10:47 168,049 --a------ C:\WINNT\system32\lwinopex.exe
2006-09-11 10:46 770,048 --a------ C:\popopo.exe
2006-09-11 10:19 188,928 --a------ C:\wincomm.exe
2006-09-11 10:15 188,928 --a------ C:\winservnt32.exe
2006-09-11 06:18 188,928 --a------ C:\WINNT\system32\01164_netapi.exe
2006-09-11 00:23 18,192 --a------ C:\WINNT\system32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-15 14:58 -------- d-a------ C:\Program Files\Common Files
2006-09-15 01:25 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-15 00:28 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-13 23:36 -------- d-------- C:\Program Files\Winamp
2006-09-13 23:36 -------- d-------- C:\Program Files\Webshots
2006-09-13 23:36 -------- d-------- C:\Program Files\Internet Explorer
2006-09-13 23:35 -------- d-------- C:\Program Files\PrintView
2006-09-13 23:35 -------- d-------- C:\Program Files\iTunes
2006-09-13 23:24 -------- d-------- C:\Program Files\CleanUp!
2006-09-13 21:15 159232 --ahs---- C:\WINNT\system32\.exe
2006-09-12 21:17 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-12 19:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-12 02:19 -------- d-------- C:\Program Files\Last.fm Player
2006-09-11 10:46 33856 --a------ C:\WINNT\system32\drivers\oreans32.sys
2006-09-11 02:01 -------- d-------- C:\Program Files\eMule
2006-09-01 02:10 -------- d-------- C:\Program Files\Easy DVD Player
2006-08-24 17:45 -------- d-a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\SopCast
2006-08-22 22:44 -------- d-------- C:\Program Files\Java
2006-08-13 23:50 -------- d-------- C:\Program Files\Guild Wars
2006-08-13 13:13 -------- d-------- C:\Program Files\Soulseek-Test
2006-08-08 23:19 -------- d-------- C:\Documents and Settings\Felipe .GLOBAL\Application Data\CyberLink
2006-08-08 17:59 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-08 17:59 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-08 17:59 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-01 01:39 -------- d-------- C:\Program Files\mIRC
2006-07-26 23:43 -------- d-------- C:\Program Files\EndlessOnline
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\xing shared
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\Real
2006-07-19 18:52 -------- d-------- C:\Program Files\SopCast
2006-07-18 20:12 122 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini
2006-07-11 23:31 9363 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"fukr"="C:\\PROGRA~1\\COMMON~1\\fukr\\fukrm.exe"
"Start WingMan Profiler"=""
"stonedrv"="c:\\winnt\\system32\\stonedrv.exe"
"Microsoft Windows Communicator for NT/XP"="11514_netapi.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"NeroCheck"="C:\\WINNT\\system32\\\\NeroCheck.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"ATIModeChange"="Ati2mdxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"Microsoft Windows Communicator for NT/XP"="11514_netapi.exe"
"{CA-AC-C2-2C-ZN}"="c:\\winnt\\system32\\ondsregl.exe GEN001"
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"RegistryMechanic"=""
"akkpsatA"="C:\\WINNT\\akkpsatA.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"stonedrv"="c:\\winnt\\system32\\stonedrv.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"SubscribedURL"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,00,00,00,60,00,00,00,34,03,00,00,00,03,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,50,05,00,00,62,01,00,00,80,02,00,00,e0,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,c8,00,00,00,2f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c8,00,00,00,ed,00,00,00,a8,00,00,00,9e,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,05,00,00,1f,00,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Windows Communicator for NT/XP"="11514_netapi.exe"
"Ms Java for Windows NT"="MS32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Fri 2006-09-15 14:58:27.40
ComboFix.txt


WinPFind:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 15/09/2006 8:18:04 PM
WinPFind v1.5.0 Folder = C:\WinPFind\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 14/09/2006 9:05:56 PM 430592 C:\912_121.exe ()
UPX! 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
FSG! 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
PEC2 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()
WSUD 04/04/2006 10:44:00 PM 691450012 C:\NeroTemp.nrg ()

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
WSUD 12/12/1989 10:10:10 AM RHS 556864 C:\WINNT\akkpsatA.exe (System Service)
aspack 13/03/2005 3:23:18 PM 145408 C:\WINNT\CustoMess_Uninstall.exe (blobz.net)

Checking %System% folder...
aspack 18/03/2005 5:19:58 PM 2337488 C:\WINNT\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
PEC2 09/08/2005 3:14:00 PM 692736 C:\WINNT\SYSTEM32\DivX.dll (DivXNetworks)
PECompact2 09/08/2005 3:14:00 PM 692736 C:\WINNT\SYSTEM32\DivX.dll (DivXNetworks)
WinShutDown 15/09/2006 12:54:00 AM R S 234174 C:\WINNT\SYSTEM32\iGshlpr.dll ()
PTech 12/07/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll (Microsoft® Corporation)
WSUD 19/06/2003 12:05:04 PM 1011764 C:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
PECompact2 06/04/2006 12:48:38 PM 5143456 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 06/04/2006 12:48:38 PM 5143456 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
WinShutDown 15/09/2006 12:54:00 AM R S 235832 C:\WINNT\SYSTEM32\n8n6li5s18.dll ()
Umonitor 12/01/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
WinShutDown 15/09/2006 12:19:08 AM R S 233826 C:\WINNT\SYSTEM32\rxched20.dll ()
winsync 08/05/2001 5:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu ()

Checking %System%\Drivers folder and sub-folders...
UPX! 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 08/08/2006 5:59:30 PM 777472 C:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
15/09/2006 3:01:40 PM H 464472 C:\WINNT\ShellIconCache ()
15/09/2006 8:12:54 PM S 64 C:\WINNT\CSC\00000001 ()
12/09/2006 12:15:46 AM S 64 C:\WINNT\CSC\00000002 ()
11/09/2006 7:09:04 PM S 64 C:\WINNT\CSC\csc1.tmp ()
13/09/2006 9:15:32 PM HS 159232 C:\WINNT\system32\.exe ()
15/09/2006 12:54:00 AM R S 234174 C:\WINNT\system32\iGshlpr.dll ()
15/09/2006 12:54:00 AM R S 235832 C:\WINNT\system32\n8n6li5s18.dll ()
15/09/2006 12:19:08 AM R S 233826 C:\WINNT\system32\rxched20.dll ()
13/09/2006 9:15:32 PM HS 159232 C:\WINNT\system32\wgareg.exe ()
15/09/2006 8:08:06 PM H 1024 C:\WINNT\system32\config\default.LOG ()
15/09/2006 8:15:08 PM H 1024 C:\WINNT\system32\config\SAM.LOG ()
15/09/2006 8:13:14 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG ()
15/09/2006 8:36:10 PM H 1024 C:\WINNT\system32\config\software.LOG ()
15/09/2006 2:39:10 PM RHS 21500 C:\WINNT\system32\dllcache\msvps.exe ()
11/09/2006 12:19:00 PM RHS 25664 C:\WINNT\system32\dllcache\mswincom32.exe ()
15/09/2006 8:12:56 PM H 6 C:\WINNT\Tasks\SA.DAT ()

Checking for CPL files...
08/05/2001 5:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
08/05/2001 5:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
29/08/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
30/10/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
26/07/2006 3:03:14 AM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl (Sun Microsystems, Inc.)
08/05/2001 5:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
27/03/2001 12:14:00 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
19/06/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
08/05/2001 5:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
08/05/2001 5:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
29/08/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
23/09/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)
08/05/2001 5:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
27/03/2001 12:14:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
26/05/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{02BCC737-B171-4746-94C9-0D8A0B2C0089} - Microsoft Office Template and Media Control - CodeBase = http://office.micros...tes/ieawsdc.cab
{0D62A517-E7C6-4E1F-A577-07D4AC549A48} - Progetto1.int_ver32 - CodeBase = http://advnt01.com/d.../int_ver32n.CAB
{4F1E5B1A-2A80-42CA-8532-2D05CB959537} - MSN Photo Upload Tool - CodeBase = http://spaces.msn.co...ad/MsnPUpld.cab
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.micros...b?1127002788515
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - Update Class - CodeBase = http://v4.windowsupd...8972.8273032407
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn...pDownloader.cab
{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - Java Plug-in 1.5.0_01 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - Java Plug-in 1.5.0_04 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_08 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
15/04/2006 5:10:02 PM 799 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()
15/04/2006 5:10:02 PM 1568 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
01/04/2006 3:56:56 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
15/09/2006 2:33:50 PM 509 C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\TA_Start.lnk ()
15/09/2006 8:06:46 PM 551 C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Think-Adz.lnk ()
15/09/2006 8:07:42 PM 551 C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Webshots.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
11/07/2006 11:31:58 PM 9363 C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML ()
18/07/2006 8:12:34 PM 122 C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Search Page - http://searchbar.fin...siteyouneed.com
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.findthewebsiteyouneed.com
\\Search Bar - http://searchbar.fin...siteyouneed.com
\\Search Page - http://searchbar.fin...siteyouneed.com
\\Default_Search_URL - http://searchbar.fin...siteyouneed.com
\\Local Page - C:\WINNT\System32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://searchbar.fin...siteyouneed.com


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{2E608F70-C430-4BC5-96F6-608E02EBA5B2} - = ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\NEXTID - 8195
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8193 = Sun Java Console

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll (Sun Microsystems, Inc.)
\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll (Sun Microsystems, Inc.)(HKCU CLSID)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79307-84BE-11CE-9641-444553540000} - WinZip = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - C:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)
LoadQM - C:\WINNT\loadqm.exe (Microsoft Corporation)
NeroCheck - C:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
IntelliType - C:\Program Files\Microsoft Hardware\Keyboard\type32.exe (Microsoft Corporation)
ATIModeChange - C:\WINNT\SYSTEM32\Ati2mdxx.exe (ATI Technologies, Inc.)
SunJavaUpdateSched - C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe (Sun Microsystems, Inc.)
Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
ATIPTA - C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
AVG7_CC - C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)
iTunesHelper - C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
QuickTime Task - C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
WinampAgent - C:\Program Files\Winamp\winampa.exe ()
RemoteControl - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
Microsoft Windows Communicator for NT/XP - 11514_netapi.exe ()
{CA-AC-C2-2C-ZN} - C:\winnt\system32\ondsregl.exe ()
PVModule - C:\PROGRA~1\PRINTV~1\pvmodule.exe ()
RegistryMechanic - Reg Data missing or invalid ()
akkpsatA - C:\WINNT\akkpsatA.exe (System Service)
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)
ExploreUpdSched - C:\WINNT\system32\lwinopex.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
stonedrv - c:\winnt\system32\stonedrv.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe - C:\WINNT\SYSTEM32\internat.exe (Microsoft Corporation)
fukr - C:\PROGRA~1\COMMON~1\fukr\fukrm.exe ()
Start WingMan Profiler - Reg Data missing or invalid ()
stonedrv - c:\winnt\system32\stonedrv.exe ()
Microsoft Windows Communicator for NT/XP - 11514_netapi.exe ()

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\TA_Start.lnk - C:\WINNT\system32\dwdsregt.exe ()
C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Think-Adz.lnk - C:\WINNT\system32\lwinopex.exe ()
C:\Documents and Settings\Felipe .GLOBAL\Start Menu\Programs\Startup\Webshots.lnk - C:\Program Files\Webshots\Launcher.exe ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]
C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL = ()

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINNT\system32\userinit.exe,11514_netapi.exe
\\Shell = explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{C6984616-148F-4080-89D7-92BF5CD7B627} - (NVIDIA nForce MCP Networking Controller)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINNT\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Thanks again! :whistling:

Cheers
Felipe
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi

OK here we go. Let me know of any problems :whistling:

Please download the Killbox by Option^Explicit. Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Run Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\n8n6li5s18.dll
    C:\WINNT\system32\rxched20.dll
    C:\WINNT\akkpsatA.exe
    C:\912_121.exe
    C:\WINNT\system32\wgareg.exe
    C:\mscts.exe
    C:\msct.exe
    C:\windrv.exe
    C:\MS32.exe
    C:\vnsbnsb.exe
    C:\ubbns.exe
    C:\videotron.exe
    C:\ubbn.exe
    C:\videotrom.exe
    C:\lcn.exe
    C:\hgshsgbx.exe
    C:\rayons.exe
    C:\rayon.exe
    C:\nycshook.exe
    C:\nycshos.exe
    C:\nycsho.exe
    C:\nyc.exe
    C:\nbncbc.exe
    C:\fix32ddd.exe
    C:\telekt.exe
    C:\fix32oi.exe
    C:\teleit.exe
    C:\ewewllllklkpo.exe
    C:\ewewllllklk.exe
    C:\ewewlll.exe
    C:\ewewll.exe
    C:\fix32.exe
    C:\ewew.exe
    C:\kjkj.exe
    C:\plpls.exe
    C:\6ruftjh.exe
    C:\rrrere.exe
    C:\popopo.exe
    C:\TIGEN001.exe
    c:\winnt\system32\stonedrv.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


After the reboot see if you can post a hijack log. Rename HijackThis to something else and try again. Let me know either way :blink:

Edited by loophole, 18 September 2006 - 10:37 AM.

  • 0

#5
felipao

felipao

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi loophole,

Thanks again for your time and patience. I followed your instructions but I am still finding some issues. I ran BFU and everything went smoothly, no problem. I then tried to run the new version of Killbox but again the program would close by itself after a second or so. I sent the list of paths to my email and every time I tried to open that specific email my Thunderbird would close. I managed to copy the paths into a Notepad file and ran Killbox in safe mode. It ran OK and I got no messages about "pending files rename" whatsoever.

I then tried to run HijackThis but again it would close a few seconds after opening. I was able to run it in safe mode and below is the log I got. I hope this can help you solve this mystery:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:12 PM, on 17/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\system32\wincomm.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [{CA-AC-C2-2C-ZN}] C:\winnt\system32\ondsregl.exe GEN001
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [akkpsatA] C:\WINNT\akkpsatA.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\lwinopex.exe GEN001
O4 - HKLM\..\RunServices: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [fukr] C:\PROGRA~1\COMMON~1\fukr\fukrm.exe
O4 - HKCU\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\lwinopex.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32n.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: ShellCompatibility - C:\WINNT\system32\hrjq0515e.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft VPS Service - Unknown owner - C:\WINNT\system32\dllcache\msvps.exe
O23 - Service: MSCommmand - Unknown owner - C:\WINNT\system32\dllcache\mswincom32.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Microsoft Windows Spooler Services (Windows Spooler Services) - Unknown owner - C:\WINNT\wfbmgr.exe


Thanks again,
waiting for instructions..
Cheers
Felipe
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
OK, that helps. Give me a few.

Edited by loophole, 18 September 2006 - 10:36 AM.

  • 0

#7
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Please save these directions to notepad and save them to your desktop. You will need to copy/paste in safemode with killbox.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.


Go to Start | Run and type this in the box: services.msc
  • Locate these services: 'Microsoft Windows Spooler Services', 'MSCommmand' and 'Microsoft VPS Service', then right click and select Properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled
Make sure you do this for all three

Please uninstall the following through control panel >> add/remove programs:

Deskbar
ToolBar888


Please run a scan with HijackThis if you can and check the following lines for removal:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.d
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [{CA-AC-C2-2C-ZN}] C:\winnt\system32\ondsregl.exe GEN001

O4 - HKLM\..\Run: [akkpsatA] C:\WINNT\akkpsatA.exe

O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\lwinopex.exe GEN001
O4 - HKLM\..\RunServices: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\lwinopex.exe
O16 - DPF: {0D62A517-E7C6-4E1F-A577-07D4AC549A48} (Progetto1.int_ver32) - http://advnt01.com/d.../int_ver32n.CAB

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


Run Killbox
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\wincomm.exe
    C:\WINNT\system32\dllcache\msvps.exe
    C:\WINNT\system32\dllcache\mswincom32.exe
    C:\WINNT\wfbmgr.exe
    C:\WINNT\system32\lwinopex.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Please post a hijack log from normal mode. Hopefully you should be able to. If not, reboot to safe mode, make a log and then post it :whistling:
  • 0
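The log lines loophole singled out above follow a few recognisable patterns: a second program chained onto the Winlogon Shell/UserInit values (F2), autoruns launched from the drive root, from system32\dllcache or via the legacy RunServices key (O4), and "Unknown owner" services whose binary is missing or sits in dllcache (O23). The triage helper below is an added example, not part of this thread or of HijackThis; it parses those three HijackThis v1.99 line formats and applies exactly those checks. The sample log is constructed from lines in the logs posted here, and the "expected" Shell/UserInit values are an assumption for a stock Windows 2000 install.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code)."""
import re

# Programs Windows 2000 itself writes to the Winlogon Shell/UserInit values
# (assumption for a stock install); anything chained after them is suspect.
EXPECTED = {"Shell": {"explorer.exe"}, "UserInit": {"userinit.exe"}}

# Constructed sample, assembled from lines in the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e7.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\winnt\system32\stonedrv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Microsoft VPS Service - Unknown owner - C:\WINNT\system32\dllcache\msvps.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def first_token(cmdline):
    """Return the program part of an autorun command line, without arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split()[0] if cmdline else ""


def basename(path):
    """Lower-cased file name without any directory component."""
    return re.split(r"[\\/]+", path.strip().lower())[-1]


def odd_location(path):
    """Name the directory class if it is one legitimate autoruns rarely use."""
    p = re.sub(r"\\+", r"\\", path.lower().replace("/", "\\"))  # C:\\x.exe -> C:\x.exe
    if "\\" not in p:
        return None  # bare file name, resolved via the search path
    directory = p.rsplit("\\", 1)[0]
    if re.fullmatch(r"[a-z]:", directory):
        return "drive root"
    if directory.endswith("\\dllcache"):
        return "system32\\dllcache"
    return None


def triage(log_text):
    """Return (line_type, target, reason) tuples for entries worth a closer look."""
    findings = []
    chained = set()  # programs hijacking the Winlogon Shell/UserInit values
    lines = log_text.splitlines()
    # Pass 1: F2 lines, so the hijacking program is known before O4 lines are read.
    for line in lines:
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            for prog in re.split(r"[,\s]+", value.strip()):
                if prog and basename(prog) not in EXPECTED[key]:
                    chained.add(basename(prog))
                    findings.append(("F2", prog, f"extra program chained onto Winlogon {key}"))
    # Pass 2: autoruns and services.
    for line in lines:
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            prog = first_token(cmd)
            if key == "RunServices":
                findings.append(("O4", prog, "legacy RunServices key"))
            elif basename(prog) in chained:
                findings.append(("O4", prog, "same program as the Winlogon hijack"))
            elif (loc := odd_location(prog)):
                findings.append(("O4", prog, f"autorun from {loc}"))
            continue
        m = O23_RE.match(line)
        if m:
            _name, owner, path = m.groups()
            if owner != "Unknown owner":
                continue
            missing = path.endswith("(file missing)")
            path = path.replace("(file missing)", "").strip()
            if missing:
                findings.append(("O23", path, "unknown owner, binary missing"))
            elif (loc := odd_location(path)):
                findings.append(("O23", path, f"unknown owner, running from {loc}"))
    return findings


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print(f"{kind}: {target}  <- {reason}")
```

Entries such as the ATI service with "Unknown owner" in system32, or a properly installed program under Program Files, produce no finding, which matches what loophole left alone.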

#8
felipao

felipao

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Good news!

I was able to generate a HijackThis log from normal mode, although I wasn't able to follow some items from your previous instructions.

Go to Start | Run and type this in the box: services.msc

  • Locate these services: 'Microsoft Windows Spooler Services', 'MSCommmand' and 'Microsoft VPS Service', then right click and select Properties.
  • Under Service Status: select Stop
  • In the drop down box labeled, Startup Type: select Disabled
Make sure you do this for all three


I was able to disable these 3 services but the Stop button was not available since they were already stopped.


Please uninstall the following through control panel >> add/remove programs:

Deskbar
ToolBar888


I did not find the item "deskbar" on the programs list.



Please run a scan with HijackThis if you can and check the following lines for removal:


O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll


These 2 items were not on the hijackthis list.

Despite that I was able to create a log on normal windows operation which is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:50 PM, on 18/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\akkpsat.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\nwnmff_e7.exe
C:\kybrdff_e7.exe
C:\WINNT\akkpsatA.exe
C:\Program Files\Common Files\{3C9CAC2C-072D-1033-1128-030312220002}\Update.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINNT\system32\explorer.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e7.exe
O4 - HKLM\..\Run: [akkpsatA] C:\WINNT\akkpsatA.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKCU\..\Run: [fukr] C:\PROGRA~1\COMMON~1\fukr\fukrm.exe
O4 - HKCU\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: SharedDLLs - C:\WINNT\system32\hrjq0515e.dll (file missing)
O20 - Winlogon Notify: ShellScrap - C:\WINNT\system32\en20l1fm1.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\akkpsat.exe



Thanks again, things are better already.
Cheers
Felipe

#9
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi :blink:

Great, there's still quite a bit to remove but we should get a lot of it now :whistling:

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.

Please run ComboFix again.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply with a new Hijack log.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by loophole, 18 September 2006 - 10:22 PM.


#10
felipao
    Member
  • Topic Starter
  • Member
  • 23 posts
Hello loophole,

Unfortunately I am not able to follow any of your instructions because when Windows loads nothing comes up except my wallpaper. There are no icons on the desktop or the start toolbar. I tried loading Windows in safe mode and the same would occur. I left the computer off the whole night and tried again this morning but the same thing happened. What should I do now???

Thank you so much
Felipe


#11
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi

Can you press Control+Alt+Delete to bring up Task Manager? Click on File, New Task, then type explorer.exe and see what happens. What computer are you posting from now?

#12
felipao
    Member
  • Topic Starter
  • Member
  • 23 posts
Hello loophole,

You are awesome, I can't thank you enough for all your help!

Here is the deal. I tried creating a new task and opening explorer.exe from the task manager. A second explorer.exe appeared on the list of processes but my desktop remained empty. From the task manager I ran BFU with no problem. I also ran ComboFix but it did not give me a log; instead it cleaned my computer and then rebooted my computer. After that I ran HijackThis, still from the task manager, and the following is the log I got. I've been posting from work / school / girlfriend's computer since whatever virus I have would close my Explorer every time I tried to come to Geeks to Go or any other website aimed at fixing computer problems.

OK, here is the HijackThis log I just got:

Logfile of HijackThis v1.99.1
Scan saved at 23:01, on 06-09-19
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\akkpsat.exe
C:\WINNT\system32\wincomm.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cscript.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [akkpsatA] C:\WINNT\akkpsatA.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKCU\..\Run: [fukr] C:\PROGRA~1\COMMON~1\fukr\fukrm.exe
O4 - HKCU\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\akkpsat.exe

Thanks again and again
Felipe

#13
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Hi

I'm guessing you realized how to navigate without Explorer, or at least you are doing a good job of it :whistling: I'll just give you the directions and if you can't figure anything out just ask. *Hopefully* Explorer will come back after this. Just try to get through this the best you can.


Please run a scan with HijackThis and check the following lines for removal:

F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [akkpsatA] C:\WINNT\akkpsatA.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe
O4 - HKLM\..\Run: [combofix] c:\subs\combofix.cmd
O4 - HKCU\..\Run: [fukr] C:\PROGRA~1\COMMON~1\fukr\fukrm.exe
O4 - HKCU\..\Run: [stonedrv] c:\winnt\system32\stonedrv.exe
O4 - HKCU\..\Run: [Microsoft Windows Communicator for NT/XP] wincomm.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe

Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.


  • Please run Killbox.exe
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\akkpsat.exe
    C:\WINNT\system32\wincomm.exe
    C:\WINNT\system32\Explorer.exe
    C:\WINNT\system32\50531_netapi.exe
    C:\ComboFix.txt

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now please run ComboFix if you can and post the log with a new Hijack log.
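The Shell=/UserInit= chain through wincomm.exe, the explorer.exe copy in system32 and the vendorless "(file missing)" services that loophole singles out above can be picked out of a HijackThis log mechanically. The checker below is an added example, not code from the thread or from HijackThis: it runs over a constructed sample of those log lines, assumes WINDIR is C:\WINNT as the posted Windows 2000 logs show, and uses finding tags invented for this example.

```python
"""Audit HijackThis v1.99 log lines for the hijack patterns seen in this thread.
Assumption (not from the thread): WINDIR is C:\\WINNT as in the posted Windows 2000
logs, so the real shell is C:\\WINNT\\Explorer.EXE and any other explorer.exe is
suspect. The finding tags are made up for this example.
"""
import re

WINDIR = r"C:\WINNT"
# Core binaries whose names malware borrows or misspells (csrs.exe vs csrss.exe).
SYSTEM_BINARIES = ("explorer.exe", "csrss.exe", "userinit.exe", "winlogon.exe",
                   "lsass.exe", "services.exe", "smss.exe", "svchost.exe")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Constructed sample in the shape of the log posted above, trimmed, plus one benign entry.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe wincomm.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wincomm.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINNT\system32\csrs.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
"""

def one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) >= len(b):
            i += 1          # skip the extra/changed character in a
        if len(a) <= len(b):
            j += 1          # skip the extra/changed character in b
    return edits + (len(a) - i) + (len(b) - j) == 1

def image_path(value: str) -> str:
    """Pull the executable out of a Run value, quoted or not, dropping its arguments."""
    m = re.match(r'^"?(.*?\.(?:exe|cmd|bat|scr))"?', value, re.IGNORECASE)
    return m.group(1) if m else value.strip()

def check_f2(key: str, value: str) -> list:
    """Shell= and UserInit= are the two system.ini loaders wincomm.exe chained itself to."""
    if key == "Shell":
        tokens = value.split()
        if not tokens or tokens[0].lower() != "explorer.exe":
            return [("shell-replaced", value)]
        return [("shell-extra", " ".join(tokens[1:]))] if len(tokens) > 1 else []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    expected = f"{WINDIR}\\system32\\userinit.exe".lower()
    findings = []
    if not entries or entries[0].lower() != expected:
        findings.append(("userinit-replaced", value))
    if len(entries) > 1:
        findings.append(("userinit-extra", ",".join(entries[1:])))
    return findings

def check_o4(name: str, value: str) -> list:
    """Run entries: a relocated explorer.exe or a near-miss of a system binary name."""
    path = image_path(value)
    folder, _, base = path.lower().rpartition("\\")
    findings = []
    if base == "explorer.exe" and folder != WINDIR.lower():
        findings.append(("explorer-relocated", f"[{name}] {path}"))
    for real in SYSTEM_BINARIES:
        if one_edit_away(base, real):
            findings.append(("lookalike", f"[{name}] {base} resembles {real}"))
    return findings

def check_o23(name: str, owner: str, image: str) -> list:
    """A service with no vendor whose binary is already gone is a leftover to clean up."""
    if owner == "Unknown owner" and image.endswith("(file missing)"):
        return [("orphan-service", f"{name}: {image}")]
    return []

def audit(log_text: str) -> list:
    """Return (tag, detail) findings for every suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            findings += check_f2(m.group(1), m.group(2))
        elif m := O4_RE.match(line):
            findings += check_o4(m.group(2), m.group(3))
        elif m := O23_RE.match(line):
            findings += check_o23(*m.groups())
    return findings

if __name__ == "__main__":
    for tag, detail in audit(SAMPLE_LOG):
        print(f"{tag:20} {detail}")
```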

#14
felipao
    Member
  • Topic Starter
  • Member
  • 23 posts
You're right, I learnt how to navigate without Explorer.

I followed your instructions and now my Explorer is back. When the computer rebooted from Killbox, it automatically generated a ComboFix log by itself but instead of posting it, I ran ComboFix again and the following is the log. Something else I want to mention is that my AVG and Ewido are now working and they keep popping up about malware and viruses found and I am not sure if I should do anything about them.

The following are the requested logs.

Combofix:

Felipe - Wed 20/09/2006 18:25:59.60 Service Pack 4
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Felipe .GLOBAL\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3C9CAC2C-072D-1033-1128-030312220001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-20 to 2006-09-20 ))))))))))))))))))))))))))))))))))


2006-09-19 23:08 0 --a------ C:\WINNT\system32\74686_netapi.exe
2006-09-19 23:02 188,928 --a------ C:\winservnt32.exe
2006-09-19 22:59 0 --a------ C:\WINNT\system32\71584_netapi.exe
2006-09-19 22:15 127 --a------ C:\WINNT\system32\sjgcg.bat
2006-09-19 21:59 126 --a------ C:\WINNT\system32\fyqh.bat
2006-09-19 08:42 237,092 -r--s---- C:\WINNT\system32\s4pu0e79eh.dll
2006-09-19 08:42 237,092 -r--s---- C:\WINNT\system32\dtquery.dll
2006-09-18 21:54 237,092 -r--s---- C:\WINNT\system32\u0ru0a99ed.dll
2006-09-18 21:54 237,092 -r--s---- C:\WINNT\system32\rmclib.dll
2006-09-18 21:51 97,544 --ah----- C:\WINNT\system32\fmbqus.exe
2006-09-18 21:48 188,928 --a------ C:\wincomm.exe
2006-09-18 21:48 0 --a------ C:\WINNT\system32\12738_netapi.exe
2006-09-18 21:46 66 --a------ C:\steal.exe
2006-09-18 21:46 24,576 --a------ C:\dr.exe
2006-09-18 21:45 188,928 --a------ C:\WINNT\system32\10775_netapi.exe
2006-09-18 21:31 108,032 --ah----- C:\WINNT\system32\fawlixo.exe
2006-09-18 21:25 20,480 --a------ C:\acer.exe
2006-09-18 21:22 237,092 -r--s---- C:\WINNT\system32\f22mlcf11f2.dll
2006-09-18 20:54 188,928 --a------ C:\WINNT\system32\44132_netapi.exe
2006-09-18 03:05 53,120 --a------ C:\WINNT\srvzcymemb.exe
2006-09-18 03:05 406,864 -r-hs---- C:\WINNT\akkpsatA.exe
2006-09-18 03:05 215,308 --a------ C:\WINNT\srvdesrxnu.exe
2006-09-18 03:04 430,592 --a------ C:\912_121.exe
2006-09-17 21:31 170,836 --a------ C:\abcd.exe
2006-09-17 19:34 578,560 --a------ C:\Installer4.exe
2006-09-17 19:33 138,862 --a------ C:\acer32.exe
2006-09-17 19:29 188,928 --a------ C:\WINNT\system32\55175_netapi.exe
2006-09-15 00:53 234,174 -r--s---- C:\WINNT\system32\iGshlpr.dll
2006-09-13 20:49 194,048 --a------ C:\WINNT\system32\54887_netapi.exe
2006-09-13 20:45 20,448 --ahs---- C:\WINNT\system32\.exe
2006-09-12 21:17 1,386,496 --a------ C:\WINNT\system32\msvbvm60.dll
2006-09-12 20:23 831,760 --a------ C:\WINNT\system32\mswdat10.dll
2006-09-12 20:23 614,672 --a------ C:\WINNT\system32\mswstr10.dll
2006-09-12 20:23 6,416 -ra------ C:\WINNT\system32\hccoin.dll
2006-09-12 20:23 53,520 --a------ C:\WINNT\system32\msjter40.dll
2006-09-12 20:23 512,272 --a------ C:\WINNT\system32\msexch40.dll
2006-09-12 20:23 422,160 --a------ C:\WINNT\system32\msrd2x40.dll
2006-09-12 20:23 380,957 --a------ C:\WINNT\system32\expsrv.dll
2006-09-12 20:23 315,664 --a------ C:\WINNT\system32\msrd3x40.dll
2006-09-12 20:23 213,264 --a------ C:\WINNT\system32\msltus40.dll
2006-09-12 20:23 151,824 --a------ C:\WINNT\system32\msjint40.dll
2006-09-12 20:22 30,749 --a------ C:\WINNT\system32\vbajet32.dll
2006-09-12 20:02 176,128 --a------ C:\WINNT\system32\nvuaudio.exe
2006-09-12 19:54 6,928 --a------ C:\WINNT\system32\schmupd.exe
2006-09-12 02:15 0 --a------ C:\WINNT\system32\41221_netapi.exe
2006-09-12 02:07 0 --a------ C:\WINNT\system32\31184_netapi.exe
2006-09-11 19:21 216,064 --------- C:\WINNT\system32\WinzAPI32.exe
2006-09-11 11:58 0 --a------ C:\WINNT\system32\37481_netapi.exe
2006-09-11 11:52 45,083 --a------ C:\WINNT\system32\ondsregl.exe
2006-09-11 11:26 770,048 --a------ C:\[email protected]
2006-09-11 11:17 194,048 --a------ C:\WINNT\system32\83652_netapi.exe
2006-09-11 10:56 770,048 --a------ C:\xpsp2.exe
2006-09-11 10:53 770,048 --a------ C:\[email protected]
2006-09-11 10:48 188,928 --a------ C:\WINNT\system32\45388_netapi.exe
2006-09-11 10:47 836 --a------ C:\WINNT\system32\winpfg32.sys
2006-09-11 06:18 188,928 --a------ C:\WINNT\system32\01164_netapi.exe
2006-09-11 00:23 18,192 --a------ C:\WINNT\system32\hid.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-20 18:26 -------- d-a------ C:\Program Files\Common Files
2006-09-20 18:25 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-09-18 20:24 20448 --ahs---- C:\WINNT\system32\.exe
2006-09-18 19:29 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-09-13 23:36 -------- d-------- C:\Program Files\Winamp
2006-09-13 23:36 -------- d-------- C:\Program Files\Webshots
2006-09-13 23:36 -------- d-------- C:\Program Files\Internet Explorer
2006-09-13 23:35 -------- d-------- C:\Program Files\PrintView
2006-09-13 23:35 -------- d-------- C:\Program Files\iTunes
2006-09-13 23:24 -------- d-------- C:\Program Files\CleanUp!
2006-09-12 21:17 -------- d-------- C:\Program Files\Registry Mechanic
2006-09-12 19:51 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-12 02:19 -------- d-------- C:\Program Files\Last.fm Player
2006-09-11 10:46 33856 --a------ C:\WINNT\system32\drivers\oreans32.sys
2006-09-11 02:01 -------- d-------- C:\Program Files\eMule
2006-09-01 02:10 -------- d-------- C:\Program Files\Easy DVD Player
2006-08-24 17:45 -------- d-a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\SopCast
2006-08-22 22:44 -------- d-------- C:\Program Files\Java
2006-08-13 23:50 -------- d-------- C:\Program Files\Guild Wars
2006-08-13 13:13 -------- d-------- C:\Program Files\Soulseek-Test
2006-08-08 23:19 -------- d-------- C:\Documents and Settings\Felipe .GLOBAL\Application Data\CyberLink
2006-08-08 17:59 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-08 17:59 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-08 17:59 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-08-01 01:39 -------- d-------- C:\Program Files\mIRC
2006-07-26 23:43 -------- d-------- C:\Program Files\EndlessOnline
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\xing shared
2006-07-26 17:57 -------- d-------- C:\Program Files\Common Files\Real
2006-07-18 20:12 122 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\iScrobbler.ini
2006-07-11 23:31 9363 --a------ C:\Documents and Settings\Felipe .GLOBAL\Application Data\Comma Separated Values (Windows).EML


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"LoadQM"="loadqm.exe"
"NeroCheck"="C:\\WINNT\\system32\\\\NeroCheck.exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"ATIModeChange"="Ati2mdxx.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"PVModule"="C:\\PROGRA~1\\PRINTV~1\\pvmodule.exe"
"RegistryMechanic"=""
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Windows Explorer"="C:\\WINNT\\system32\\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"SubscribedURL"="file:///D:/My%20Pictures/ana%20fotos%202/setembro/101MSDCF/DSC02717.JPG"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,cc,00,00,00,60,00,00,00,34,03,00,00,00,03,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,50,05,00,00,62,01,00,00,80,02,00,00,e0,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,c8,00,00,00,2f,00,00,00,a8,00,00,00,9e,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c8,00,00,00,ed,00,00,00,a8,00,00,00,9e,00,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:00000001
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,50,05,00,00,1f,00,00,00,20,01,00,00,23,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Microsoft Windows Communicator for NT/XP"="wincomm.exe"
"Ms Java for Windows NT"="MS32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Wed 2006-09-20 18:26:28.71
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:32:09 PM, on 20/09/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\explorer.exe
C:\Documents and Settings\Felipe .GLOBAL\Desktop\ole\his.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127002788515
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Genuine Advantage Registration Service (net32a) - Unknown owner - C:\WINNT\system32\net32a.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\akkpsat.exe (file missing)

#15
loophole
    Malware Expert
  • Retired Staff
  • 9,798 posts
Very good

Reboot to Safe Mode and run a full scan with Ewido following the directions below. Let's see if we can get it to do some work for us. Remember to save the report.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.
Open Ewido
  • select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports":
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Reboot to normal Windows and post the Ewido and Hijack logs.

Thanks

Edited by loophole, 20 September 2006 - 08:18 PM.
