Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

HELP! system32:dllhost.exe [RESOLVED]


  • This topic is locked This topic is locked

#16
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
ok :)
  • 0

Advertisements


#17
micek206

micek206

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Here you go! Sorry, I didn't see that you posted afer me haha...
Btw, I scanned the whole computer twice, and everything crashed at the end, but he found only on C drive infected files, so I scanned for the third time just that :)

OTMOVEIT LOG

C:\WINDOWS\system32\HackIt.cmd moved successfully.
< @C:\WINDOWS\system32:dllhost.exe >
Unable to delete ADS C:\WINDOWS\system32:dllhost.exe .
C:\Documents and Settings\Hinamori\Application Data\IMVU\ProductFiles moved successfully.
C:\Documents and Settings\Hinamori\Application Data\IMVU\Cache moved successfully.
C:\Documents and Settings\Hinamori\Application Data\IMVU\avpics moved successfully.
C:\Documents and Settings\Hinamori\Application Data\IMVU moved successfully.
C:\Program Files\IMVU\_install moved successfully.
C:\Program Files\IMVU\resources moved successfully.
C:\Program Files\IMVU\data moved successfully.
C:\Program Files\IMVU moved successfully.
< HKLM\software\microsoft\active setup\installed components\{1615DBE6-CB07-A8A9-52FA-66BBF0AC000B} >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1615DBE6-CB07-A8A9-52FA-66BBF0AC000B}\\ deleted successfully.
< HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d9288080-1baa-4bc4-9cf8-a92d743db949} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d9288080-1baa-4bc4-9cf8-a92d743db949}\\ deleted successfully.
< emptytemp >
File delete failed. C:\DOCUME~1\Hinamori\LOCALS~1\Temp\~DF589A.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07102008_142611

Files moved on Reboot...
C:\DOCUME~1\Hinamori\LOCALS~1\Temp\~DF589A.tmp moved successfully.



MBAM LOG

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

14:39:05 10.7.2008
mbam-log-7-10-2008 (14-39-05).txt

Scan type: Quick Scan
Objects scanned: 40776
Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f0c5ef8b-f4bb-4612-9ea8-361fff3da3d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{127df9b4-d75d-44a6-af78-8c3a8ceb03db} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\acm.acmfactory (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\acm.acmfactory.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9aae1ab-9688-42c5-86f5-c12f6b9015ad} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{43382522-a846-46f4-ac57-1f71ae6e1086} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{572fb162-c0ba-4edf-8cff-e3846153b9b0} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72a836d1-bc00-43c0-a941-17960e4fb842} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{df901432-1b9f-4f5b-9e56-301c553f9095} (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\WhenUSave (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ACM.DLL (Adware.WhenUSave) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{23ed2206-856d-461a-bbcf-1c2466ac5ae3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Hinamori\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.


KASPERSKY

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 10, 2008 19:43:30
Records in database: 935065
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 63248
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:01:09


File name / Threat name / Threats count
C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll Infected: not-a-virus:AdWare.Win32.Mostofate.p 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.

Edited by micek206, 11 July 2008 - 04:21 AM.

  • 0

#18
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi, Re-run DSS for me and post main.txt please.
  • 0

#19
micek206

micek206

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Deckard's System Scanner v20071014.68
Run by Hinamori on 2008-07-11 13:17:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Hinamori.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:18:01, on 11.7.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcecoms.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Opera\Opera.exe
D:\~ Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hinamori.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.htnet.hr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.htnet.hr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = HTnet Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! ¤u¨a¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll,[email protected]
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 480" /O5 "LPT1:" /M "Stylus COLOR 480"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: HTnet - {04D3FBA8-DF9B-4091-AEE5-F715573F9F84} - C:\Program Files\Internet Explorer\SIGNUP\HTnet Start.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.htnet.hr/
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7702 bytes

-- Files created between 2008-06-11 and 2008-07-11 -----------------------------

2040-01-21 16:42:40 0 d-------- C:\c6a1f6e119dc0aef156605294e24d6
2008-07-10 14:31:46 0 d-------- C:\Documents and Settings\Hinamori\Application Data\Malwarebytes
2008-07-10 14:31:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-10 14:31:41 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-09 16:00:45 0 d-------- C:\Documents and Settings\Hinamori\Application Data\TuneUp Software
2008-07-09 15:47:08 0 d-------- C:\Documents and Settings\Hinamori\Application Data\URSoft
2008-07-09 15:47:05 0 d-------- C:\Documents and Settings\Hinamori\Application Data\Thinstall
2008-07-09 15:06:01 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-09 15:05:46 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-09 15:05:46 0 d-------- C:\Documents and Settings\Hinamori\Application Data\SUPERAntiSpyware.com
2008-07-09 15:05:02 0 d-------- C:\Program Files\Trend Micro
2008-07-09 15:01:52 0 d-------- C:\Program Files\CCleaner
2008-07-09 13:58:25 0 d-------- C:\Program Files\DAEMON Tools
2008-07-09 13:58:25 0 d-------- C:\Documents and Settings\Hinamori\Application Data\WinRAR
2008-07-09 13:58:14 0 d-------- C:\Documents and Settings\Hinamori\Application Data\vlc
2008-07-08 23:33:31 596992 --a------ C:\WINDOWS\system32\rave.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Rendering Acceleration Virtual Engine - RAVE>
2008-07-08 23:33:31 969216 --a------ C:\WINDOWS\system32\qd3d.dll <Not Verified; Apple Computer Inc.; Apple Computer, Inc. QuickDraw 3D>
2008-07-08 23:33:31 126976 --a------ C:\WINDOWS\system32\3DViewer.dll <Not Verified; Apple Computer, Inc.; Apple Computer, Inc. QuickDraw 3D Viewer Controller>
2008-07-08 15:46:27 0 d-------- C:\Documents and Settings\Hinamori\Application Data\Opera
2008-07-08 15:46:12 0 d-------- C:\Program Files\Opera
2008-06-17 12:42:04 0 d-------- C:\Program Files\ALNO
2008-06-16 17:37:55 0 d-------- C:\Documents and Settings\Hinamori\System
2008-06-16 17:37:55 0 d-------- C:\Documents and Settings\Hinamori\Application Data\SmartDraw
2008-06-16 17:30:30 0 d-------- C:\Program Files\SmartDraw 2008
2008-06-16 12:31:12 0 d-------- C:\Program Files\SopCast
2008-06-15 14:19:18 0 d-------- C:\Program Files\IKEA HomePlanner
2008-06-15 14:18:58 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2008-07-11 13:17:46 0 d-------- C:\Documents and Settings\Hinamori\Application Data\uTorrent
2008-07-11 12:18:55 0 d-------- C:\Program Files\Lx_cats
2008-07-10 14:52:15 0 d-------- C:\Program Files\Java
2008-07-10 13:42:13 0 d-------- C:\Program Files\mIRC
2008-07-09 17:55:09 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-07-09 17:51:36 0 d-------- C:\Program Files\Common Files
2008-07-09 15:59:06 0 d-------- C:\Program Files\NJStar Japanese WP
2008-07-09 13:58:26 0 dr-h----- C:\Documents and Settings\Hinamori\Application Data\yahoo!
2008-07-09 13:58:24 0 d-------- C:\Documents and Settings\Hinamori\Application Data\CyberLink
2008-07-09 13:58:14 0 d-------- C:\Program Files\Total Uninstall 4
2008-07-09 13:56:15 0 d-------- C:\Program Files\D-Tools
2008-07-09 13:56:03 0 d-------- C:\Program Files\Yahoo!
2008-07-08 16:45:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-08 16:41:41 0 d-------- C:\Program Files\The KMPlayer
2008-07-08 16:25:35 562 --a------ C:\Documents and Settings\Hinamori\Application Data\AutoGK.ini
2008-06-29 11:32:24 0 d-------- C:\Program Files\Common Files\Real
2008-06-12 16:04:34 0 d-------- C:\Program Files\Blaze Media Pro
2008-05-26 17:58:21 0 d-------- C:\Documents and Settings\Hinamori\Application Data\temp
2008-05-14 01:10:22 0 d-------- C:\Program Files\Microsoft Research
2008-04-29 19:29:49 230432 --a------ C:\StiImg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [17.12.2003 12:53 C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 12:50]
"BluetoothAuthenticationAgent"="bthprops.cpl" [04.08.2004 00:56 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11.11.2005 14:47]
"nwiz"="nwiz.exe" [11.11.2005 14:47 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [11.11.2005 14:47]
"NetLimiter"="C:\Program Files\NetLimiter\NetLimiter.exe" [11.12.2005 12:59]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [03.08.2004 22:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03.08.2004 22:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03.08.2004 22:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03.08.2004 22:32]
"LXCECATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCEtime.dll" [20.07.2005 15:46]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [07.01.2006 03:36]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [13.06.2005 03:38]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [09.07.2008 17:55]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [25.01.2008 15:38]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10.06.2008 04:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus COLOR 480"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.exe" []
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [24.05.2006 20:31]
"@"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [28.05.2008 10:33]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [11.12.2005 1:13:13]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [21.11.2005 10:19:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [09.10.2004 16:18 49152]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13.05.2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus COLOR 480]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 480" /O5 "LPT1:" /M "Stylus COLOR 480"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Program Files\Lexmark 4300 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcemon.exe]
"C:\Program Files\Lexmark 4300 Series\lxcemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-07-11 13:18:25 ------------
  • 0

#20
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since you didn't do it before please do this now.

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following

@Echo off
dir "C:\Documents and Settings\Hinamori\System">looksee.txt
reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run">>looksee.txt
notepad looksee.txt
del fix.bat
exit


In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.

Posted Image

Double click on fix.bat.

Post back with the results, hows your pc running?
  • 0

#21
micek206

micek206

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Oh,sorry.. I was doing this step with my friend, and he said it was ok, but we got something weird...
My pc is running ok like it used to, there's no problem... The main problem was that dllhost.exe that kept pooping up on startup

Volume in drive C is Kiyomeru
Volume Serial Number is 9CF9-F3BF

Directory of C:\Documents and Settings\Hinamori\System

16.06.2008 17:37 <DIR> .
16.06.2008 17:37 <DIR> ..
17.06.2008 11:27 86 win_qs8.jqx
1 File(s) 86 bytes
2 Dir(s) 18.958.721.024 bytes free

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus COLOR 480 REG_SZ C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 480" /O5 "LPT1:" /M "Stylus COLOR 480"
STYLEXP REG_SZ C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
<NO NAME> REG_SZ
SUPERAntiSpyware REG_SZ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BtcMaestro
  • 0

#22
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Your logs look clean :)

You can keep or remove MalwareBytes' antimalware, just uninstall it if you no longer want it.

Let's remove the tools I had you use.

Please open OTMoveIt2:
  • Double click OTMoveIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Right-click on "My Computer." The "System Properties" dialogue box will appear, showing a number of tabs. From here you can reset System Restore and configure Automatic Updates.

First, click the System Restore tab.
  • Check the box beside "Turn off System Restore"
  • Click "Apply"
  • At the prompt, click "Yes"
Wait while your system deletes existing Restore Points, this may take a few moments.
  • Uncheck the box beside "Turn off System Restore"
  • Click "Apply"
  • At the prompt, click "Yes"
Your system will now create a new Restore Point.

Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to aviod downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web broswer. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#23
micek206

micek206

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hey, thanx a lot!! :) Everything is fiiiine... Really thank you for solving my problem :) Enjoy~
  • 0

#24
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
I'm glad everything is running well :)

Take care and have a great day still!

Mike
  • 0

#25
Mike

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP