Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

infected by trojan-spy.html.smitfraud.c

Started by Wallace Bishop , May 06 2005 10:40 AM

This topic is locked

#31
Daemon

Posted 25 May 2005 - 12:38 AM

Security Expert

Retired Staff
4,356 posts

Try this for me. Click Start>Run. Copy & paste the following and click OK.

regsvr32.exe /U u3s9wwh8p1m.dll

You should get a message that it has been uninstalled successfully. Then find and delete:

C:\WINDOWS\system32\u3s9wwh8p1m.dll

Next, fix this entry with HJT:

O20 - AppInit_DLLs: u3s9wwh8p1m.dll

Reboot and let me know. (If the filename has changed since your last post, be sure to use the current one)

#32
Wallace Bishop

Posted 25 May 2005 - 04:34 PM

Member

Topic Starter
Member
26 posts

I recieved this message after pasting in run. I did not proceed any further. thsi one is being difficult isn;t it

---------------------------
RegSvr32
---------------------------
u3s9wwh8p1m.dll was loaded, but the DllUnregisterServer entry point was not found.

This file can not be registered.
---------------------------
OK
---------------------------

#33
Wallace Bishop

Posted 25 May 2005 - 04:36 PM

Member

Topic Starter
Member
26 posts

I just tried to delete ti in Kill Box and it said it could not be deleted.

#34
Daemon

Posted 26 May 2005 - 12:01 AM

Security Expert

Retired Staff
4,356 posts

It is a little persistent. Download Swap.zip. Extract it from the zip file. Browse to where you unzipped the Swap.zip files. Run Swap.bat. This will create a log at C:\log.txt. It will also reboot your PC.

Post the contents of the log created by Swap.bat and a new HijackThis log please.

#35
Wallace Bishop

Posted 26 May 2005 - 07:12 PM

Member

Topic Starter
Member
26 posts

I did as instructed, how long does it take it is just sitting there and sayes the following. As soon as I opened the swap.bat the AVG virus alert popped up. I had not seen it in days. I guess Swap.bat will reboot when it is finished. What caused the AVG to start popping up again?

1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Scanning C:\WINDOWS\system32

#36
Wallace Bishop

Posted 26 May 2005 - 09:17 PM

Member

Topic Starter
Member
26 posts

Swap.bat is still sitting and has not changed in about 3 hours. I do not think it is working. I will leave it alone until in the morning. Hopefully it is working in the background

Thansk
Wally

#37
Wallace Bishop

Posted 26 May 2005 - 09:20 PM

Member

Topic Starter
Member
26 posts

In Task manager i see 5 process called svchost.exe. have never seen this before. What is it.

Thanks
Wally

#38
Daemon

Posted 27 May 2005 - 12:29 AM

Security Expert

Retired Staff
4,356 posts

It normally takes 20-30 minutes to run - did it produce the log?

svchost.exe is OK, see here: http://www.liutiliti...ibrary/svchost/

#39
Wallace Bishop

Posted 27 May 2005 - 05:12 AM

Member

Topic Starter
Member
26 posts

whne i awoke this morning it looked like the system had rebooted and there were no virus alerts showing. here are the scan reports. I accidently opend the swap.bat file and it erased the log so i will do again tonight. It also started the virus alert agin. I rebooted and the virus alert has not popped up yet. The HJT look seesm to be missing our very persistent file, hmmmm maybe something cleaned it.

I really appreciate your diligence & patience with me. I am just a novice with little actual computer knowledge but am sure learning a lot from you.

Thanks again
Wally

Logfile of HijackThis v1.99.1
Scan saved at 6:55:12 AM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#40
Daemon

Posted 27 May 2005 - 06:53 AM

Security Expert

Retired Staff
4,356 posts

Looks like we got it with that last step. Could you redownload mwav again so that you get the latest version, scan again with that and post the mwav scan as before.

#41
Wallace Bishop

Posted 28 May 2005 - 05:44 AM

Member

Topic Starter
Member
26 posts

looks like the virus is still with me.

Lower box
File System Found infected by "cws.therealsearch Spyware/Adware" Virus! Action Taken: No Action Taken.
File C:\!Submit\u3s9wwh8p1m.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147395.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147396.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147397.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147398.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147399.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP13\A0147631.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP13\A0147646.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP13\A0147647.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147935.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147936.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147937.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147938.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147939.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147940.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147941.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP14\A0147942.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP17\A0148226.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP20\A0148736.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP20\A0148737.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP20\A0148738.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP20\A0148740.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP20\A0148741.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP4\A0052604.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP5\A0079464.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0123500.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0134287.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0134903.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0137012.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146719.exe infected by "Trojan.Win32.Small.cr" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146735.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146742.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146751.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146759.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146767.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146775.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146788.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146809.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146822.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146834.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146842.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146866.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146877.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146916.dll infected by "Trojan.Win32.Krepper.ae" Virus! Action Taken: No Action Taken.

Top Box
Sat May 28 07:37:36 2005 => ***** Scanning complete. *****
Sat May 28 07:37:36 2005 => Total Objects Scanned: 289293
Sat May 28 07:37:36 2005 => Total Virus(es) Found: 46
Sat May 28 07:37:36 2005 => Total Disinfected Files: 0
Sat May 28 07:37:36 2005 => Total Files Renamed: 0
Sat May 28 07:37:36 2005 => Total Deleted Objects: 0
Sat May 28 07:37:36 2005 => Total Errors: 3
Sat May 28 07:37:36 2005 => Time Elapsed: 06:42:56
Sat May 28 07:37:36 2005 => Virus Database Date: 2005/05/12
Sat May 28 07:37:36 2005 => Virus Database Count: 129400

Sat May 28 07:37:36 2005 => Scan Completed.

#42
Daemon

Posted 28 May 2005 - 06:57 AM

Security Expert

Retired Staff
4,356 posts

No, it's gone. Find and delete this folder:

C:\!Submit

then follow this sequence:

1. Right-click My Computer>Click Properties>Click the System Restore tab>Check the box next to 'Turn off System Restore on all drives'>Click Apply>Click OK.

2. Reboot.

3. Repeat the process but this time remove the check from the box.

Post a new HJT log for a final check.

#43
Wallace Bishop

Posted 28 May 2005 - 07:39 PM

Member

Topic Starter
Member
26 posts

I did just as instructed and here is the log. I hope this has it!!

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:00:12 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#44
Daemon

Posted 29 May 2005 - 06:45 AM

Security Expert

Retired Staff
4,356 posts

Looks good now, how is it running?

#45
Wallace Bishop

Posted 29 May 2005 - 11:34 AM

Member

Topic Starter
Member
26 posts

Daemon, it seems to be running very good. I can't thank you enough. You are very talented at fighting the bad guys. I would like to punch them in the nose.

Is it safe now to order over the internet with a credit card like ordering online. or to send you some money via paypal. I am not rich and don't have much but would like show my appreciation to you.

Thanks so much!!

Wally