Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need assistance :( [RESOLVED]

Started by Dzrtfox , Feb 22 2006 09:17 PM

  • This topic is locked This topic is locked

#1
Dzrtfox
Posted 22 February 2006 - 09:17 PM

Dzrtfox

    Member

  • Member
  • PipPip
  • 11 posts
Being a newbie here I think I may have messed up by replying to my own post :tazz: http://www.geekstogo...showtopic=99055

Here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:15:37 PM, on 2/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kali\Kali.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp32D8.tmp
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RAM Medic] C:\Program Files\Iomatic\RAM Medic\RAMMedic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Siabcs] C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

Advertisements

#2
greyknight17
Posted 24 February 2006 - 02:12 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Yeah, try not to reply to your own posts if you can. We would have gotten to your topic a little bit earlier if you didn't bump it. I closed it, so we will work on it here...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet. NOTE: If you have Windows 9x/ME, you don't need to run Ewido (skip this step).

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\System32\hp32D8.tmp

Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double click on the RunThis file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Delete these files if found:

C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\WINDOWS\System32\hp32D8.tmp

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present. Also delete it.

Restart your computer to get back to Normal Mode..

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Please post that log in your next reply.

Then post the Panda log here along with the logs for smitfiles.txt, Ewido and a new HijackThis log.
  • 0

#3
Dzrtfox
Posted 24 February 2006 - 09:19 PM

Dzrtfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:12:08 PM, on 2/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RAM Medic] C:\Program Files\Iomatic\RAM Medic\RAMMedic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Siabcs] C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Smitlog


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 02/24/2006
The current time is: 16:46:27.66

Running from
C:\Documents and Settings\Dzrtfox\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1224 'explorer.exe'
Killing PID 1224 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :tazz:


Ewido Log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:52:50 PM, 2/24/2006
+ Report-Checksum: B2BF4904

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000010} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup
C:\bfcpetmp\BatComp.CAB/bat2exe._32 -> Trojan.Eraser.a : Cleaned with backup
C:\Documents and Settings\Dzrtfox\Desktop\frequently used stuff\GRC.COM\backup-20060221-111133-387.dll -> Downloader.Zlob.hc : Cleaned with backup
C:\Documents and Settings\Dzrtfox\Desktop\frequently used stuff\GRC.COM\backup-20060221-111219-377.dll -> Downloader.Zlob.hc : Cleaned with backup
C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=CD=-\g6 server 2.15\g6 server 2.15.rar/g6 server 2.15\6 Addons for Bulletproof G6 ftp\G6 Renamer v1.41\CR-GR141.ZIP/CORE2000.EXE -> Worm.Finaldo.a : Cleaned with backup
C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Securtiy=-\Panda.Antivirus.Titanium.v2.00.08.WinALL\Panda Antivirus Titanium RETAIL v2.01.exe/QRV.KRN -> Trojan.FormatC : Cleaned with backup
C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Securtiy=-\SpyHunter.zip/SpyHunter/Backup/dzrtfox@casalemedia[1].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Program Files\Internet Explorer\bgxxjhhi.exe -> Downloader.WinShow.z : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\npzango.dll -> Adware.WinAD : Cleaned with backup
C:\Program Files\Netscape\Netscape\plugins\npzango.dll -> Adware.WinAD : Cleaned with backup
C:\Program Files\Proxy Switcher Standard\ProxySwitcher.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\Program Files\Proxy Switcher Standard\tmp.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N68M2301NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Cleaned with backup
C:\WINDOWS\NDNuninstall4_94.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\nqbL71e4y.dll -> Downloader.Lemmy.q : Cleaned with backup
C:\WINDOWS\system32\dxmpp.dll -> Not-A-Virus.Hoax.Win32.Renos.v : Cleaned with backup
C:\WINDOWS\system32\msiaih.dll -> Adware.Ipend : Cleaned with backup
C:\WINDOWS\system32\winqlq32.dll -> Hijacker.Small.kb : Cleaned with backup


::Report End


Panda Log

Incident Status Location

Adware:adware/ncase Not disinfected C:\WINDOWS\didduid.ini
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\Dzrtfox\Application Data\Lycos
Adware:adware/deskwizz Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Dzrtfox\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-7d974f60.zip[InstallerApplet.class]
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dzrtfox\Desktop\backups\backup-20060221-185235-246.dll
Potentially unwanted tool:Application/Leaktest.A Not disinfected C:\Documents and Settings\Dzrtfox\Desktop\frequently used stuff\GRC.COM\leaktest.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dzrtfox\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dzrtfox\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Other=-\Apps\Rhinosoft.Serv-U.FTP.Server.Pro.v4.1\gdserv41.rar[SERVUDAEMON.EXE]
Possible Virus. Not disinfected C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Other=-\Apps\Zealot.All.Video.Splitter.v1.0.6.Incl.Keygen-ORiON\o-avs106.zip[Keygen.exe]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Other=-\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON.rar[SERVUDAEMON.EXE]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Other=-\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON.rar[SERVUTRAY.EXE]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\MYFTP\Dzrtfox FTP\-=Apps=-\-=Other=-\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON\Rhino_Software_Serv-U_v5.0.0.11_Corporate_Final-HARPOON.rar[SERVUPERFCOUNT.DLL]
Potentially unwanted tool:Application/SlimFTP.A Not disinfected C:\WINDOWS\navap.exe
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\iezset.exe
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\system32\msdipo.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xvunfmbx.dll
  • 0

#4
greyknight17
Posted 24 February 2006 - 10:21 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.
If you have Java 1.5, do this instead. Start->Control Panel->Java->Settings->Delete Files and click OK and OK.

Delete these:

C:\WINDOWS\didduid.ini
C:\Documents and Settings\Dzrtfox\Application Data\Lycos
C:\Documents and Settings\Dzrtfox\Desktop\backups\backup-20060221-185235-246.dll
C:\WINDOWS\navap.exe
C:\WINDOWS\system32\iezset.exe
C:\WINDOWS\system32\msdipo.dll
C:\WINDOWS\system32\xvunfmbx.dll

Restart.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#5
Dzrtfox
Posted 25 February 2006 - 12:35 PM

Dzrtfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Looks to be in decent shape :tazz: .. had one thing come up. Thinks its that about:blank thing... know how get rid of that? Thank you for all your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:15:23 AM, on 2/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RAM Medic] C:\Program Files\Iomatic\RAM Medic\RAMMedic.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Siabcs] C:\Program Files\Steganos Internet Anonym 2\siabcs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#6
greyknight17
Posted 25 February 2006 - 01:10 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
What's detecting the about:blank and what does it say about it?

Try this:

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Still getting it?
  • 0

#7
Dzrtfox
Posted 25 February 2006 - 02:42 PM

Dzrtfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
It has only popped up once, right after I was finished with all the others scans and reboot. It ha not been back since and Shredder found nothing. I guess we can consider my comp fixed :tazz:

Thank you very very much greyknight17!
  • 0

#8
greyknight17
Posted 25 February 2006 - 03:12 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP