Help Please


8 replies to this topic

#1 Dj_Eddie

Dj_Eddie

    New Member

  • Member
  • 5 posts

Posted 12 November 2005 - 11:44 PM

Hi everyone. I'm new to this site. I have a big problem. I have downloaded:

SpyBot
Ad-Aware SE Personal
HiJackThis
Microsoft AntiSpyWare
I also had NAV but uninstalled it because I thought that it was causing all the mess.


When I try to run SpyBot and Ad-Aware SE Personal they crash (this also happened with NAV before I uninstalled it). It happens when I hit the Scan button. I've read the instructions I found in this forum but I can't do anything. Accidentally I found a program running (sometimes) in the Ctrl-Alt-Del menu, "msresearch". Here is the HiJackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 01:32:06, on 13/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dj Eddie's Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe" "Microcom\ADSL DeskPorte USB"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F50CC43-69C7-4C1E-ACF8-7D50FFEE031A}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA562466-1EFF-418E-9AE6-DC999A0C381F}: NameServer = 80.76.33.227 80.76.39.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS2\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\rRstapi.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

#2 Dj_Eddie

Dj_Eddie

    New Member

  • Member
  • 5 posts

Posted 12 November 2005 - 11:46 PM

What should I do? Thanks for your time

#3 Mosaic1

Mosaic1

    Most Respected SuperExpert

  • Member
  • 4,576 posts

Posted 13 November 2005 - 04:38 AM

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when you're clean.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
_ _ _ _


You will be restarting into Safe mode later. Here's help if you need it.

To use the F8 key to start Windows XP in Safe mode
Restart the computer.
Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
As soon as the BIOS loads, begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
Using the arrow keys on the keyboard, select Safe mode and then press Enter.

------
Because XP will not always show you hidden files and folders by default.
Reset your search settings first.

Open Folder Options>view and check your settings:
Select
Show hidden files and folders
Display the contents of system folders
Uncheck: Hide protected operating system files
Next go to Search and look down to More advanced options and click on the chevron next to it.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
--------
Download CCleaner.

http://www.filehippo...d_ccleaner.html

Install CCleaner
Launch CCleaner and look in the upper right corner and click on the "Options" button.
Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
Click OK
Do not run CCleaner yet. You will run it later in safe mode.


Download the trial version of Ewido Security Suite:

http://www.ewido.net/en/download/

Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.
--------------------------



Copy these instructions to notepad and save them to your desktop for easy reference.


--
Physically disconnect from your Internet Connection.

Restart your computer into safe mode.


Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your desktop


Start CCleaner and click Run Cleaner.


--------------------
Run hijackthis and select any of the following which still exist.
Press the fix checked button:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F50CC43-69C7-4C1E-ACF8-7D50FFEE031A}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS2\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\rRstapi.dll (file missing)



Shutdown the computer and reconnect your internet connection.

Restart back into regular windows.


Go for a free online Virus scan here:
http://www.pandasoft...com/activescan/

Allow it to clean

Panda will have the option to create a log after the scan has finished. Click the See Report button. Then click the Save Report button. It will be saved under the name activescan.txt. Do that and post that log into your next reply here.


Post a new Hijackthis log along with the results from ActiveScan and the ewido scan.


Please download silentrunners.zip
http://www.silentrun...ent Runners.zip

Unzip to your desktop and double click on the VBS file.
If you get a message about a malicious script, please allow the script to run. It is a diagnostic tool.

The script will save a Notepad document to your Desktop.

Copy and paste the contents of that text file into your next reply.
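The fix list above singles out three kinds of HijackThis entry: O17 NameServer values that point at resolvers the machine was never configured to use, an O20 Winlogon Notify registration whose DLL is no longer on disk, and O4 Run entries that deserve a second look. The script below is an added example (mine, not part of this post and not HijackThis code) that parses a log and surfaces those same entry types. SAMPLE_LOG is a constructed subset of the lines posted in this thread; APPROVED_RESOLVERS is a placeholder allow-list of RFC 5737 documentation addresses that stands in for the ISP's real resolvers, which an operator has to supply.

```python
"""Triage a HijackThis log for the indicator types discussed in this thread.

Added example, not HijackThis code.  SAMPLE_LOG is a constructed subset of
the lines posted above; APPROVED_RESOLVERS is a placeholder (RFC 5737
documentation addresses) for the resolvers the ISP/DHCP really hands out.
"""
import ipaddress
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [msresearch] C:\windows\msresearch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA562466-1EFF-418E-9AE6-DC999A0C381F}: NameServer = 80.76.33.227 80.76.39.10
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\rRstapi.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Placeholder allow-list (constructed); replace with the ISP's actual resolvers.
APPROVED_RESOLVERS = {"192.0.2.1", "192.0.2.2"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O17_RE = re.compile(r"\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse_entries(log_text):
    """Split a log into (kind, body) pairs, e.g. ("O17", "HKLM\\System...")."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def nameservers(entries):
    """Interface GUID -> set of DNS servers, merged across CCS/CS1/CS2 copies.
    HijackThis prints the servers comma- or space-separated."""
    result = {}
    for kind, body in entries:
        m = O17_RE.search(body) if kind == "O17" else None
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            result.setdefault(m.group("guid"), set()).update(servers)
    return result


def rogue_nameservers(entries, approved):
    """Every configured resolver that is not on the operator's allow-list."""
    approved = {ipaddress.ip_address(a) for a in approved}
    findings = []
    for guid, servers in nameservers(entries).items():
        for s in sorted(servers):
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                findings.append((guid, s, "unparseable address"))
                continue
            if ip not in approved:
                findings.append((guid, s, "not an approved resolver"))
    return findings


def orphaned_winlogon_notify(entries):
    """O20 registrations whose DLL HijackThis could not find on disk."""
    return [b for k, b in entries if k == "O20" and b.endswith("(file missing)")]


def run_entries_to_review(entries):
    """O4 Run entries worth a second look: an unqualified executable name
    (resolved through the search path at logon) or an executable sitting
    directly in the Windows directory.  Review prompts, not verdicts."""
    review = []
    for kind, body in entries:
        m = O4_RE.match(body) if kind == "O4" else None
        if not m:
            continue
        exe_m = re.match(r'"([^"]+)"|(\S+)', m.group("cmd").strip())
        if not exe_m:
            continue
        exe = exe_m.group(1) or exe_m.group(2)
        reasons = []
        if "\\" not in exe:
            reasons.append("unqualified path")
        elif re.match(r"^[A-Za-z]:\\windows\\[^\\]+$", exe, re.IGNORECASE):
            reasons.append("executable directly in the Windows directory")
        if reasons:
            review.append((m.group("name"), exe, reasons))
    return review


def triage(log_text, approved_resolvers):
    entries = parse_entries(log_text)
    return {
        "rogue_dns": rogue_nameservers(entries, approved_resolvers),
        "orphaned_notify": orphaned_winlogon_notify(entries),
        "run_to_review": run_entries_to_review(entries),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG, APPROVED_RESOLVERS).items():
        print(section)
        for item in items:
            print("  ", item)
```

The O4 check is deliberately a review prompt rather than a verdict: legitimate vendors also register unqualified names and drop executables into the Windows directory (UpdReg.EXE in the log above is one), so the output is a shortlist for a human, which is exactly how the expert in this thread used the log.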

#4 Dj_Eddie

Dj_Eddie

    New Member

  • Member
  • 5 posts

Posted 13 November 2005 - 04:52 PM

Thanks for the reply. Here are the results:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:55:38, 13/11/2005
+ Report-Checksum: 37740A9E

+ Scan result:

HKU\S-1-5-21-507921405-1275210071-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-507921405-1275210071-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-507921405-1275210071-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKU\S-1-5-21-507921405-1275210071-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
[212] VM_00D60000 -> TrojanDownloader.Agent.uj : Error during cleaning
[236] VM_00C70000 -> TrojanDownloader.Agent.uj : Error during cleaning
[444] VM_009D0000 -> TrojanDownloader.Agent.uj : Error during cleaning
C:\drsmartload.exe -> Spyware.SmartLoad : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\mte3ndm6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\ccnnepda\cbrtbtqcen\mofulftom.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\ccnnepda\eadtqepr\qufslelf.exe -> Adware.Gator : Cleaned with backup
C:\RECYCLER\NPROTECT\00008341.fil -> Adware.Gator : Cleaned with backup
C:\RECYCLER\NPROTECT\00008472.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00008499.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00008627.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00008643.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00008817.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009024.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009031.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009160.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009251.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009435.exe -> Trojan.Agent.fe : Cleaned with backup
C:\RECYCLER\NPROTECT\00009452.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP50\A0000722.EXE -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP53\A0001127.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP54\A0001139.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP54\A0002139.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0003139.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0003156.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0004156.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0004166.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0004173.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0004183.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP55\A0004205.EXE -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004267.exe -> Trojan.DNSChanger.ag : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004268.sys -> TrojanDownloader.Agent.tc : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004269.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004270.EXE -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004271.exe -> Trojan.DNSChanger.ag : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004286.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004291.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004292.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004293.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004294.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004295.exe -> Trojan.DNSChanger.ag : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004296.sys -> TrojanDownloader.Small.brp : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004297.exe -> Trojan.DNSChanger.ag : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004298.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004299.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004300.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004301.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004309.DLL -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004310.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004311.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004312.DLL -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004316.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004317.DLL -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004325.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004328.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004339.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP57\A0004364.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP57\A0004373.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP58\A0004407.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0005407.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0006407.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0007407.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0008408.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0008421.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009421.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009823.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009827.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009981.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009986.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009989.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009993.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0009996.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0010000.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0010003.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0010007.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0011003.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0011007.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012003.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012007.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012011.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012014.EXE -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012018.DLL -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012019.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012020.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012022.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012023.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012026.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012027.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012029.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012030.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012031.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012032.DLL -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012033.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012035.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012039.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP60\A0013035.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP60\A0013039.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP60\A0014035.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP60\A0014039.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015035.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015039.exe -> Trojan.Agent.fe : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015044.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015051.exe -> TrojanDownloader.Agent.uj : Cleaned with backup
C:\WINDOWS\msresearch.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\sp2update00.exe -> TrojanDownloader.VB.nh : Cleaned with backup
C:\ysbinstall_1003585.exe -> TrojanDownloader.IstBar.is : Cleaned with backup
I:\My Programs\ACDSee V6.0.3 Powerpack Suite\- Read our board rules -\acdseepowerpackv6.0.3.18- Read our board rules -fff.zip/fff-ap6x-reg.exe -> Trojan.Small.cr : Error during cleaning
I:\My Programs\ACDSee V6.0.3 Powerpack Suite\- Read our board rules -\fff-ap6x-reg.exe -> Trojan.Small.cr : Cleaned with backup
I:\My Programs\- Read our board rules -s & Serials\Norton Sustem works 2005\- Read our board rules -.exe -> TrojanDownloader.VB.qr : Cleaned with backup
I:\My Programs\- Read our board rules -s & Serials\Norton Sustem works 2005\Norton_Systemworks_2005.zip/- Read our board rules -.exe -> TrojanDownloader.VB.qr : Error during cleaning
I:\My Programs\Tweak XP pro V3\- Read our board rules -.exe -> TrojanDownloader.IstBar.er : Cleaned with backup
I:\My Programs\Tweak XP pro V3\- Read our board rules -.zip/- Read our board rules -.exe -> TrojanDownloader.IstBar.er : Error during cleaning
I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP57\A0004395.exe -> TrojanDownloader.VB.qr : Cleaned with backup





Logfile of HijackThis v1.99.1
Scan saved at 17:57:12, on 13/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dj Eddie's Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe" "Microcom\ADSL DeskPorte USB"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F50CC43-69C7-4C1E-ACF8-7D50FFEE031A}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS1\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O17 - HKLM\System\CS2\Services\Tcpip\..\{21CDFFEC-F3D9-4653-883E-209A295EDFC0}: NameServer = 85.255.115.90,85.255.112.103
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\rRstapi.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe






Incident Status Location

Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/cws No disinfected C:\Documents and Settings\Dj_Eddie\Favorites\Online - No chance for spammers -
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004302.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004303.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004304.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004305.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004306.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004308.EXE
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004314.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004315.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004318.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP56\A0004319.EXE
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012013.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012016.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012017.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012021.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012024.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012025.DLL
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP59\A0012028.DLL
Virus:Trj/Downloader.FRV Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015111.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015112.exe
Adware:Adware/ISearch No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015113.exe
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015114.exe
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015115.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015116.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015117.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015118.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015119.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015120.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015121.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015122.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015123.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015124.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015125.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015126.exe
Adware:Adware/Findtheweb No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015127.exe
Virus:Trj/Downloader.FOD Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015128.exe
Adware:Adware/IST.ISTBar No disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015129.exe
Virus:Trj/Downloader.FFZ Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015136.exe
Virus:Trj/Pipas.A Disinfected C:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015139.exe
Hacktool:Hacktool/RegPatch.A No disinfected I:\My Programs\ACDSee V6.0.3 Powerpack Suite\- Read our board rules -\acdseepowerpackv6.0.3.18- Read our board rules -fff.zip[fff-ap6x-reg.exe]
Adware:Adware/Ucmore No disinfected I:\My Programs\- Read our board rules -s & Serials\Norton Sustem works 2005\Norton_Systemworks_2005.zip[- Read our board rules -.exe]
Virus:Trj/Nuker.EwK Disinfected I:\My Programs\FireX MIRC\FireX.exe[Satan.exe]
Virus:Trj/Nuker.Vai Disinfected I:\My Programs\FireX MIRC\FireX.exe[VTJNuker.exe]
Hacktool:HackTool/Flood No disinfected I:\My Programs\FireX MIRC\FireX.exe[NHTMLN.DLL]
Adware:Adware/IST.ISTBar No disinfected I:\My Programs\Tweak XP pro V3\- Read our board rules -.zip[- Read our board rules -.exe]
Virus:Trj/Downloader.FPY Disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP57\A0004396.exe[run.exe]
Hacktool:Hacktool/RegPatch.A No disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015130.exe
Adware:Adware/Ucmore No disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015131.exe
Adware:Adware/IST.ISTBar No disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015132.exe
Virus:Trj/Nuker.EwK Disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015143.exe[Satan.exe]
Virus:Trj/Nuker.Vai Disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015143.exe[VTJNuker.exe]
Hacktool:HackTool/Flood No disinfected I:\System Volume Information\_restore{C66AB244-4979-48D7-B3AE-F081EFA13323}\RP61\A0015143.exe[NHTMLN.DLL]

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"RemoteCenter" = "C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" ["Creative Technology Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"CTSysVol" = "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"CTDVDDET" = "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" ["Creative Technology Ltd"]
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"SBDrvDet" = "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"type32" = ""C:\Program Files\Microsoft IntelliType Pro\type32.exe"" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"CnxDslTaskBar" = ""C:\Program Files\Microcom\ADSL DeskPorte USB\CnxDslTb.exe" "Microcom\ADSL DeskPorte USB"" ["Conexant Systems, Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"dmbcd.exe" = "C:\WINDOWS\system32\dmbcd.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{5948C48A-6FA3-4BD7-8E27-F96FF9222BD4}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\rRstapi.dll" [file not found]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csgby.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Startup items in "Dj_Eddie" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 62 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 7 seconds.
---------- (total run time: 84 seconds)

Now what?

#5 Dj_Eddie

Dj_Eddie

    New Member

  • Member
  • 5 posts

Posted 13 November 2005 - 08:24 PM

I also tried to reinstall Norton System Works and after the restart my computer froze (in the Windows Task Manager (Processes) there was an NMain.exe running and using 50 of CPU). Of course I uninstalled it again.
I've noticed too that my connection freezes after a while and I don't have access to the connection tray Icon. When I try to shut down I get a message "connection tray not responding" ...or something.

#6 Mosaic1

Mosaic1

    Most Respected SuperExpert

  • Member
  • 4,576 posts

Posted 13 November 2005 - 09:47 PM

Go to this page and follow the instructions to uninstall your Norton System Works and then restart. Try the reinstall again.

http://service1.syma...=&osv=&osv_lvl=

#7 Dj_Eddie

Dj_Eddie

    New Member

  • Member
  • 5 posts

Posted 13 November 2005 - 11:50 PM

I have uninstalled it but the problems remain

#8 Mosaic1

Mosaic1

    Most Respected SuperExpert

  • Member
  • 4,576 posts

Posted 13 November 2005 - 11:59 PM

When you use - Read our board rules -ed versions of legitimate programs you run great risks. Anything not legitimate should be totally and permanently uninstalled!

Download RootkitRevealer
http://www.sysintern...itrevealer.html


Extract RootkitRevealer

Double click on RootkitRevealer and press Scan.

It will take some time to do a complete scan. When finished press file/save and post the contents of the log please.

#9 Mosaic1

Mosaic1

    Most Respected SuperExpert

  • Member
  • 4,576 posts

Posted 14 November 2005 - 12:09 AM

Do this too please.


Sign off and be sure all internet related programs are closed. Go into Control Panel>Network Connections.

Right click on your connection and click Properties. On the Properties page, highlight Internet Protocol (TCP/IP).

Click Properties. This will bring up another page.

Select Obtain DNS Server Automatically

Click the ok button. The page will close. Press ok on the page in front of you.
EDIT: And I am aware that Silent Runners shows a new nasty file starting from your Run keys, but until I get a fuller picture I am going to wait on trying to remove it. I think you have a rootkit (hidden infection) and I need to see a RootkitRevealer log first.
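As an added example that is not from this thread or from Silent Runners itself: a small Python triage pass over Silent Runners-style output that pulls out the same things Mosaic1 points at in the log above, the `[null data]` entry under the Run key and the populated Winlogon "System" value, plus any line the script already marks with a WARNING. The sample log is constructed from entries quoted in this thread; the parser only handles the `"name" = value [tag]` line form, not the `->` CLSID continuation lines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in Silent Runners' layout, modelled on the entries quoted in this thread.
SAMPLE_LOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems"]
"dmbcd.exe" = "C:\WINDOWS\system32\dmbcd.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csgby.exe" [null data]
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
'''

# A registry key header: HKxx\...\ optionally followed by " {++}" (non-default values shown).
KEY_RE = re.compile(r'^(HK[A-Z]+\\.*\\)(?: \{\+\+\})?$')
# A value line: optional scanner warning, "name" = value, optional trailing [company / null data].
ENTRY_RE = re.compile(r'^(?:(?P<warn>INFECTION|HIJACK) WARNING! )?'
                      r'"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)(?: \[(?P<tag>[^\]]*)\])?$')

@dataclass
class Finding:
    key: str
    name: str
    value: str
    reasons: list = field(default_factory=list)

def parse_entries(text):
    """Yield (key, warn, name, value, tag) for every "name" = value line under a key header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if key and (m := ENTRY_RE.match(line)):
            yield key, m['warn'], m['name'], m['value'], m['tag']

def triage(text):
    """Return the launch points a responder should look at first, with the reason for each."""
    findings = []
    for key, warn, name, value, tag in parse_entries(text):
        reasons = []
        if warn:
            reasons.append(f'scanner marked it {warn} WARNING')
        if tag == 'null data':  # no version resource: almost every vendor binary carries one
            reasons.append('binary carries no version/company info')
        if key.lower().endswith('winlogon\\') and name.lower() == 'system':
            reasons.append('Winlogon "System" is empty on a clean XP install; anything here runs at logon')
        if reasons:
            findings.append(Finding(key, name, value, reasons))
    return findings

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.key}{f.name} = {f.value}\n    ' + '; '.join(f.reasons))
```

Entries with a recognised company tag such as `[MS]` or `["Conexant Systems"]` pass through untouched, so the output is only the handful of lines worth checking by hand.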

