
"Attention (name) some dangerous trojan horse detected in your system"

Discussion in 'Malware and Virus Removal Archive' started by Elisei, 2008/07/02.

  1. 2008/07/02
    Elisei

    I've been having this problem for a couple of days now... I did some reading and I was directed here to get some help without complicating things by myself, which I probably did. I did a Malwarebytes' Anti-Malware scan yesterday, so I will upload that too, along with the Deckard's System Scanner log. The pop-up stopped yesterday, but I'm not sure that it's gone. I don't know if it's needed, but I'll upload the NOD32 threat log.

    Deckard's System Scanner v20071014.68
    Run by Nenad on 2008-07-02 15:02:12
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2008-07-02 13:02:14 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    System Drive C: has 2.6 GiB (less than 15%) free.


    -- HijackThis (run as Nenad.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:05:54, on 02.07.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Documents and Settings\Nenad\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Nenad.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199284012031
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6406 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - regedit.exe "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 mapledxp - c:\windows\system32\drivers\mapledxp.sys <Not Verified; Jeff Hurchalla and Marble Sound; MarbleSound Maple Midi XP Driver SYS>
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R2 RVIEGVST (VSC VST Engine) - d:\install\rolandvst\rvieg01vst.sys <Not Verified; Roland; Roland VSC Synthesizer Engine>
    R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
    R3 cwcspud (Terratec DMX Xfire 1024 Driver) - c:\windows\system32\drivers\cwcspud.sys <Not Verified; Terratec Electronic GmbH; Terratec CS46XX WDM PCI Driver>
    R3 cwcwdm (Terratec DMX Xfire 1024 WDM Driver) - c:\windows\system32\drivers\cwcwdm.sys <Not Verified; Terratec Electronic GmbH; Terratec CS46XX WDM PCI Driver>

    S2 AKEProtect - c:\program files\anti keylogger elite\akeprotect.sys (file missing)
    S3 ss_bus (Samsung Mobile USB Device 1.0 driver (WDM)) - c:\windows\system32\drivers\ss_bus.sys <Not Verified; MCCI; Samsung Mobile USB Device 1.0>
    S3 ss_mdfl (SAMSUNG Mobile USB Modem 1.0 Filter) - c:\windows\system32\drivers\ss_mdfl.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0 Filter>
    S3 ss_mdm (SAMSUNG Mobile USB Modem 1.0 Drivers) - c:\windows\system32\drivers\ss_mdm.sys <Not Verified; MCCI; SAMSUNG Mobile USB Modem 1.0>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    All services whitelisted.


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    Description: Default Monitor
    Device ID: DISPLAY\DEFAULT_MONITOR\5&133946B9&0&113377A1&01&00
    Manufacturer: (Standard monitor types)
    Name: Default Monitor
    PNP Device ID: DISPLAY\DEFAULT_MONITOR\5&133946B9&0&113377A1&01&00
    Service:

    Class GUID: {4D36E96E-E325-11CE-BFC1-08002BE10318}
    Description: Default Monitor
    Device ID: DISPLAY\DEFAULT_MONITOR\5&133946B9&0&1133779A&01&00
    Manufacturer: (Standard monitor types)
    Name: Default Monitor
    PNP Device ID: DISPLAY\DEFAULT_MONITOR\5&133946B9&0&1133779A&01&00
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-06-26 23:26:01 270 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
    2007-12-20 00:26:41 392 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


    -- Files created between 2008-06-02 and 2008-07-02 -----------------------------

    2008-07-02 00:31:51 0 d-------- C:\Documents and Settings\Nenad\Application Data\Winamp
    2008-07-01 22:21:06 0 d-------- C:\Documents and Settings\Nenad\Application Data\Malwarebytes
    2008-07-01 22:21:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-01 22:20:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-01 18:19:11 0 d-------- C:\Fraps
    2008-07-01 18:18:50 53248 --a------ C:\WINDOWS\system32\uninstpw.exe
    2008-07-01 18:18:50 90112 --a------ C:\WINDOWS\system32\custmon2k.dll
    2008-07-01 18:18:49 24576 --a------ C:\WINDOWS\system32\custsave.exe <Not Verified; Acro Software Inc.; CutePDF Application>
    2008-07-01 18:18:49 0 d-------- C:\Program Files\PDF Writer
    2008-07-01 18:18:27 0 d-------- C:\Program Files\gs
    2008-07-01 18:12:01 0 d-------- C:\Program Files\Planetwide Games
    2008-06-29 23:01:03 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-06-29 22:54:10 0 d-------- C:\VundoFix Backups
    2008-06-29 20:40:08 20371 --a------ C:\WINDOWS\system32\MagicV2mEngine.dll
    2008-06-29 17:54:45 0 d-------- C:\Documents and Settings\Nenad\Application Data\PC Tools
    2008-06-29 13:57:44 0 d-------- C:\Program Files\XoftSpySE
    2008-06-28 23:50:49 4 -r-hs---- C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
    2008-06-28 23:49:45 0 d-------- C:\Program Files\plasq
    2008-06-28 23:34:41 0 d--hs---- C:\WINDOWS\ftpcache
    2008-06-28 20:30:38 0 d-------- C:\Program Files\Common Files\DFX
    2008-06-28 20:03:42 0 d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2008-06-28 20:03:40 0 d-------- C:\Program Files\DFX
    2008-06-28 20:02:12 0 d-------- C:\Program Files\QO Labs
    2008-06-17 20:22:07 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-17 20:21:29 0 d-------- C:\Program Files\Common Files\Skype
    2008-06-05 04:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
    2008-06-05 04:23:24 0 d-------- C:\Program Files\MSBuild
    2008-06-05 04:10:52 0 d-------- C:\WINDOWS\system32\XPSViewer
    2008-06-05 04:08:34 0 d-------- C:\Program Files\Reference Assemblies
    2008-06-05 00:13:50 0 d-------- C:\Documents and Settings\Nenad\Application Data\Waves Preferences
    2008-06-05 00:11:25 0 d-------- C:\Documents and Settings\Nenad\Application Data\Waves Audio
    2008-06-05 00:05:26 0 d-------- C:\Program Files\Waves


    -- Find3M Report ---------------------------------------------------------------

    2008-07-02 14:56:01 0 d-------- C:\Documents and Settings\Nenad\Application Data\Skype
    2008-07-02 14:31:43 0 d-------- C:\Documents and Settings\Nenad\Application Data\skypePM
    2008-07-02 05:11:07 0 d-------- C:\Documents and Settings\Nenad\Application Data\BitTorrent
    2008-07-02 03:21:00 0 d-------- C:\Program Files\Cakewalk
    2008-07-02 03:11:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-02 00:34:39 0 d-------- C:\Program Files\Winamp
    2008-07-01 22:09:40 0 d-------- C:\Program Files\Spyware Doctor
    2008-07-01 22:08:57 0 d-------- C:\Program Files\Readerware
    2008-06-29 23:01:25 0 d-------- C:\Program Files\PowerISO
    2008-06-29 22:52:44 0 d-------- C:\Program Files\eMule
    2008-06-29 17:53:57 0 d-------- C:\Program Files\Common Files
    2008-06-23 11:07:11 0 d-------- C:\Program Files\SecondLife
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei9
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei8
    2008-06-17 22:00:44 469 --a------ C:\WINDOWS\system32\Datei7
    2008-06-17 22:00:44 465 --a------ C:\WINDOWS\system32\Datei6
    2008-06-17 22:00:44 469 --a------ C:\WINDOWS\system32\Datei5
    2008-06-17 22:00:44 471 --a------ C:\WINDOWS\system32\Datei4
    2008-06-17 22:00:44 470 --a------ C:\WINDOWS\system32\Datei3
    2008-06-17 22:00:44 471 --a------ C:\WINDOWS\system32\Datei2
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei10
    2008-06-17 22:00:44 470 --a------ C:\WINDOWS\system32\Datei1
    2008-06-17 22:00:44 468 --a------ C:\WINDOWS\system32\Datei0
    2008-06-17 20:25:21 0 d-------- C:\Program Files\Last.fm
    2008-06-07 12:41:26 0 d-------- C:\Program Files\BitTorrent
    2008-06-05 04:50:56 0 d-------- C:\Documents and Settings\Nenad\Application Data\Sony
    2008-06-05 04:27:24 0 d-------- C:\Program Files\Sony
    2008-06-05 04:01:32 0 d-------- C:\Documents and Settings\Nenad\Application Data\Sony Setup
    2008-06-05 00:52:33 0 d-------- C:\Program Files\Vstplugins
    2008-06-05 00:52:18 0 d-------- C:\Program Files\Native Instruments
    2008-06-04 23:24:20 0 d-------- C:\Program Files\Steinberg
    2008-06-04 23:23:59 0 d-------- C:\Program Files\Syncrosoft
    2008-06-01 18:35:24 0 d-------- C:\Program Files\Garritan Gofriller Cello
    2008-05-31 18:04:41 1700352 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-31 17:55:42 0 d-------- C:\Program Files\Garritan Personal Orchestra
    2008-05-31 17:53:19 0 d-------- C:\Program Files\Garritan Jazz Big Band
    2008-05-31 17:45:11 0 d-------- C:\Program Files\Finale 2006
    2008-05-31 16:07:56 0 d-------- C:\Program Files\Common Files\Digidesign
    2008-05-31 04:10:18 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-05-31 03:43:56 0 d-------- C:\Documents and Settings\Nenad\Application Data\Garritan
    2008-05-31 03:40:05 0 d-------- C:\Program Files\Garritan
    2008-05-31 03:20:32 0 d-------- C:\Program Files\GenieSoft
    2008-05-31 02:30:12 0 d-------- C:\Program Files\GameSpy Arcade
    2008-05-30 16:35:47 0 d-------- C:\Documents and Settings\Nenad\Application Data\Cakewalk
    2008-05-30 16:33:36 118784 --a------ C:\WINDOWS\dsdxirmv.exe
    2008-05-30 15:47:05 0 d-------- C:\Program Files\Digidesign
    2008-05-25 01:28:42 0 d-------- C:\Documents and Settings\Nenad\Application Data\LimeWire
    2008-05-15 04:56:48 0 d-------- C:\Program Files\The Rosetta Stone
    2008-05-15 03:21:00 0 d-------- C:\Documents and Settings\Nenad\Application Data\Publish Providers
    2008-05-05 01:40:41 0 d-------- C:\Program Files\Grammatica32SG
    2008-05-02 15:23:37 0 d-------- C:\Program Files\Veoh Networks
    2008-04-19 18:15:09 74752 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic per Windows>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [18.12.2007 18:11]
    "Xfire"="Xfire.exe" []
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [20.07.2005 22:07]
    "nwiz"="nwiz.exe" [20.07.2005 22:07 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [20.07.2005 22:07]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [13.01.2008 04:38]
    "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19.07.2005 18:32]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [08.06.2005 16:14]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 02:11]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [29.02.2008 01:55]
    "H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [01.11.2005 01:00]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
    "KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [01.04.2008 20:49]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56]
    "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [08.06.2005 15:44]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18.10.2007 12:34]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
    "ProxyWay"="C:\Program Files\ProxyWay\proxyway.exe" []
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30.05.2008 15:54]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 11:43]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




    -- End of Deckard's System Scanner: finished at 2008-07-02 15:06:57 ------------




    Malwarebytes' Anti-Malware 1.19
    Database version: 912
    Windows 5.1.2600 Service Pack 2

    23:47:04 01.07.2008
    mbam-log-7-1-2008 (23-47-04).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 238918
    Time elapsed: 1 hour(s), 9 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 6
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8ae578e0-6df5-41e0-869f-f65a32d2f6bd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8ae578e0-6df5-41e0-869f-f65a32d2f6bd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\MediaVideoCodec (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\downld (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Nenad\My Documents\Downloads\Comic Life Deluxe Edition v1.3.5\Comic Life Deluxe Edition v1.3.5\junla\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


    NOD32

    Time Module Object Name Threat Action User Information
    01.07.2008 23:46:00 AMON file E:\eMule\Virtumonde_Remover_build_40_beta\Virtumonde_Remover_build_40_beta.exe Win32/Bagle.PB worm deleted NENO\Nenad Event occurred at an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    01.07.2008 23:45:59 AMON file E:\eMule\Trojan.Vundo free Removal Tool 1.5\Trojan.Vundo free Removal Tool 1.5.exe Win32/Bagle.PB worm deleted NENO\Nenad Event occurred at an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    01.07.2008 23:45:55 AMON file E:\eMule\eMule\Virtumonde_Remover_build_40_beta.exe Win32/Bagle.PB worm deleted NENO\Nenad Event occurred at an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    01.07.2008 23:45:52 AMON file E:\eMule\eMule\Trojan.Vundo free Removal Tool 1.5.exe Win32/Bagle.PB worm deleted NENO\Nenad Event occurred at an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    01.07.2008 23:45:43 AMON file C:\Documents and Settings\Nenad\Local Settings\Temporary Internet Files\Content.IE5\81E1LRP9\c-setup[1].exe Win32/Adware.IeDefender.NFX application deleted NENO\Nenad Event occurred at an attempt to access the file by the application: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe.
    01.07.2008 12:10:55 Kernel file c:\program files\logitech\video\isstart.exe Win32/Bagle.PB worm Alert was generated during the system startup file check.
    30.06.2008 19:53:08 AMON file C:\WINDOWS\SYSTEM32\XMLVIEW.DLL Win32/Adware.IeDefender.NFX application deleted (after the next restart) NENO\Nenad Event occurred when attempting to access the file.
    30.06.2008 18:49:22 Kernel file C:\WINDOWS\system32\xmlview.dll Win32/Adware.IeDefender.NFX application Alert was generated during the system startup file check.
    30.06.2008 18:49:16 Kernel file c:\windows\system32\xmlview.dll Win32/Adware.IeDefender.NFX application Alert was generated during the system startup file check.
    30.06.2008 18:48:54 Kernel file c:\program files\logitech\video\isstart.exe Win32/Bagle.PB worm Alert was generated during the system startup file check.
    28.06.2008 19:28:25 AMON file C:\DOCUME~1\Nenad\LOCALS~1\Temp\IXP000.TMP\IYPAQE~1.EXE Win32/Adware.Virtumonde application quarantined - deleted NENO\Nenad Event occurred on a new file created by the application: C:\Documents and Settings\Nenad\My Documents\Downloads\35 Windows Xp Professional Fantasy Themes [2008]\35 Windows Xp Professional Fantasy Themes [2008]\35 Windows Xp Professional Fantasy Themes [2008].exe. The file was moved to quarantine. You may close this window.
    08.06.2008 04:11:22 AMON file C:\Documents and Settings\Nenad\Incomplete\T-3545425-milice foltin.mp3 WMA/TrojanDownloader.Wimad.N trojan quarantined - deleted NENO\Nenad Event occurred on a file modified by the application: C:\Program Files\LimeWire\LimeWire.exe. The file was moved to quarantine. You may close this window.

    Thank you for helping... I'll wait for further instructions.
     
  2. 2008/07/03
    noahdfear

    Welcome to WindowsBBS Elisei :)

    Logs look clean. I only see a couple of broken file associations, which we can use dss.exe to fix. Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit Enter.
    • An interface of Deckard's file association fix will open.
    • Click Scan.
    • Check the box next to the following entries, then click Fix.
      • .reg
      • .scr
    • Exit when complete.


    It would probably be a good idea to run an online scan too. Please scan with Kaspersky WebScanner.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on Next.
    • Now click on Scan Settings.
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Extended (if available, otherwise Standard)
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
    • Click OK.
    • Now under "Select a target to scan":
      • Select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, it will display whether your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh dss log to this topic.
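Editor's note, not part of noahdfear's reply: the HijackThis section of the DSS log above is what a helper reads before declaring the logs clean, and several of those checks are mechanical. The Python below is an added example (not a WindowsBBS, Deckard's or HijackThis tool) that parses O2, O4 and O20 lines and flags the three things a reviewer looks at first: a BHO whose CLSID is still registered but whose DLL is "(no file)" (the {7E853D72-...} entry above), an autorun whose command is a bare file name resolved through the search path rather than a full path (Xfire.exe, nwiz.exe), and any AppInit_DLLs value, since that DLL is loaded into every process that loads user32.dll and has to be tied to a known vendor (here Kaspersky's adialhk.dll). The sample lines are copied from the log posted above; the regular expressions are my reading of the HijackThis 2.0.2 line format shown there, not anything the tool documents.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Sample lines copied from the HijackThis section of the DSS log posted
# above (not constructed); the RUNDLL32 entries are left out on purpose.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# One HijackThis entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ..."
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O20 body: "AppInit_DLLs: <dll path>"
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section (O2, O4, O20)
    name: str      # BHO name, Run value name, or "AppInit_DLLs"
    target: str    # CLSID, executable, or DLL path that needs a human look
    reason: str    # why it was flagged


def executable_of(cmd: str) -> str:
    """Program part of a Run command line: the quoted path if the command
    starts with a quote, otherwise the first whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag entries a log reviewer verifies by hand. None of them is proof of
    infection on its own; the point is to surface what must be looked at."""
    findings: List[Finding] = []
    for sec, body in parse_hjt(text):
        if sec == "O2":
            m = BHO_RE.match(body)
            if m and m["path"].strip() == "(no file)":
                findings.append(Finding(sec, m["name"], m["clsid"],
                    "BHO CLSID still registered but its DLL is gone (orphaned registration)"))
        elif sec == "O4":
            m = RUN_RE.match(body)
            if m:
                exe = executable_of(m["cmd"])
                # A bare name like "Xfire.exe" is resolved through the search path;
                # a full path (or %systemroot%\...) states exactly what runs.
                if "\\" not in exe and ":" not in exe:
                    findings.append(Finding(sec, m["name"], exe,
                        "autorun command is a bare file name, not a full path"))
        elif sec == "O20":
            m = APPINIT_RE.match(body)
            if m:
                findings.append(Finding(sec, "AppInit_DLLs", m["path"].strip(),
                    "DLL loaded into every process that loads user32.dll; confirm the vendor"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<20}{f.target}\n      {f.reason}")
```

Run against the sample it reports four findings and nothing else, which matches noahdfear's reading: the orphaned BHO is leftover registration, the two bare names need their on-disk file checked, and the AppInit DLL belongs to a named product. The bare-name rule also fires on `RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup`-style entries, where the DLL argument, not rundll32 itself, is the thing to verify.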
     

  4. 2008/07/03
    Elisei

    Thanks for the welcome, noahdfear, I'm glad to be here. Here are the logs:


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, July 03, 2008 11:04:41 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 3/07/2008
    Kaspersky Anti-Virus database records: 910352
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    J:\
    K:\
    L:\

    Scan Statistics:
    Total number of scanned objects: 224171
    Number of viruses found: 3
    Number of infected objects: 7
    Number of suspicious objects: 0
    Duration of the scan process: 05:33:32

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\call256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chat256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chat512.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmember256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmsg1024.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmsg2048.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmsg256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmsg4096.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatmsg512.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatsync\23\2357afd127cec2e0.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\chatsync\2d\2d1b4395b50d81b4.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\dyncontent\bundle.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\index2.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\profile16384.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\transfer1024.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\transfer256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\transfer512.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\user1024.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\user16384.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\user4096.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Application Data\Skype\fala.neno\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\Nenad\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Application Data\Microsoft\Windows Live Contacts\t.n.lemon.novecento@hotmail.com\real\members.stg Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Application Data\Microsoft\Windows Live Contacts\t.n.lemon.novecento@hotmail.com\shadow\members.stg Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Temp\~DFB61F.tmp Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Temp\~DFB62A.tmp Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Temp\~DFC2ED.tmp Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Temp\~DFC2FB.tmp Object is locked skipped
    C:\Documents and Settings\Nenad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Nenad\My Documents\Downloads\HijackThis_2_0_2(New).rar/HijackThis_2_0_2(New).EXE/data0000.cab/UNINST~2.EXE Infected: Trojan.Win32.Monder.gen skipped
    C:\Documents and Settings\Nenad\My Documents\Downloads\HijackThis_2_0_2(New).rar/HijackThis_2_0_2(New).EXE/data0000.cab Infected: Trojan.Win32.Monder.gen skipped
    C:\Documents and Settings\Nenad\My Documents\Downloads\HijackThis_2_0_2(New).rar/HijackThis_2_0_2(New).EXE Infected: Trojan.Win32.Monder.gen skipped
    C:\Documents and Settings\Nenad\My Documents\Downloads\HijackThis_2_0_2(New).rar RAR: infected - 3 skipped
    C:\Documents and Settings\Nenad\My Documents\My Chat Logs\Recorded Events.xml Object is locked skipped
    C:\Documents and Settings\Nenad\My Documents\My Chat Logs\јули 2008\junfankungfu@hotmail.com.html Object is locked skipped
    C:\Documents and Settings\Nenad\My Documents\My Chat Logs\јули 2008\m_ilina@hotmail.com.html Object is locked skipped
    C:\Documents and Settings\Nenad\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Nenad\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Eset\cache\CACHE.NDB Object is locked skipped
    C:\Program Files\Eset\infected\TRXJWRBA.NQF Infected: Trojan.Win32.Pakes.den skipped
    C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
    C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\CSC\00000001 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\NetLimit.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    E:\Install\CD clone, image\Nero 8\Nero\Nero\Nero-8.2.8.0eng.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    E:\Install\CD clone, image\Nero 8\Nero\Nero\Nero-8.2.8.0eng.exe 7-Zip: infected - 1 skipped
    E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    Scan process completed.


    Deckard's System Scanner v20071014.68
    Run by Nenad on 2008-07-03 23:16:15
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    System Drive C: has 1.4 GiB (less than 15%) free.


    -- HijackThis (run as Nenad.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:16:17, on 03.07.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Nenad\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Nenad.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199284012031
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7066 bytes

    -- Files created between 2008-06-03 and 2008-07-03 -----------------------------

    2008-07-03 15:17:35 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-07-03 03:39:38 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-07-03 03:11:03 0 d-------- C:\Program Files\Bonjour
    2008-07-03 02:58:51 0 d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-07-02 00:31:51 0 d-------- C:\Documents and Settings\Nenad\Application Data\Winamp
    2008-07-01 22:21:06 0 d-------- C:\Documents and Settings\Nenad\Application Data\Malwarebytes
    2008-07-01 22:21:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-01 22:20:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-01 18:19:11 0 d-------- C:\Fraps
    2008-07-01 18:18:50 53248 --a------ C:\WINDOWS\system32\uninstpw.exe
    2008-07-01 18:18:50 90112 --a------ C:\WINDOWS\system32\custmon2k.dll
    2008-07-01 18:18:49 24576 --a------ C:\WINDOWS\system32\custsave.exe <Not Verified; Acro Software Inc.; CutePDF Application>
    2008-07-01 18:18:49 0 d-------- C:\Program Files\PDF Writer
    2008-07-01 18:18:27 0 d-------- C:\Program Files\gs
    2008-07-01 18:12:01 0 d-------- C:\Program Files\Planetwide Games
    2008-06-29 23:01:03 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
    2008-06-29 22:54:10 0 d-------- C:\VundoFix Backups
    2008-06-29 20:40:08 20371 --a------ C:\WINDOWS\system32\MagicV2mEngine.dll
    2008-06-29 17:54:45 0 d-------- C:\Documents and Settings\Nenad\Application Data\PC Tools
    2008-06-29 13:57:44 0 d-------- C:\Program Files\XoftSpySE
    2008-06-28 23:50:49 4 -r-hs---- C:\Documents and Settings\All Users\Application Data\sysqcl0.dat
    2008-06-28 23:49:45 0 d-------- C:\Program Files\plasq
    2008-06-28 23:34:41 0 d--hs---- C:\WINDOWS\ftpcache
    2008-06-28 20:30:38 0 d-------- C:\Program Files\Common Files\DFX
    2008-06-28 20:03:42 0 d-------- C:\Documents and Settings\All Users\Application Data\DFX
    2008-06-28 20:03:40 0 d-------- C:\Program Files\DFX
    2008-06-28 20:02:12 0 d-------- C:\Program Files\QO Labs
    2008-06-17 20:22:07 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
    2008-06-17 20:21:29 0 d-------- C:\Program Files\Common Files\Skype
    2008-06-05 04:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Sony
    2008-06-05 04:23:24 0 d-------- C:\Program Files\MSBuild
    2008-06-05 04:10:52 0 d-------- C:\WINDOWS\system32\XPSViewer
    2008-06-05 04:08:34 0 d-------- C:\Program Files\Reference Assemblies
    2008-06-05 00:13:50 0 d-------- C:\Documents and Settings\Nenad\Application Data\Waves Preferences
    2008-06-05 00:11:25 0 d-------- C:\Documents and Settings\Nenad\Application Data\Waves Audio
    2008-06-05 00:05:26 0 d-------- C:\Program Files\Waves


    -- Find3M Report ---------------------------------------------------------------

    2008-07-03 23:14:37 0 d-------- C:\Documents and Settings\Nenad\Application Data\Skype
    2008-07-03 23:08:26 0 d-------- C:\Documents and Settings\Nenad\Application Data\Adobe
    2008-07-03 21:56:31 0 d-------- C:\Documents and Settings\Nenad\Application Data\skypePM
    2008-07-03 03:10:59 0 d-------- C:\Program Files\Common Files\Adobe
    2008-07-03 02:58:51 0 d-------- C:\Program Files\Common Files
    2008-07-02 05:11:07 0 d-------- C:\Documents and Settings\Nenad\Application Data\BitTorrent
    2008-07-02 03:21:00 0 d-------- C:\Program Files\Cakewalk
    2008-07-02 03:11:24 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-02 00:34:39 0 d-------- C:\Program Files\Winamp
    2008-07-01 22:09:40 0 d-------- C:\Program Files\Spyware Doctor
    2008-07-01 22:08:57 0 d-------- C:\Program Files\Readerware
    2008-06-29 23:01:25 0 d-------- C:\Program Files\PowerISO
    2008-06-29 22:52:44 0 d-------- C:\Program Files\eMule
    2008-06-23 11:07:11 0 d-------- C:\Program Files\SecondLife
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei9
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei8
    2008-06-17 22:00:44 469 --a------ C:\WINDOWS\system32\Datei7
    2008-06-17 22:00:44 465 --a------ C:\WINDOWS\system32\Datei6
    2008-06-17 22:00:44 469 --a------ C:\WINDOWS\system32\Datei5
    2008-06-17 22:00:44 471 --a------ C:\WINDOWS\system32\Datei4
    2008-06-17 22:00:44 470 --a------ C:\WINDOWS\system32\Datei3
    2008-06-17 22:00:44 471 --a------ C:\WINDOWS\system32\Datei2
    2008-06-17 22:00:44 467 --a------ C:\WINDOWS\system32\Datei10
    2008-06-17 22:00:44 470 --a------ C:\WINDOWS\system32\Datei1
    2008-06-17 22:00:44 468 --a------ C:\WINDOWS\system32\Datei0
    2008-06-17 20:25:21 0 d-------- C:\Program Files\Last.fm
    2008-06-07 12:41:26 0 d-------- C:\Program Files\BitTorrent
    2008-06-05 04:50:56 0 d-------- C:\Documents and Settings\Nenad\Application Data\Sony
    2008-06-05 04:27:24 0 d-------- C:\Program Files\Sony
    2008-06-05 04:01:32 0 d-------- C:\Documents and Settings\Nenad\Application Data\Sony Setup
    2008-06-05 00:52:33 0 d-------- C:\Program Files\Vstplugins
    2008-06-05 00:52:18 0 d-------- C:\Program Files\Native Instruments
    2008-06-04 23:24:20 0 d-------- C:\Program Files\Steinberg
    2008-06-04 23:23:59 0 d-------- C:\Program Files\Syncrosoft
    2008-06-01 18:35:24 0 d-------- C:\Program Files\Garritan Gofriller Cello
    2008-05-31 18:04:41 1700352 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-31 17:55:42 0 d-------- C:\Program Files\Garritan Personal Orchestra
    2008-05-31 17:53:19 0 d-------- C:\Program Files\Garritan Jazz Big Band
    2008-05-31 17:45:11 0 d-------- C:\Program Files\Finale 2006
    2008-05-31 16:07:56 0 d-------- C:\Program Files\Common Files\Digidesign
    2008-05-31 04:10:18 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-05-31 03:43:56 0 d-------- C:\Documents and Settings\Nenad\Application Data\Garritan
    2008-05-31 03:40:05 0 d-------- C:\Program Files\Garritan
    2008-05-31 03:20:32 0 d-------- C:\Program Files\GenieSoft
    2008-05-31 02:30:12 0 d-------- C:\Program Files\GameSpy Arcade
    2008-05-30 16:35:47 0 d-------- C:\Documents and Settings\Nenad\Application Data\Cakewalk
    2008-05-30 16:33:36 118784 --a------ C:\WINDOWS\dsdxirmv.exe
    2008-05-30 15:47:05 0 d-------- C:\Program Files\Digidesign
    2008-05-25 01:28:42 0 d-------- C:\Documents and Settings\Nenad\Application Data\LimeWire
    2008-05-15 04:56:48 0 d-------- C:\Program Files\The Rosetta Stone
    2008-05-15 03:21:00 0 d-------- C:\Documents and Settings\Nenad\Application Data\Publish Providers
    2008-05-05 01:40:41 0 d-------- C:\Program Files\Grammatica32SG
    2008-04-19 18:15:09 74752 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic per Windows>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [18.12.2007 18:11]
    "Xfire "= "Xfire.exe" []
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [20.07.2005 22:07]
    "nwiz "= "nwiz.exe" [20.07.2005 22:07 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [20.07.2005 22:07]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [13.01.2008 04:38]
    "LVCOMSX "= "C:\WINDOWS\system32\LVCOMSX.EXE" [19.07.2005 18:32]
    "LogitechVideoTray "= "C:\Program Files\Logitech\Video\LogiTray.exe" [08.06.2005 16:14]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 02:11]
    "nod32kui "= "C:\Program Files\Eset\nod32kui.exe" [29.02.2008 01:55]
    "H2O "= "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [01.11.2005 01:00]
    "NBKeyScan "= "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" []
    "KernelFaultCheck "= "C:\WINDOWS\system32\dumprep 0 -k" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:56]
    "Uniblue RegistryBooster 2 "= "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
    "LogitechSoftwareUpdate "= "C:\Program Files\Logitech\Video\ManifestEngine.exe" [08.06.2005 15:44]
    "msnmsgr "= "C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18.10.2007 12:34]
    "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" []
    "ProxyWay "= "C:\Program Files\ProxyWay\proxyway.exe" []
    "Skype "= "C:\Program Files\Skype\Phone\Skype.exe" [30.05.2008 15:54]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 11:43]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,




    -- End of Deckard's System Scanner: finished at 2008-07-03 23:16:50 ------------
     
  5. 2008/07/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The Kaspersky results can be misleading. You actually have only 1 infection that is to be considered a threat, and it's not a threat because it's in quarantine by Eset (Nod32). So, delete any items in quarantine via the Nod32 interface.

You should also delete any items quarantined by MBAM.


    Scan again with HijackThis and place a check next to the following entries.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    Close all other windows then click Fix Checked. Close HijackThis.


    Delete the following files and folder.

    VundoFix.exe, if present
    C:\WINDOWS\system32\VundoFixSVC.exe
    C:\VundoFix Backups

    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

• The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot

    If you're satisfied that the computer is working properly, clear the System Restore points. They are likely infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply to turn System Restore back on. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Post back with a fresh HijackThis log and give me a status report.
     
  6. 2008/07/05
    Elisei

    Elisei Inactive Thread Starter

    Joined:
    2008/07/01
    Messages:
    10
    Likes Received:
    0
I've done all that you asked, and created a new system restore point. Everything seems to be working fine now, but what do I know :) you should tell me... Here is the fresh HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:05:23, on 05.07.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199284012031
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 6912 bytes
     
  7. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hmmm, 1 entry remains in HijackThis. Please fix the following.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    After you've restarted the machine (doesn't have to be right now, just when you do) do another scan and see if that line has returned.
     
  8. 2008/07/05
    Elisei

    Elisei Inactive Thread Starter

    Joined:
    2008/07/01
    Messages:
    10
    Likes Received:
    0
The file stays, even after I deleted it for the second time:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:40:15, on 05.07.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Xfire] Xfire.exe /minimize
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199284012031
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7063 bytes
     
  9. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It may just be HijackThis improperly reporting the associated file as missing. The entry is related to Windows Live Messenger and is probably being put back automatically partially due to WLM running at system startup. It should be fine to leave as is. Everything else looks good. :)
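An added example (my own code, not from the thread or from HijackThis): a small Python parser that pulls the O2 (Browser Helper Object) lines out of two HijackThis scans, lists the entries whose DLL is reported as "(no file)", and checks which of the entries fixed in the earlier scan are back in the later one, which is the check noahdfear asks for in post 7. The two sample scans are constructed from lines in this thread and are shortened.

```python
import re

# Constructed sample: two abbreviated HijackThis v2.0.2 scans (O2 = Browser Helper
# Objects, O4 = autostart entries), modelled on the logs posted in this thread.
SCAN_BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
"""
# Scan taken after the orphaned BHO was "fixed" and the machine rebooted: the entry is back.
SCAN_AFTER = SCAN_BEFORE

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")


def parse_bhos(log):
    """Map CLSID -> (display name, DLL path) for every O2 line in a HijackThis log."""
    bhos = {}
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos[m["clsid"].upper()] = (m["name"], m["path"])
    return bhos


def orphaned_bhos(log):
    """CLSIDs whose DLL HijackThis reports as '(no file)'.

    Such a registration cannot load anything, so on its own it is inert; it is
    worth a look mainly because leftovers often point at an uninstalled program."""
    return sorted(c for c, (_, path) in parse_bhos(log).items() if path == "(no file)")


def returned_entries(before, after, fixed):
    """Which of the CLSIDs fixed in the earlier scan are present again in the later one.

    An entry that reappears after a reboot is typically re-created by a program that
    starts with Windows; in this thread the entry is attributed to Windows Live Messenger."""
    gone = {c.upper() for c in fixed if c.upper() in parse_bhos(before)}
    return sorted(gone & set(parse_bhos(after)))


if __name__ == "__main__":
    fixed = orphaned_bhos(SCAN_BEFORE)
    print("orphaned BHOs:", fixed)
    print("returned after reboot:", returned_entries(SCAN_BEFORE, SCAN_AFTER, fixed))
```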
     
  10. 2008/07/05
    Elisei

    Elisei Inactive Thread Starter

    Joined:
    2008/07/01
    Messages:
    10
    Likes Received:
    0
Thank you very much noah...I really appreciate the help you gave me...I'm a teacher of Italian language and literature, so if you need any help, like translations or anything else that I might do, I'd be happy to assist. Just PM me and I will leave you my mail. Thanks again.
     
  11. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're quite welcome, Elisei. I'm happy I was able to help. :)

    Thank you for the offer. I will keep that in mind. ;)

    Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
     
