Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old January 17th, 2007, 05:55 AM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Spyware Issue?

Hi All,

Recent my IE has been acting up. After about 10-15 mins of surfing I get the following error which shuts down IE.

AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: ntdll.dll
ModVer: 5.1.2600.1217 Offset: 00019ecd

Could this be a spyware issue? I've also noticed that when I boot up svchost.exe hogs my system resources for a good 5 mins.

Here is a hijack this log that hopefully someone can make sense of.

Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:50:09 PM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\1- Simon\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://home.primus.ca
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Reply With Quote
  #2  
Old January 17th, 2007, 09:40 AM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Hi,

There are some traces from malwares.

Download DelDomains on the desktop. Right click it and choose "Install".

Post this other log, to see more :
Download SilentRunners.vbs.
Run it. It generates a log, wait that the scan is complete (there is a popup at the end). Copy/paste it here, please.
(If your antivirus queries the script, allow it to run. It's not malicious.)
Reply With Quote
  #3  
Old January 17th, 2007, 02:08 PM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Thanks Acrobaze for your reply.

When I try to install DelDomains I get an "Installation Failed" error.Here is the Silent Runner log...

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"IE New Window Maximizer" = "C:\Program Files\IE New Window Maximizer\iemaximizer.exe" ["jiiSoft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe" ["Zone Labs Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"TraySantaCruz" = "C:\WINDOWS\SYSTEM32\tbctray.exe" ["Voyetra Turtle Beach, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
{0A87E45F-537A-40B4-B812-E2544C21A09F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SpywareBlock Class"
\InProcServer32\(Default) = "blank" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
-> {HKLM...CLSID} = "WsftpBrowserHelper Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsbho2k0.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{D120D80B-BD26-4A74-8E43-2C2AF0966139}" = "QuickPar ContextMenu extension"
-> {HKLM...CLSID} = "QuickParContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\QuickPar\QuickParShlExt.dll" ["Peter B Clements"]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> winrzf32\DLLName = "winrzf32.dll" [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandler s\
M2WShlExMenu\(Default) = "{DC6FA7E0-6666-11D5-8CE2-444553540000}"
-> {HKLM...CLSID} = "MP3ToWave Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Acoustica MP3 To Wave Converter PLUS\M2WShlEx.dll" ["Acoustica"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
Quick Par\(Default) = "{D120D80B-BD26-4A74-8E43-2C2AF0966139}"
-> {HKLM...CLSID} = "QuickParContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\QuickPar\QuickParShlExt.dll" ["Peter B Clements"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {HKLM...CLSID} = "RtClkCtxMenu Class"
\InProcServer32\(Default) = "C:\Program Files\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\

"DisallowRun" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{Remove Task Manager}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"Homepage" = (REG_DWORD) hex:0x00000000
{Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\1- Simon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\1- Simon\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "1- Simon" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe" ["Adobe Systems Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 17
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{04849C74-016E-4A43-8AA5-1F01DE57F4A1}\
"ButtonText" = "Trace"
"MenuText" = "VisualRoute Trace"
"CLSIDExtension" = "{8C85E2EE-9FD6-11D5-B770-504D54C10000}"
-> {HKLM...CLSID} = "vrie"
\InProcServer32\(Default) = "C:\Program Files\VisualRoute\vrie.dll" ["VisualWare"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Netropa NHK Server, Nhksrv, "C:\WINDOWS\Nhksrv.exe" [null data]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe -service" ["Zone Labs Inc."]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E 96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monito rs\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 129 seconds, including 12 seconds for message boxes)
Reply With Quote
  #4  
Old January 19th, 2007, 12:29 AM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Hi Acrobaze. Just wondering if you've had an opportunity to review my reply.

Thanks for your time.
Reply With Quote
  #5  
Old January 21st, 2007, 11:18 AM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Close all browser windows, run only HijackThis and tick :

O20 - Winlogon Notify: jkhhg - C:\WINDOWS\
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)

Click "Fix checked" and close HijackThis.

Now :

- Download combofix.exe.

Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window. Please copy/paste that log back here together with a new HijackThis log.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Also :
Download Blacklite to C:\

F-Secure Blacklight: http://www.f-secure.com/blacklight/

Do not run it yet.
Go start>run and paste or type in

c:\blbeta.exe /expert

Click ok or press enter, scan with Blacklite > next then exit.
There will be a new log ( its name is fsblXXXXXXXXXXX.log) next to blacklite, post it after the reboot please.
Reply With Quote
  #6  
Old January 22nd, 2007, 05:29 PM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Thanks Acrobaze.

Here are the results of the scans requested...

Logfile of HijackThis v1.99.1
Scan saved at 11:24:38 AM, on 1/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\1- Simon\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe





"1- Simon" - 07-01-22 11:05:50 Service Pack 1
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\1- Simon\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-14 21:49 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2007-01-14 21:49 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2007-01-14 21:49 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2007-01-03 16:41 <DIR> d-------- C:\DOCUME~1\1-SIMO~1\Application Data\Logitech
2007-01-03 16:29 51,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\i8042prt.sys
2007-01-03 16:29 23,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\kbdclass.sys
2007-01-03 16:29 22,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mouclass.sys
2007-01-03 16:27 89,088 --a------ C:\WINDOWS\SYSTEM32\atl71.dll
2007-01-03 16:27 499,712 --a------ C:\WINDOWS\SYSTEM32\msvcp71.dll
2007-01-03 16:27 348,160 --a------ C:\WINDOWS\SYSTEM32\msvcr71.dll
2007-01-03 16:27 258,352 --a------ C:\WINDOWS\SYSTEM32\unicows.dll
2007-01-03 16:27 13,440 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042Kbd.sys
2007-01-03 16:27 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2007-01-03 16:27 <DIR> d-------- C:\Program Files\Common Files\Logitech
2007-01-03 16:26 68,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\LMouKE.Sys
2007-01-03 16:26 55,040 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\L8042mou.Sys
2007-01-03 16:26 <DIR> d-------- C:\Program Files\Logitech
2006-12-27 17:48 <DIR> d-------- C:\Program Files\Runtime Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))


2007-01-15 22:55 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-14 21:46 -------- d-------- C:\Program Files\registry mechanic
2007-01-14 21:31 -------- d-------- C:\DOCUME~1\1-SIMO~1\Application Data\symantec
2007-01-14 21:19 -------- d-------- C:\Program Files\microsoft money
2007-01-14 21:18 -------- d-------- C:\Program Files\kazaa lite
2007-01-03 16:26 -------- d--h----- C:\Program Files\installshield installation information
2006-12-27 14:49 -------- d-------- C:\Program Files\burrrn


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run]
"IE New Window Maximizer"="C:\\Program Files\\IE New Window Maximizer\\iemaximizer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run\Disabled]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zapro.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72, 6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b ,00
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroChec k.exe"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"TraySantaCruz"="C:\\WINDOWS\\SYSTEM32\\tbctray.ex e"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\Disabled]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.E XE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellTouch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="MMKeybd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\MMKeybd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="gcasServ"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="WCESCOMM"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=dword:00000003

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-01-22 11:08:43



01/22/07 11:12:10 [Info]: BlackLight Engine 1.0.55 initialized
01/22/07 11:12:10 [Info]: OS: 5.1 build 2600 (Service Pack 1)
01/22/07 11:12:10 [Note]: 7019 4
01/22/07 11:12:10 [Note]: 7005 0
01/22/07 11:12:13 [Note]: 7006 0
01/22/07 11:12:13 [Note]: 7022 0
01/22/07 11:12:13 [Note]: 7011 836
01/22/07 11:12:14 [Note]: 7026 0
01/22/07 11:12:14 [Note]: 7026 0
01/22/07 11:12:22 [Note]: FSRAW library version 1.7.1021
01/22/07 11:20:31 [Note]: 7007 0
Reply With Quote
  #7  
Old January 22nd, 2007, 06:46 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ok. The HijackThis log looks clean, now. This computer was infected. One trojan was a "vundo" one ( "winantivirus" in the trusted zone and this Winlogon Notify: jkhhg ).

Run this online scan : http://www.pandasoftware.com/products/activescan.htm
It will not clean. But at the end, its report can be saved. Copy/paste it here.

Also :
Rename the file HijackThis.exe to, for example : Find.bat
And run it. Post its log plus the Panda report, please.
Reply With Quote
  #8  
Old January 22nd, 2007, 10:23 PM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Here are the additional requested scans...


Incident Status Location

Spyware:spyware/betterinet Not disinfected c:\windows\inf\biini.inf
Adware:adware/sidesearch Not disinfected C:\Documents and Settings\1- Simon\Application Data\Lycos
Adware:adware/searchaid Not disinfected C:\Documents and Settings\1- Simon\Application Data\winlink
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\1- Simon\Application Data\Phoenix\Profiles\default\34xwf8n7.slt\cookies .txt[rightmedia.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@ad.yieldmanager[2].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@adtech[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@hitbox[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@mediaplex[1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@paycounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@statse.webtrendslive[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\1- Simon\Cookies\1- simon@tribalfusion[2].txt





Logfile of HijackThis v1.99.1
Scan saved at 4:21:53 PM, on 1/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\1- Simon\Desktop\find.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Reply With Quote
  #9  
Old January 22nd, 2007, 10:53 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
- Download Pocket Killbox from HERE.
Unzip and run it.
In "Paste full path of file..", copy/paste : c:\windows\inf\biini.inf
Tick "Delete on reboot".
Click "Delete file" (the white cross).

Let the computer reboot and post a new log, please.

If it doesn't reboot, then reboot manually.

-----

Download and run IEFix as explained in this page.

Let me know how is running the computer.
Reply With Quote
  #10  
Old January 23rd, 2007, 01:05 AM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Updated scan below...

Logfile of HijackThis v1.99.1
Scan saved at 7:06:00 PM, on 1/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\1- Simon\Desktop\find.bat

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - blank (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Reply With Quote
  #11  
Old January 23rd, 2007, 02:23 AM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
FYI... The problem has become more frequent the last few hours. I get the error every 10 mins or so.
Reply With Quote
  #12  
Old January 24th, 2007, 01:03 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
Ok. I searched some infos about this error :
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: ntdll.dll
ModVer: 5.1.2600.1217 Offset: 00019ecd

It doesn't appear as a malware problem.

I think that it will be better to post in the XP forum.

Good luck !
Reply With Quote
  #13  
Old January 30th, 2007, 04:15 PM
2337lover 2337lover is offline
Senior Member
 
Join Date: Jan 2002
Posts: 197
Thank you for all your efforts Acrobaze. I'll try the XP forum as suggested.
Reply With Quote
  #14  
Old January 30th, 2007, 07:10 PM
Acrobaze Acrobaze is offline
Malware Removal Team
 
Join Date: Nov 2003
O/S: Windows 10 Home
Location: France
Posts: 11,994
You're welcome.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
spyware issue please help! lewislabram Malware Removal 9 June 3rd, 2008 05:02 PM
Spyware issue Demonstroke Malware Removal 4 May 21st, 2008 05:05 AM
Spyware issue ekvin5203 Malware Removal 1 March 25th, 2008 04:43 AM
Spyware issue. Stromstedt Malware Removal 5 November 27th, 2007 05:04 AM
Unknown Spyware Issue Stevenbox Malware Removal 1 March 13th, 2007 02:25 PM


All times are GMT +1. The time now is 09:22 PM.