|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
LSP Issues???
I posted this originally in the XP forum but I think that maybe I was supposed to post here...
I am having what I think is an LSP issue and I can't figure out how to fix it. I have searched for a similar problem and found some but none with my exact problem. Any help would be appreciated. i am working on a laptop with windows xp 2 days ago I had a Malware issue... whatever it was attacked my desktop, changed the desktop picture to look like a popup window that informed me that i had spyware on my compter and that i should download xpantivirus2008 there was also a real popupwindow that asked me to accept and install xpantivirus2008 i did not accept it but instead shut down the computer (it was the only way to get rid of the popup) when i rebooted the popup was gone but the desktop "pop up" image was still there. i right clicked on the desktop to find that it had been attacked and my desktop and screensaver tabs were gone i rebooted in safe mode and started running spybot s&d and while running a screen saver started that was made to look like the laptop was restarting and it gave me a fake blue screen that told me to restart i have run the following spyware software: hjthis spybot s&d adaware se super antispyware malwarebytes hjthis was detecting an odd file: mdnsnsp.dll i ran lspfix and got rid of it and then ran all of my spyware programs in safe mode i was getting something about bonjour in my hjt so i uninstalled it then i ran my antivirus and rebooted i went into firefox and surfed the web with no issues i then, just to check, went into ie and then i started getting server can't be reached try again messages in ie and firefox i am guessing that this is now an lsp issue any help would be appreciated my hjt log: Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\1XConfig.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe |
#2
|
|||
|
|||
Welcome to CTH philstubbs,
That is an unusually small log you have there, did you fix everything else with HijackThis or is it incomplete? Specialized tools like HijackThis and LSPFix are not meant to be used by people who don't understand how they work and what they do. The "mdnsnsp.dll" file is legitimate and related to Apple's Bonjour, which is usually installed along with iTunes which I see you have in your system. Let me know the exact steps you followed to use LSPFix. At this point, since you requested assistance here, stop doing any more changes on your own please. Run HijackThis again and post back the new log it will create in full and I would also like to see another kind of scan, go here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Please post back the HijackThis log and the Silent Runners log. |
#3
|
|||
|
|||
Thanks for your help.
My biggest mistake is trying to get advice from too many places.. that's why i settled down and decided to ask someone who knows what's going on. i ran the silent runners program but i can't find the startup programs silent runners file. if you can direct me to that log i will post it as well. all of the processes i had on my ignore list on hjthis i put back into the fold so you could see what was there also. here's the file: Logfile of HijackThis v1.98.2 Scan saved at 12:36:46 PM, on 8/24/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\1XConfig.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab |
#4
|
|||
|
|||
also, for what it's worth, at the moment i am able to use the laptop in firefox and it's not giving me any issues. i have not opened ie
|
#5
|
|||
|
|||
Figured out the other log:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++} "SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"] "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {HKLM...CLSID} = "Display Panning CPL Extension" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "6 Months of AOL Included" -> {HKLM...CLSID} = "America Online" \InProcServer32\(Default) = "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll" ["America Online, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"] "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension" -> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.d ll" ["Roxio"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP Shell Extension" -> {HKLM...CLSID} = "CuteFTP Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\GlobalSCAPE\CuteFTP\CuteShell.dll " [empty string] "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] "{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive" -> {HKLM...CLSID} = "GMail Drive" \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet" -> {HKLM...CLSID} = "GMailFS Property Sheet" \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler" -> {HKLM...CLSID} = "GMailFS Drop Handler" \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu" -> {HKLM...CLSID} = "GMailFS Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] "{a45cfb7d-6e23-40b5-94fa-290314f01dc5}" = "Better File Rename" -> {HKLM...CLSID} = "Better File Rename" \InProcServer32\(Default) = "C:\Program Files\Better File Series\BfrExt.dll" ["Informatique sur Mesure"] "{a5ae61b0-130e-4097-a7e3-ce7eb6597f15}" = "Better File Select" -> {HKLM...CLSID} = "Better File Select" \InProcServer32\(Default) = "C:\Program Files\Better File Series\BfsExt.dll" ["ISM"] "{04c71d05-8862-44e8-9e99-965b69494244}" = "Better File Attributes" -> {HKLM...CLSID} = "Better File Attributes" \InProcServer32\(Default) = "C:\Program Files\Better File Series\BfaExt.dll" ["ISM"] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "My Sharing Folders" \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided) -> {HKLM...CLSID} = "SABShellExecuteHook Class" \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"] HKLM\SYSTEM\CurrentControlSet\Control\SecurityProv iders\ <<!>> ("msapsspc.dll schannel.dll digest.dll msnsspc.dll" [MS]) "SecurityProviders" = "msapsspc.dll schannel.dll digest.dll msnsspc.dll" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"] <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] <<!>> NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" [null data] <<!>> Sebring\DLLName = "C:\WINDOWS\system32\LgNotify.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandler s\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandler s\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}" -> {HKLM...CLSID} = "CuteFTP Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\GlobalSCAPE\CuteFTP\CuteShell.dll " [empty string] LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMen uHandlers\ CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}" -> {HKLM...CLSID} = "CuteFTP Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\GlobalSCAPE\CuteFTP\CuteShell.dll " [empty string] QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}" -> {HKLM...CLSID} = "QuickFinder Shell Extension" \InProcServer32\(Default) = "c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHa ndlers\ LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}" -> {HKLM...CLSID} = "VpshellEx Class" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"] MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex \ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] |
#6
|
|||
|
|||
Group Policies {policy setting}:
-------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\ "SpecifyDefaultButtons" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "Btn_Search" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoBandCustomize" = (REG_DWORD) dword:0x00000000 {Disable customizing browser toolbars} "NoToolbarCustomize" = (REG_DWORD) dword:0x00000000 {Disable customizing browser toolbar buttons} HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System\ "NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000 {Hide Desktop tab} "NoDispScrSavPage" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Wes\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\AutoplayHandlers\Handlers\ DVDDecrypterPlayDVDMovieOnArrival\ "Provider" = "DVD Decrypter" "InvokeProgID" = "DVDDecrypter" "InvokeVerb" = "Decrypt using DVD Decrypter" HKLM\SOFTWARE\Classes\DVDDecrypter\shell\Decrypt using DVD Decrypter\Command\(Default) = ""C:\Program Files\DVD Decrypter\DVDDecrypter.exe" /MODE READ /SOURCE "%1"" ["LIGHTNING UK!"] iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\com mand\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell \import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\p lay\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\s howsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] IviDVDEventHandler\ "Provider" = "InterVideo WinDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\DVD\shell\play\command\(Defa ult) = "C:\Program Files\InterVideo\WinDVD\WinDVD.exe" ["InterVideo Inc."] IviVideoCDHandler\ "Provider" = "InterVideo WinDVD" "InvokeProgID" = "Ivi.MediaFile" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\com mand\(Default) = ""C:\Program Files\InterVideo\WinDVD\WinDVD.exe" %1" ["InterVideo Inc."] NeroAutoPlay7CDAudio\ "Provider" = "Nero SoundTrax" "InvokeProgID" = "Nero.AutoPlay3" "InvokeVerb" = "HandleCDBurningOnArrival_CDAudio" HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleC DBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /" ["Nero AG"] NeroAutoPlay7CopyCD\ "Provider" = "Nero Burning ROM" "InvokeProgID" = "Nero.AutoPlay3" "InvokeVerb" = "PlayMusicFilesOnArrival_CopyCD" HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMus icFilesOnArrival_CopyCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /DialogiscCopy /Drive:%L" ["Nero AG"] NeroAutoPlay7PlayAudioCD\ "Provider" = "Nero ShowTime" "InvokeProgID" = "Nero.AutoPlay3" "InvokeVerb" = "PlayCDAudioOnArrival_PlayAudioCD" HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDA udioOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play /Drive:%L" ["Nero AG"] PCLEVideoCameraArrival\ "Provider" = "Pinnacle Studio" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Program Files\Pinnacle\Studio 9\programs\studio.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExe cute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PDVDPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\C ommand\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] RoxioSelectOnArrival\ "Provider" = "Roxio Easy CD Creator" "InvokeProgID" = "CreateCD50" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\CreateCD50\shell\open\Comman d\(Default) = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -x" ["Roxio"] RPCDBurningOnArrival\ "Provider" = "RealOne Player" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\op en\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealOne Player" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\p lay\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealOne Player" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\ command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealOne Player" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\ open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."] SonicVideoCameraArrival\ "Provider" = "Sonic Solutions" "ProgID" = "MyDVD.MyDVDAPHandler" "InitCmdLine" = "new" HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\( Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}" -> {HKLM...CLSID} = "MyDVDAPHandler Class" \LocalServer32\(Default) = "C:\Program Files\Sonic\MyDVD\MyDVD.exe -autoplay" ["Sonic Solutions"] SonicVideoCameraArrivalDirect\ "Provider" = "Sonic Solutions" "ProgID" = "MyDVD.MyDVDAPHandler" "InitCmdLine" = "direct" HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\( Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}" -> {HKLM...CLSID} = "MyDVDAPHandler Class" \LocalServer32\(Default) = "C:\Program Files\Sonic\MyDVD\MyDVD.exe -autoplay" ["Sonic Solutions"] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Program Files\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExe cute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\comma nd\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropT arget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] "GoogleUpdateTask" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" ["Google Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll" ["Yahoo! Inc."] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" [file not found] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ {182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" [file not found] {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."] {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided) -> {HKLM...CLSID} = "Real.com" \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS] HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ "ButtonText" = "AIM" "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]} Cisco Systems, Inc. VPN Service, CVPND, "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" ["Cisco Systems, Inc."] DefWatch, DefWatch, "C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe" ["Symantec Corporation"] iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."] RegSrvc, RegSrvc, "C:\WINDOWS\system32\RegSrvc.exe" ["Intel Corporation"] Spectrum24 Event Monitor, S24EventMonitor, "C:\WINDOWS\system32\S24EvMon.exe" ["Intel Corporation "] Symantec AntiVirus Client, Norton AntiVirus Server, "C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe" ["Symantec Corporation"] WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\ Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."] EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"] HPF00111\Driver = "HPFlpm11.dll" ["Hewlett-Packard Company"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-08-24 15:02:44) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 81 seconds, including 5 seconds for message boxes) |
#7
|
|||
|
|||
Hello,
I'm sorry for the late reply, my time ran out yesterday. Quote:
No signs of active infection showing in your logs but the new HijackThis log is showing that the version you are using is outdated. Keep the HijackThis.exe copy you have for now, but download the latest version of HijackThis installer from here and install it (it will install in it's own folder) and run it again to produce a new log and post it back here please. Also give me an update on the current issues you are having with your system, apart from the connectivity problems. |
#8
|
|||
|
|||
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:47 PM, on 8/25/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Google\Update\GoogleUpdate.exe C:\WINDOWS\system32\RegSrvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\1XConfig.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user') O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Update Service (gupdate1c8e1f15857f050) (gupdate1c8e1f15857f050) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 5007 bytes |
#9
|
|||
|
|||
new hjthis log posted..
i have been able to use ie with no problems... maybe i am clean now... |
#10
|
|||
|
|||
I don't believe that was a malware related issue, probably one of the changes you performed on your system in your attempt to disinfect it caused this. Tracking back the steps you performed one by one will probably help pinpointing the cause.
No signs of infection in this log either. Disable your Antivirus and go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here. Also let me know if you have any problems with the system now and how it is running please. |
#11
|
|||
|
|||
Sorry had a busy few days... I started running the scan and it just froze up and stopped running... here's what it showed when i asked for the scan report... i started another scan that is running now... some problems show themselves here:
KASPERSKY ONLINE SCANNER 7 REPORT Wednesday, August 27, 2008 Last edited by philstubbs; August 28th, 2008 at 07:57 PM. |
#12
|
|||
|
|||
This report shows that you have been downloading/using cracks and unfortunately per our Terms of Service we will not be able to continue with assistance. See here.
From our Terms of Service: The posting of links or references to warez or any other type of illegal software is strictly forbidden. By doing so you risk having your user account terminated without warning. We will NOT help anyone we suspect of having obtained their software illegally. |
#13
|
|||
|
|||
I haven't been downloading anything illegal. Obviously someone has but the reason I am posting this is here is because I am hoping to delete it and anything else harmful to my system. I have a full kapersky scan now if you are still able to help.
Last edited by philstubbs; August 28th, 2008 at 07:58 PM. |
#14
|
|||
|
|||
I don't believe I can, we have strict rules regarding illegal material and even if you didn't download them I am not in a position to know that. I would suggest that you would be careful who you let on your system next time.
|
Bookmarks |
«
Previous Topic
|
Next Topic
»
Topic Tools | |
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
firefox issues and yahoo issues | perplexed | Internet / Browsers | 4 | September 11th, 2010 08:20 PM |
Windows Explorer navigation issues and virus removal issues | sepulverture | Windows XP | 5 | September 12th, 2008 02:42 PM |
IE 6 issues | chadi | Internet / Browsers | 3 | March 3rd, 2006 04:39 PM |
ie issues ! | saviiour | Windows 98 | 1 | June 24th, 2004 05:00 AM |
All times are GMT +1. The time now is 01:40 PM.