C:\WINDOWS\system32\rundll32.exe again!!

[miladbrain]

Hi
i have problem with this (C:\WINDOWS\system32\rundll32.exe) again.
i saw the previous post but it couldn't help me and as it was closed i had to post a new topic.
there you suggested to ''Go http://www.dougknox.com/xp/file_assoc.htm and download and run the EXE file association fix.''
i did it and when i click on it it saies: "Are you sure you want to add information in C:\Windows\System32\xp_exe_fix.reg to registry?" when i click yes it saies: "Can not import C:\Windows\System32\xp_exe_fix.reg:Not all data was successfully written to the registry. Some keys are open by the system or other process."
so as you understood i still have problem.
PLZ HELP ME...

[Jintan]

Welcome to CTH miladbrain,

I am not really sure what post you are referring to, and also not really sure what you are trying to accomplish using the Registry Search tool there. Let's go ahead and take a look at things for now, and see what all is there.


Please download HijackThis from Here. Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.


Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. Here are guidelines for using Silent Runners. You can use separate posts here when replying and posting the log files if needed.

[miladbrain]

thanx for your guide but i still have problem:

1- i'm referring to " http://www.cybertechhelp.com/forums/...d.php?t=129368 "

2- this virus doesn't let me install any thing and when i wanted to use hijackThis i received this message: Run-Time error '481' invalid picture

3- here is that you wanted:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"D_V_T" = "C:\\dvt.exe /S \C:\\d_v_t.reg\" [MS]
"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EX E" ["Nokia Mobile Phones Ltd."]
"PCSuiteTrayApplication" = "D:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE" [empty string]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NWEReboot" = "(empty string)" [file not found]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SpeedVPN" = "d:\Program files\SpeedVPN\svpn32.exe" [file not found]
"DownloadAccelerator" = ""D:\Program Files\DAP\DAP.EXE" /STARTUP" ["Speedbit Ltd."]
"Nitro PDF Printer Monitor" = ""D:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"" [null data]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm .exe -startup" [file not found]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"BitDefender Antiphishing Helper" = ""C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"" ["BitDefender"]
"BDAgent" = ""C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"" ["BitDefender S.R.L."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.d ll" [MS]
"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"
-> {HKLM...CLSID} = "Contact View"
\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"
-> {HKLM...CLSID} = "Message View"
\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{3AFCEAFB-FFC5-403D-AD33-5914AB4B7ECC}" = "Sldworks Shell Extension"
-> {HKLM...CLSID} = "SldShellExtension Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\SolidWorks Shared\sldshellutilsu.dll" [null data]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"
-> {HKLM...CLSID} = "AcSignIcon"
\InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
-> {HKLM...CLSID} = "ACTHUMBNAIL"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "d:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{D0DC6B97-C6FA-4B42-9649-5891A97E5005}" = "N5ShellExtension Shell Extension"
-> {HKLM...CLSID} = "N5ShellExtension ContextMenu Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Nitro PDF\Professional\N5ShellExtension.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D LL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandler s\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandler s\
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
-> {HKLM...CLSID} = "DWFShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
-> {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "D:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
MyPhoneExplorer\(Default) = "{2D30AAA2-9084-4686-B8B9-B9B62EEFFD4E}"
-> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
\InProcServer32\(Default) = "C:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
N5ShellExtension\(Default) = "{D0DC6B97-C6FA-4B42-9649-5891A97E5005}"
-> {HKLM...CLSID} = "N5ShellExtension ContextMenu Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Nitro PDF\Professional\N5ShellExtension.dll" [null data]
Photo! 3D ScreenSaver\(Default) = "{AA7A03E6-7FA5-42E7-9D7A-9A2A4E344B3F}"
-> {HKLM...CLSID} = "MyPicturesContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\3d album\Photo! 3D ScreenSaver\Bin\Photo!3DSContext.dll" ["TODO: <Company name>"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMen uHandlers\
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
-> {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "D:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "d:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
Photo! 3D ScreenSaver\(Default) = "{AA7A03E6-7FA5-42E7-9D7A-9A2A4E344B3F}"
-> {HKLM...CLSID} = "MyPicturesContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\3d album\Photo! 3D ScreenSaver\Bin\Photo!3DSContext.dll" ["TODO: <Company name>"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHa ndlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "d:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\Program Files\WinZip\wzshlstb.dll" ["WinZip Computing LP"]


Default executables:
--------------------

<<!>> HKCU\Software\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\( Default) = "soundmix "%1" %*" [file not found]

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
<<!>> HKLM\SOFTWARE\Classes\exefile\shell\open\command\( Default) = "soundmix "%1" %*" [file not found]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Loca l Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Milad\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\AutoplayHandlers\Handlers\

JABurnCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "burncd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ burncd\command\(Default) = ""d:\Program Files\JetAudio\jetAudio.exe" /burncd "%1"" ["COWON America, Inc."]

JACreateAlbumOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "createalbum"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ createalbum\command\(Default) = ""d:\Program Files\JetAudio\jetAudio.exe" /createalbum "%1"" ["COWON America, Inc."]

JAPlayCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ playcd\command\(Default) = ""d:\Program Files\JetAudio\jetAudio.exe" /playcd "%1"" ["COWON America, Inc."]

JAPlayDVDMovieOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playdvd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ playdvd\command\(Default) = ""d:\Program Files\JetAudio\jetAudio.exe" /playdvd "%1"" ["COWON America, Inc."]

JAPlayMediaOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "playmedia"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ playmedia\DropTarget\CLSID = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt Class"
\InProcServer32\(Default) = "d:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

JARipCDAudioOnArrival\
"Provider" = "jetAudio"
"InvokeProgID" = "jetAudio.MediaHandler"
"InvokeVerb" = "ripcd"
HKLM\SOFTWARE\Classes\jetAudio.MediaHandler\shell\ ripcd\command\(Default) = ""d:\Program Files\JetAudio\jetAudio.exe" /ripcd "%1"" ["COWON America, Inc."]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9 Series"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExe cute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay7CDAudio\
"Provider" = "Nero SoundTrax"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleC DBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /" [file not found]

NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayMusicFilesOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMus icFilesOnArrival_CopyCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /DialogiscCopy /Drive:%L" ["Nero AG"]

NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero SoundTrax"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayCDAudioOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDA udioOnArrival_PlayAudioCD\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /Play /Drive:%L" [file not found]


Startup items in "Milad" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Milad\Start Menu\Programs\Startup
"OneNote 2007 Screen Clipper and Launcher" -> shortcut to: "D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"AudioDeck" -> shortcut to: "C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe -min" [empty string]
"AutoCAD Startup Accelerator" -> shortcut to: "C:\Program Files\Common Files\Autodesk Shared\acstart17.exe" [null data]
"WinZip Quick Pick" -> shortcut to: "D:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, S.L."]

[miladbrain]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" ["Yahoo! Inc."]
"{381FFDE8-2394-4F90-B10D-FC6124A40F8C}" = "IEToolbar"
-> {HKLM...CLSID} = "BitDefender Toolbar"
\InProcServer32\(Default) = "C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll" ["Bitdefender"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "d:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 6 domain names to IP addresses,
4 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ANSYS FLEXlm license manager, ANSYS FLEXlm license manager, "C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgr d.exe" ["Macrovision Corporation"]
BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe" /service" ["BitDefender"]
BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe" /service" ["BitDefender SRL"]
BitDefender Threat Scanner, scan, "C:\WINDOWS\System32\svchost.exe -kbdx" {"C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll" ["S.C. BitDefender S.R.L"]}
McAfee Streaming Updates, McAfee Streaming Updates, "C:\Program Files\McAfee\McAfee Streaming Updates\SUService.exe" ["McAfee, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monito rs\
CNAB4 Monitor\Driver = "CNAB4LMK.DLL" ["CANON INC."]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

i'm really confused about this virus and appreciate your help

[Jintan]

Ahhh miladbrain, the logs show you've been stealing software, so I won't be able to help you this time. Right now at least this Nod32 hack shows, though I suspect other software is questionable as well:

"D_V_T" = "C:\\dvt.exe /S \C:\\d_v_t.reg\" [MS]

Best I can offer is you reformat and reinstall the operating system to remove the infection there.

From the CTH Terms of Service:

The posting of links or references to warez or any other type of illegal software is strictly forbidden. By doing so you risk having your user account terminated without warning. We will NOT help anyone we suspect of having obtained their software illegally.

[miladbrain]

thank you so much tom
now i have my computer safe even though i didn't reformat and reinstall my operating system but thanx for your help...

[Jintan]

To paraphrase what the old guy said in the end of that Last Crusade movie, you chose poorly. Then, and now. I will ask a Moderator to close this thread.