Tech Support Guy banner
1 - 20 of 27 Posts

Registered · 46,353 Posts
Hi Wyndia

Welcome to TSG! :)

Please do this. Click here to download Hijack This. Click on Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This, do not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents, name it Hijack This, and put it in that folder.
 

Registered · 23 Posts · Discussion Starter · #3
Logfile of HijackThis v1.97.7
Scan saved at 9:36:49 PM, on 3/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
D:\Sysreset\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
D:\My Documents\My Received Files\Utilities\Mozilla Firebird 0.7\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\BitTorrent++\BT++.exe
D:\My Documents\My Received Files\Utilities\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

Registered · 46,353 Posts
I don't see anything in your log. Is the home page still changing?

Restart and post a new log right after restarting.
 

Registered · 23 Posts · Discussion Starter · #5
Logfile of HijackThis v1.97.7
Scan saved at 1:37:31 AM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Rebooted and ran HijackThis again. Looks pretty much the same though.
 

Registered · 46,353 Posts
Since you have already run CWShredder, Adaware and Spybot and nothing shows in your log, it's possible that you have been infected by the Look2Me parasite.

Please download the KillBox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

Unzip it to its own folder and click on Find in the upper right corner, then click on Find msg{}.dll. This will open a new window that will create a list of .dll's. In that window click on File, then Create Log. A box will pop up asking if you want to "Show log in notepad?". Click Yes and the log will open in Notepad. Go to Edit > Select All, then Edit > Copy. Come back here and paste the contents of that log in a reply.

I'll be out until around 6 pm EDT. I'll check back then.
 

Registered · 23 Posts · Discussion Starter · #7
Log for KillBox ver.2.0.1
--------------------------

---msg{}dll search---
C:\WINDOWS\System32\msgina.dll
C:\WINDOWS\System32\msgsvc.dll
C:\WINDOWS\System32\dllcache\msgr3en.dll
C:\WINDOWS\System32\dllcache\msgsvc.dll
C:\WINDOWS\System32\Setup\msgrocm.dll
 

Registered · 46,353 Posts
Well you don't have Look2Me either. Why is the Hot search page not showing in your log? It should. Are you changing it before you post the log?

Let's have a look at a startuplist.

Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.
 

Registered · 23 Posts · Discussion Starter · #9
I didn't reboot and I didn't set it back to my default (about:blank) page. My evil computer =X.

StartupList report, 3/24/2004, 11:24:22 PM
StartupList version: 1.52
Started from : D:\My Documents\My Received Files\Utilities\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\BitTorrent++\BT++.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\My Documents\My Received Files\Utilities\Mozilla Firebird 0.7\MozillaFirebird\MozillaFirebird.exe
D:\My Documents\My Received Files\Utilities\HiJackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
nForce Tray Options = sstray.exe /r
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
EPoXUSDM = "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
avast! = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ATI Launchpad =
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zone.msn.com/binary/MineSweeper.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
avast! iAVS4 Control Service: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (autostart)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ATI TV Wonder Video Capture: system32\drivers\atibtcap.sys (autostart)
ATI TV Wonder Video Crossbar: system32\drivers\atibtxbr.sys (autostart)
ATI TV Wonder TV Tuner: system32\drivers\ativtutw.sys (autostart)
ATI TV Wonder Audio Crossbar: system32\drivers\ativxstw.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
avast! Antivirus: C:\Program Files\Alwil Software\Avast4\ashserv.exe (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Software Cinemaster NT4.0 Driver: \SystemRoot\SYSTEM32\DRIVERS\CINEMSUP.SYS (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SVKP: \??\C:\WINDOWS\System32\SVKP.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 10,662 bytes
Report generated in 0.281 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

Registered · 46,353 Posts
I don't see anything there either.

I'm stumped here! :confused:

I'm going to PM someone else to look at this. It will be early AM before he checks in here as he is in the UK so hang tight.
 

Retired Moderator, Retired Malware Specialist · 56,449 Posts
There is one more possibility: a new version of CWS that is very difficult to track down and cure.

Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it; copy & paste that log here.

Don't worry about all the entries; almost all of them are good entries. I am just looking for a specific file signature to see if it might be there.
 

Registered · 23 Posts · Discussion Starter · #12
By the way, I think I might have deleted a Windows system file when cleaning out my registry files a while ago. For some reason now, Windows XP Pro doesn't remember my folder settings and always resets to some random setting.


Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll
kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll
USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll
ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll
RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll
SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll
SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll
IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll
ole32.dll 771b0000 1183744 C:\WINDOWS\system32\ole32.dll
MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll
appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll
msctfime.ime 9f0000 176128 C:\WINDOWS\System32\msctfime.ime
Msimtf.dll 746f0000 155648 C:\WINDOWS\System32\Msimtf.dll
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll
WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll
CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll
MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll
SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll
AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll
shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll
mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll
wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll
WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll
mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll
wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll
RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL
rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll
NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll
TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll
rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll
msi.dll 1d30000 2101248 C:\WINDOWS\System32\msi.dll
SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL
sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll
USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll
rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll
DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll
winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll
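The module listing above is what the moderator reads for code loaded into Internet Explorer that does not belong to Windows itself. The following Python is an added example written for this page, not the thread's own tool (pv.zip) and not anything from HijackThis: it parses the MODULE BASE SIZE PATH layout shown above, separates modules loaded from outside the Windows directory from the rest, and lists module names that appear from more than one path. The sample input is a constructed subset of the rows posted above, and the Windows directory is assumed to be C:\WINDOWS as it is in this log. On this sample the only non-Windows module is the Adobe Reader BHO, which matches the moderator's reading of the full log.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the header plus a handful of rows copied from the module
# listing posted above (same layout: MODULE BASE SIZE PATH; PATH may contain spaces).
SAMPLE_MODULE_LOG = r"""Module information for 'iexplore.exe'
MODULE BASE SIZE PATH
iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe
ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll
AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll
"""

HEADER_RE = re.compile(r"^Module information for '(?P<process>.+)'$")
# Assumed system root for this log; the thread's log shows C:\WINDOWS.
WINDOWS_DIR = "c:\\windows\\"


def parse_module_log(text: str) -> Tuple[str, List[Dict]]:
    """Return (process_name, rows); each row has name, base (int), size (int), path.
    The PATH column can contain spaces, so a line is split into at most four fields."""
    process = ""
    rows: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            process = m["process"]
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # not a module row
        name, base, size, path = parts
        try:
            rows.append({"name": name, "base": int(base, 16), "size": int(size), "path": path})
        except ValueError:
            continue  # the MODULE BASE SIZE PATH column header lands here
    return process, rows


def third_party_modules(text: str, windows_dir: str = WINDOWS_DIR) -> List[Dict]:
    """Modules loaded from outside the Windows directory, excluding the process
    image itself: the rows a reviewer has to attribute to an installed product."""
    process, rows = parse_module_log(text)
    return [r for r in rows
            if r["name"].lower() != process.lower()
            and not r["path"].lower().startswith(windows_dir)]


def duplicate_names(text: str) -> Set[str]:
    """Module names present more than once from different paths. Side-by-side
    assemblies (comctl32.dll from WinSxS and from system32) do this legitimately,
    so this is context for the reviewer, not a verdict."""
    _, rows = parse_module_log(text)
    paths_by_name: Dict[str, Set[str]] = {}
    for r in rows:
        paths_by_name.setdefault(r["name"].lower(), set()).add(r["path"].lower())
    return {name for name, paths in paths_by_name.items() if len(paths) > 1}


if __name__ == "__main__":
    proc, rows = parse_module_log(SAMPLE_MODULE_LOG)
    print(f"{proc}: {len(rows)} modules")
    for r in third_party_modules(SAMPLE_MODULE_LOG):
        print(f"  review: {r['name']} at 0x{r['base']:08x} ({r['size']} bytes) from {r['path']}")
    print("  loaded from more than one path:", sorted(duplicate_names(SAMPLE_MODULE_LOG)))
```

The split into "Windows directory" and "everything else" is deliberately coarse: it does not decide whether a module is good or bad, it only shrinks the list to the entries that need a vendor lookup, which on this log is a single Adobe file.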
 

Retired Moderator, Retired Malware Specialist · 56,449 Posts
Wyndia

The IE dll log is clear.

The only thing I can see is
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe

All your other entries suggest you have an ATI graphics card.
This one is usually an NVIDIA graphics card control panel entry, but in your case I suspect it to be a baddie.

Please check which graphics card you have installed and we can then advise on whether to fix that entry or not.

An easy way to see what hardware is on the computer would be to download Belarc Advisor from http://www.belarc.com/free_download.html

Look at the display section and copy & paste what it says.

Also copy & paste the software versions; that will help us to determine whether that file is good or bad.

Also do a search for this folder; if it exists, delete it:

C:\WINDOWS\nsdb

And what version of CWShredder did you use when you started this cleaning up?
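The check applied in the post above, cross-referencing an O4 Run entry against the hardware actually installed, starts from one property of the log line: `sstray.exe /r` is the only autostart in this log that names a bare file rather than a full path, so the log line alone cannot say which file on disk gets launched. The following Python script is an added example written for this page, not code from the thread or from HijackThis: it parses O4 lines in the HijackThis 1.97 format, extracts the executable from each command line (quoted or not), and lists the entries that are not fully qualified, which is the set a reviewer has to locate on disk and attribute to an installed product. The sample log is constructed from lines quoted earlier in this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.97 log format: the O4 lines quoted in
# this thread plus one O2 and one O16 line, which the O4 parser must ignore.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
# Program part of an unquoted command line: text up to a program extension
# followed by whitespace or end of line.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", re.IGNORECASE)
# Absolute location: a drive letter or an environment-variable prefix.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|%\w+%)")


@dataclass
class RunEntry:
    hive: str        # HKLM or HKCU
    key: str         # Run, RunOnce, ...
    name: str        # value name HijackThis shows in [brackets]
    command: str     # full command line
    executable: str  # program part of the command line, without quotes


def split_executable(command: str) -> str:
    """Return the program part of a Run value.

    A quoted command yields the quoted path. An unquoted one yields the text up
    to the first program extension, so a path with spaces such as
    C:\\Program Files\\...\\atiptaxx.exe survives and 'sstray.exe /r' becomes
    'sstray.exe'.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = EXE_RE.match(command)
    return m["exe"] if m else command.split(" ", 1)[0]


def is_fully_qualified(executable: str) -> bool:
    """True when the entry names an absolute location. A bare file name is
    resolved by a path search at logon, so the log line alone does not say
    which file on disk runs; establishing that is the reviewer's job."""
    return QUALIFIED_RE.match(executable) is not None


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Parse every O4 line; other HijackThis sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["command"],
                                    split_executable(m["command"])))
    return entries


def unqualified_run_entries(log_text: str) -> List[RunEntry]:
    """The autostarts a reviewer must locate on disk before judging them."""
    return [e for e in parse_run_entries(log_text) if not is_fully_qualified(e.executable)]


if __name__ == "__main__":
    for e in unqualified_run_entries(SAMPLE_HJT_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.executable!r}: "
              "bare name, locate on disk and attribute to an installed product")
```

The script stops where the human work starts. In this thread the "Running processes" section of the same log shows where the name resolved (C:\WINDOWS\System32\sstray.exe) and the Belarc report later confirms an nForce motherboard, which is what turns a flagged entry into a known-good one.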
 

Registered · 23 Posts · Discussion Starter · #14
Thanks for all the help. I'm at work now but as soon as I get back, I'll check.

As for my video card, I'm using an ATI Radeon 9700 Pro.

I believe this is my tray icon for my audio properties. I'm not 100% sure though.
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe
 

Registered · 23 Posts · Discussion Starter · #15
Operating System
Windows XP Professional Service Pack 1 (build 2600)

System Model
No details available

Processor
2.00 gigahertz AMD Athlon XP
128 kilobyte primary memory cache
256 kilobyte secondary memory cache

Main Circuit Board
Board: nVidia-nForce
Bus Clock: 166 megahertz
BIOS: Phoenix Technologies, LTD 6.00 PG 03/05/2003

Drives
283.95 Gigabytes Usable Hard Drive Capacity
54.87 Gigabytes Hard Drive Free Space

LITE-ON LTR-52246S [CD-ROM drive]

Maxtor 6Y160P0 [Hard drive] (163.93 GB) -- drive 0, s/n Y41QBRKE, rev YAR41BW0, SMART Status: Healthy
WDC WD1200JB-32EVA0 [Hard drive] (120.03 GB) -- drive 1, s/n WD-WMAEL1453709, rev 15.05R15, SMART Status: Healthy

Memory Modules
1024 Megabytes Installed Memory

Slot 'A0' has 512 MB
Slot 'A1' has 512 MB
Slot 'A2' is Empty

Local Drive Volumes
c: (on drive 0) 30.01 GB 5.89 GB free
d: (on drive 0) 133.92 GB 39.38 GB free
g: (on drive 1) 120.03 GB 9.60 GB free

Controllers
Standard floppy disk controller
NVIDIA NForce MCP2 IDE Controller
Primary IDE Channel [Controller]
Secondary IDE Channel [Controller]

Display
RADEON 9700 PRO [Display adapter]
RADEON 9700 PRO - Secondary [Display adapter]
NEC MultiSync 95 [Monitor] (18.0"vis, s/n 0801108YA, August 2000)

Bus Adapters
Standard Enhanced PCI to USB Host Controller
Standard OpenHCD USB Host Controller
Standard OpenHCD USB Host Controller

Multimedia
ATI TV Wonder Audio Capture
ATI TV Wonder Audio Crossbar
ATI TV Wonder TV Tuner
ATI TV Wonder Video Capture
ATI TV Wonder Video Crossbar
MPU-401 Compatible MIDI Device
NVIDIA(R) nForce(TM) Audio
NVIDIA(R) nForce(TM) Audio Codec Interface
NVIDIA(R) nForce(TM) MCP Audio Processing Unit (Dolby(R) Digital)
Standard Game Port

Communications
1394 Net Adapter
NVIDIA nForce MCP Networking Adapter
Network Card MAC Address: 00:04:61:47:4E:5B
Network IP Address: 128.119.148.163 / 24

Other Devices
OHCI Compliant IEEE 1394 Host Controller
Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PS/2 Compatible Mouse
USB Root Hub
USB Root Hub
USB Root Hub

Virus Protection
No AntiVirus details available

Installed Microsoft Hotfixes
DataAccess
Q823718 on 9/17/2003 (details...)
Q832483 on 1/29/2004 (details...)
DirectX
DX819696 (details...)
Internet Explorer
Q818529 (details...)
Q822925 (details...)
Q824145 (details...)
SP1 (SP1)
Windows Media Player
WM817787 (details...)
WM828026 (details...)
SP0
Q828026 on 11/22/2003 (details...)
Windows XP
SP1
Q324720[SP] on 9/25/2003 (details...)
SP2
KB821557 on 9/17/2003 (details...)
KB822603 on 1/29/2004 (details...)
KB823182 on 11/22/2003 (details...)
KB823559 on 10/1/2003 (details...)
KB823980 on 9/3/2003 (details...)
KB824105 on 9/17/2003 (details...)
KB824141 on 11/22/2003 (details...)
Windows XP
SP2 (continued)
KB824146 on 9/17/2003 (details...)
KB825119 on 11/22/2003 (details...)
KB828028 on 2/20/2004 (details...)
KB828035 on 11/22/2003 (details...)
Q323255 on 6/24/2003 (details...)
Q327979 on 2/20/2004 (details...)
Q328310 on 6/24/2003 (details...)
Q329048 on 6/24/2003 (details...)
Q329115 on 6/24/2003 (details...)
Q329170 on 6/24/2003 (details...)
Q329390 on 6/24/2003 (details...)
Q329441 on 6/24/2003 (details...)
Q329834 on 6/24/2003 (details...)
Q331953 on 6/24/2003 (details...)
Q810565 on 6/24/2003 (details...)
Q810577 on 6/24/2003 (details...)
Q810833 on 6/24/2003 (details...)
Q811493 on 6/24/2003 (details...)
Q811630 on 6/24/2003 (details...)
Q814033 on 6/24/2003 (details...)
Q814995 on 6/24/2003 (details...)
Q815021 on 6/24/2003 (details...)
Q817287 on 6/24/2003 (details...)
Q817606 on 9/17/2003 (details...)

Adobe - Photoshop Removed by Moderator Dreamboat
Adobe Systems, Inc. - Adobe Photoshop 7.0 Removed by Moderator Dreamboat
Microsoft - Internet Explorer Removed by Moderator Dreamboat
Microsoft - Office XP Professional with FrontPage 54185-640-1056952-17392 (Key: Removed by Moderator Dreamboat)
Microsoft - WebFldrs XP Removed by Moderator Dreamboat
Microsoft - Windows XP Professional 55274-006-1484684-22935 (Key: Removed by Moderator Dreamboat)

Software Versions
Abuse *
ACZ - Virtual TI Version 2.5.0.0 *
Adobe ImageReady (tm) 7.0 Version 7.0 *
Adobe Photoshop Version 7.0 *
Adobe Reader Version 6.0.0.2003051900 *
Ahead Software AG Karlsbad Germany Phone: ++49-7248-911-800 Fax: ++49-7248-911-888 e-mail: [email protected] - LANGUAGE_English2 Version 5, 5, 10, 9 *
Ahead Software AG - InfoTool Application Version 1, 0, 3, 3 *
Ahead Software AG - Nero CD Speed Application Version 1, 0, 2, 0 *
Ahead Software Gmbh NeroCheck Version 1, 0, 0, 2 *
ahead software gmbh, karlsbad - Cover Designer Version 2, 2, 1, 11 *
Alex van Kaam - Motherboard Monitor 5 Version 5.0 *
Almico Software (www.almico.com) - SpeedFan Version 4.08 *
ALWIL Software - avast! Antivirus Version 4, 1, 0, 0 *
America Online, Inc. - AOL Instant Messenger Version 5.1.3036 *
ATI Desktop Component Version 6.13.10.3041 *
ATI External Event Utility for WindowsNT and Windows9X Version 6.14.4094.01 *
ATI Multimedia Center Version 7.6 *
ATI Multimedia Center Version 7.7 *
ATI Multimedia Center Version 7.9 *
ATI Smart Version 5.13.0004 *
ATI Technologies Inc. HydraVision Control Panel Version 3.10.00.1011 *
ATI Technologies Inc. HydraVision Setup Wizard Version 3.10.00.1011 *
avast! Antivirus Version 4, 1, 0, 0 *
avast! iAVS4 Control Service *
AviC (FourCC changer) *
Belarc, Inc. - BelManage Client Version 6.1 *
Big-O Software - AIM+ Version 2, 2, 1, 65 *
blindman.exe *
Blizzard Entertainment - Starcraft Uninstaller Version 1.04 *
Blizzard Entertainment - Starcraft Version 1.00 *
Blizzard Entertainment - Starcraft Version 1.10 *
Books Online *
BT++ Version 0.5.3 *
Cat Soft - Serv-U Version 4.1 *
Cinematronics - 3D Pinball Version 5.1.2600.0 *
CodeView for MS-DOS *
CodeView for Windows *
Daniel Milner - Logon Loader Version 2.01 *
DDESpy *
Decoder Configuration *
DivX Player 2.1 *
DivXNetworks, Inc. - DivX Video for Windows Codec Version 5, 0, 3 *
Eclipse *
Elcom Ltd. - Advanced RAR Password Recovery *
Erik Deppe - DriveSpeed Version 1, 6, 1, 0 *
Gabest - submux Application Version 2, 0, 23, 0 *
Gabest - Subresync Version 2, 0, 23, 0 *
Gemstar Technology Development Limited - GUIDE PLUS+(TM) for WindowsR System Version 1, 0, 0, 24 *
Gemstar Technology Development Ltd. - EPGUpdate Application Version 1, 0, 1, 39 *
Havas Interactive AutoUpdate Version 4,0,4,1 *
Headlight Software, Inc. - GetRight Version 5.0.2 *
HeapWalker *
InCD *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - ftpscrpt Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - schedule Application Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - UpWiz Application Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - WS_FTP Pro FireScript Editor Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - WS_FTP Pro FTP Find Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - WS_FTP Pro Version 8,0,0,0 *
Ipswitch, Inc. 10 Maguire Road - Suite 220 Lexington, MA 02421 - WS_FTP Synchronize Utility Version 8,0,0,0 *
Java Web Start *
javaw.exe *
Jeffrey J. McLellan - Manga Viewer Version 1.00.0004 *
Jordan Russell - If you want to undo changes made by Spybot-S&D, use the Recovery instead! *
Kookaburra Software - Cookie Pal Version 1.7.0.0 *
Kookaburra Software - KInstall Version 1, 3, 0, 0 *
Kroll Ontrack Inc. - Data Lifeguard Version 5.02.11 *
Lavasoft Ad-aware Plus Version 6.0.0.0 *
MFC Trace Options *
Microsoft (r) Windows Script Host Version 5.6.0.6626 *
Microsoft - DBWin Version 1.00 *
Microsoft - PDMan98 Version 6.00.8169 *
Microsoft Application Error Reporting Version 10.0.2609 *
Microsoft Clip Organizer Version 10.0.2625 *
Microsoft Corporation - Internet Explorer Version 6.00.2800.1106 *
Microsoft Corporation - Messenger Version 4.7 *
Microsoft Corporation - PHIME2002A Version 5.2.2801 *
Microsoft® Internet Services Version 6.1.33.0 *
Microsoft® Visual C++ Version 1.5.000 *
Microsoft (r) Windows Script Host Version 5.6.0.6626 *
Microsoft® Visual C++ Version 1.52 *
Microsoft Corporation - Messenger Version 6.0 *
Microsoft Corporation - VB 6 API Declaration Loader Version 6.00.8169 *
Microsoft Corporation - Visual Basic Version 6.00.8176 *
Microsoft Corporation - Windows Installer - Unicode Version 2.0.2600.1106 *
Microsoft Corporation - Windows Movie Maker Version 1.1.2427.1 *
Microsoft Corporation - Windows® NetMeeting® Version 3.01 *
Microsoft Corporation - Zone.com Version 1.2.626.1 *
Microsoft IME 2002 Version 8.1.4005.0 *
Microsoft Office Save My Settings/Profile Wizard Version 10.0.2609 *
Microsoft Office XP Version 10.0.2627 *
Microsoft Open Database Connectivity Version 2.10.2309 *
Microsoft Open Database Connectivity Version 3.520.9030.0 *
Microsoft Windows Media Player Version 6.4.09.1125 *
Microsoft Windows Software Development Kit Version 3.10.463 *
Microsoft Windows Version 3.10.425 *
Microsoft(R) MSN (R) Communications System Version 7.02.0005.2202 *
Microsoft(R) Windows Media Player Version 8.00.00.4490 *
MindVision Software - Installer VISE Version 3.6.0 *
MiniCalc *
mIRC Version 6.03 *
Mozilla Firebird Version 1.5: 2003100717 *
Nintendo64 console emulator for Windows *
Nullsoft - Winamp Version 2.91 *
OSTROWSKY Infstaller Version 1, 0, 0, 1 *
PepiMK Software - SpyBot-S&D Version 1.2 *
Please suggest one. I haven't come up with a good one yet. - VirtualDub Version 1.4.10 *
Radium MP3 codec configuration tool Version 1.0.0.0 *
Ragnarok Online *
SnIco Edit *
SORIBADA.exe *
Spy *
StatsReader Version 1, 9, 1, 1 *
StressApp *
SunJavaUpdateSched *
SWE von Schleusen - UltimateZip Quick Start Version 1.1 *
SWE von Schleusen - UltimateZip Self-Extractor Version 2.7 *
SWE von Schleusen - UltimateZip Version 2.7 *
ToniArts - EasyCleaner Version 2.0.5 *
Tray Monitor *
Valve, L.L.C. - CounterStrike Launcher Version 1, 0, 0, 5 *
Virtos GmbH - WaveEdit DLL Version 1, 0, 5, 0 *
voice_tweak Application Version 1, 0, 0, 1 *
WinZip Version 9.0 (5611) *
www.bluej.org - BlueJ Version 1.3.5 *
Zoom Player *
ZoomIn

Retired Moderator · Retired Malware Specialist · 56,449 Posts
I can't see anything there that is known to cause this pest.

The nForce entries look genuine according to your hardware specs.

We'll keep looking and see what we can come up with.

Please post another HijackThis log, though.

Discussion Starter · #17 · 23 Posts
Logfile of HijackThis v1.97.7
Scan saved at 3:40:16 PM, on 3/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\My Documents\My Received Files\Utilities\Mozilla Firebird 0.7\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\My Documents\My Received Files\Utilities\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Retired Moderator · Retired Malware Specialist · 56,449 Posts
Are you still getting the problem?

And which browser is it happening in: IE, or Firefox/Firebird (or whatever they are calling it now)? Or both?

Retired Moderator · Retired Malware Specialist · 56,449 Posts
I think this one is being done via the hosts file.

Please do this:

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders", then "Apply", then "OK".

Then navigate to C:\WINDOWS\system32\drivers\etc, double-click the hosts file there and open it with Notepad, copy its contents and post them back here, please.
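One way to do the check the moderator describes, as an added example that is not part of the original thread: a small Python script that parses a hosts file the way Windows reads it (one address followed by hostnames, `#` comments ignored) and flags any hostname that is pointed at a real remote address rather than loopback or 0.0.0.0. The sample hosts contents and the flagging rule are this example's own constructions, not anything HijackThis does.

```python
"""Flag hosts-file entries that redirect a hostname to a remote address.

Added example for this thread, not code from the original post. The sample
file below is constructed; 192.0.2.0/24 is a documentation range and stands
in for whatever address a hijacked hosts file would really point at.
"""
import ipaddress

# Constructed sample resembling C:\WINDOWS\system32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.example.net          # ad-blocking entry: benign
192.0.2.10      www.google.com           # constructed hijack: public IP
192.0.2.10      search.example.com       # constructed hijack: public IP
::1             localhost
"""


def parse_hosts(text):
    """Return [(address, [hostnames...])] for each active line.

    Anything after '#' is a comment; blank lines are skipped, exactly as
    the Windows resolver treats the file.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def suspicious_entries(text):
    """Return (address, hostnames, reason) for entries worth a second look.

    Loopback (127.x / ::1) and unspecified (0.0.0.0) targets only block a
    name, which is what localhost and ad-blocking entries do; any other
    target silently sends the browser to a different server, which is how a
    hosts-file hijack produces the redirects described in this thread.
    """
    flagged = []
    for ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, hosts, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, hosts, "non-loopback target"))
    return flagged


if __name__ == "__main__":
    for ip, hosts, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{reason}: {ip} -> {' '.join(hosts)}")
```

Run it against a real file with `suspicious_entries(open(path).read())`; the two constructed 192.0.2.10 lines are the ones it reports.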