Home search assistant does not fix my problem.
Hi,
My problem looks like a CoolWebSearch infection; however, I performed the Home Search Assistant steps up to step 4, and then I couldn't find any of the services listed. I also tried Get Active Services, but without great success. I am puzzled, as I still get the same ieautosearch pop-ups (69.20.16.183 etc.). Here is my HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 21:42:19, on 03/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickZip\QuickZip.exe
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CrocPopup+ ] C:\Program Files\crocpopup+\Crocpopup+.exe
O4 - HKLM\..\Run: [glgbalyv] C:\WINDOWS\glgbalyv.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Do you have any idea?
Thank you,
Tartalacrème.
Comments
I think I have fixed several things; however, I still get some pop-ups from time to time. The computer doesn't stop by itself anymore. Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 23:08:08, on 05/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Thanks a lot if you can find something wrong with it, because I am really going crazy! :banghead:
http://www.majorgeeks.com/download4166.html
Reboot and post a new hijackthis log.
Many thanks for your concern. I did what you said. It seems I am up to date with Microsoft. Here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 08:40:13, on 06/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Tartalacrème.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
Reboot and please post a new hijackthis log so we can see if they're still there.
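The three O1 entries the helper lists above all send a browser search hostname to the same routable address, which is what a hosts-file hijack looks like in a HijackThis log. The following Python script is an added example (not code from the thread, HijackThis, or any of the tools mentioned) that classifies such entries: it treats loopback and 0.0.0.0 mappings as benign, flags any routable mapping of a known search host as a hijack, and reports which routable addresses collect several hostnames. It goes slightly beyond the thread by also accepting raw IPv4 lines from a hosts file, so it can be pointed at the file itself. The sample lines embedded below are the three O1 lines quoted from the log plus two benign entries constructed for contrast; the SEARCH_HOSTS set is an assumption chosen from the hostnames in this thread.

```python
import ipaddress
import re

# Constructed sample input: the three O1 lines quoted from the HijackThis log in
# this thread, plus two benign entries added here for contrast (not from the thread).
SAMPLE_LINES = """
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
127.0.0.1 localhost
0.0.0.0 ads.example.test   # ad-blocking style entry, sends traffic nowhere
""".strip().splitlines()

# Hostnames involved in the browser's built-in search redirection; the hijack in
# this thread points all three at one routable address. Assumed set, extend as needed.
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
HOSTS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")  # raw IPv4 hosts-file line


def parse_entry(line):
    """Return (ip, hostname) from a HijackThis O1 line or a raw hosts-file line,
    or None for comments, blank lines and anything else (IPv6 lines are skipped)."""
    text = line.split("#", 1)[0].strip()
    m = O1_RE.match(text) or HOSTS_RE.match(text)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def is_sinkhole(ip):
    """Loopback and 0.0.0.0 entries never send traffic to another machine; that is
    how localhost and ad-blocking hosts files work, so they are treated as benign."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def analyse_hosts(lines):
    """Classify hosts entries. Returns a dict with:
      'hijacked'   : (hostname, ip) pairs sending a known search host to a routable address
      'suspicious' : other (hostname, ip) pairs pointing at a routable address
      'benign'     : entries pointing at loopback / 0.0.0.0
      'by_ip'      : routable ip -> [hostnames]; one address collecting several
                     hostnames is the pattern seen in this thread
    """
    report = {"hijacked": [], "suspicious": [], "benign": [], "by_ip": {}}
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        ip, host = parsed
        if is_sinkhole(ip):
            report["benign"].append((host, ip))
            continue
        report["by_ip"].setdefault(ip, []).append(host)
        bucket = "hijacked" if host in SEARCH_HOSTS else "suspicious"
        report[bucket].append((host, ip))
    return report


if __name__ == "__main__":
    report = analyse_hosts(SAMPLE_LINES)
    for host, ip in report["hijacked"]:
        print(f"HIJACK     {host:24} -> {ip}")
    for host, ip in report["suspicious"]:
        print(f"SUSPICIOUS {host:24} -> {ip}")
    for ip, hosts in report["by_ip"].items():
        print(f"{ip} collects {len(hosts)} hostname(s): {', '.join(hosts)}")
```

To check the live file instead of the log, read C:\WINDOWS\system32\drivers\etc\hosts and pass its lines to analyse_hosts. A routable address that collects several hostnames is worth checking even when none of them is in SEARCH_HOSTS. If the same entries return after HijackThis removes them and the machine reboots, something that runs at start-up is rewriting the file, so re-running this check after each reboot tells you whether the file-level fix held.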
Hi! Back again... I tried to fix them in both normal and safe mode, but they come back again as surely as day follows night! The strange thing is that I have a bunch of anti-spyware and antivirus systems, and some of them, such as Perfect Process Alert, ring a bell with 'Divx4 codec: devldr32.exe in system32 added as a result of an unidentified virus.' Then I kill the process and delete the file, but the alert comes back a few minutes later if I use my browser... Of course the lines also appear in Spy Sweeper as an alert, and I can try to suppress them for as long as I am still awake, but they are still back there somewhere.
Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 08:12:08, on 07/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Thank you! This nasty little guy is waiting for the sentence to be carried out... :smokin:
Can you please start off by downloading VX2Finder to your desktop from here:
http://downloads.subratam.org/VX2Finder(126).exe
Start vx2finder, then click on "Click to Find VX2.BetterInternet" and then click "Make Log" and copy and paste the entire contents of the log here.
Please download DLL Compare to your desktop from here:
http://www.atribune.org/downloads/DllCompare.exe
Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.
Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
Can you please download the file "Find It.zip" to your desktop from here:
http://computercops.biz/zx/Zupe/Find%20It%20NT-2K-XP.zip
Unzip the contents to a folder, then open the folder and double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
VX2Finderlog:
Files Found---
Additional Files---
Keys Under Notify---
RunOnce
Guardian Key--- is called:
User Agent String---
{F1102748-C700-4A72-B672-35005F373415}
==============================================================================
As far as DLL Compare is concerned, I tried to view the log, however nothing happened, therefore I copied one by one the lines of what I supposed the log was (the second window below) and here it is:
C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K
C:\WINDOWS\SYSTEM32\cjmcat.dll Wed 1 Dec 2004 23:32:16 ..S.R 224 469 219,21 K
C:\WINDOWS\SYSTEM32\czl3d32.dll Thu 2 Dec 2004 17:14:30 ..S.R 223 082 217,85 K
C:\WINDOWS\SYSTEM32\d40m0e~1.dll Sat 4 Dec 2004 22:16:26 ..S.R 222 876 217,65 K
C:\WINDOWS\SYSTEM32\d6j02g~1.dll Fri 3 Dec 2004 19:49:48 ..S.R 223 216 217,98 K
C:\WINDOWS\SYSTEM32\dn4201~1.dll Thu 9 Dec 2004 21:04:04 ..S.R 222 887 217,66 K
C:\WINDOWS\SYSTEM32\dnj801~1.dll Fri 3 Dec 2004 18:43:36 ..S.R 225 948 220,65 K
C:\WINDOWS\SYSTEM32\dnl401~1.dll Sat 4 Dec 2004 16:31:58 ..S.R 223 537 218,30 K
C:\WINDOWS\SYSTEM32\dnnm01~1.dll Thu 2 Dec 2004 19:48:08 ..S.R 223 084 217,86 K
C:\WINDOWS\SYSTEM32\dnr001~1.dll Tue 30 Nov 2004 9:48:02 ..S.R 225 938 220,64 K
C:\WINDOWS\SYSTEM32\dqdmo.dll Fri 10 Dec 2004 8:10:16 ..S.R 222 887 217,66 K
C:\WINDOWS\SYSTEM32\eicapi.dll Sat 4 Dec 2004 19:18:14 ..S.R 225 635 220,34 K
C:\WINDOWS\SYSTEM32\en02l1~1.dll Fri 3 Dec 2004 22:43:22 ..S.R 224 150 218,89 K
C:\WINDOWS\SYSTEM32\f62m0g~1.dll Sun 5 Dec 2004 7:35:32 ..S.R 225 511 220,22 K
C:\WINDOWS\SYSTEM32\ftclient.dll Fri 3 Dec 2004 6:42:50 ..S.R 223 110 217,88 K
C:\WINDOWS\SYSTEM32\fwifs.dll Sat 4 Dec 2004 18:14:12 ..S.R 223 721 218,48 K
C:\WINDOWS\SYSTEM32\g4402e~1.dll Tue 30 Nov 2004 9:59:10 ..S.R 223 230 217,99 K
C:\WINDOWS\SYSTEM32\gpnol3~1.dll Sat 4 Dec 2004 13:09:42 ..S.R 222 884 217,66 K
C:\WINDOWS\SYSTEM32\h02o0a~1.dll Fri 3 Dec 2004 21:24:34 ..S.R 222 368 217,16 K
C:\WINDOWS\SYSTEM32\hr8u05~1.dll Wed 1 Dec 2004 8:15:40 ..S.R 226 116 220,82 K
C:\WINDOWS\SYSTEM32\hrn205~1.dll Sat 4 Dec 2004 8:08:50 ..S.R 223 204 217,97 K
C:\WINDOWS\SYSTEM32\irlql5~1.dll Fri 10 Dec 2004 8:10:16 ..S.R 224 422 219,16 K
C:\WINDOWS\SYSTEM32\irr2l5~1.dll Fri 3 Dec 2004 21:16:22 ..S.R 222 855 217,63 K
C:\WINDOWS\SYSTEM32\jt0o07~1.dll Tue 7 Dec 2004 7:47:02 ..S.R 224 277 219,02 K
C:\WINDOWS\SYSTEM32\jt4607~1.dll Mon 29 Nov 2004 19:03:22 ..S.R 223 286 218,05 K
C:\WINDOWS\SYSTEM32\jtp207~1.dll Wed 1 Dec 2004 22:29:24 ..S.R 223 279 218,04 K
C:\WINDOWS\SYSTEM32\k0lq0a~1.dll Wed 1 Dec 2004 22:40:34 ..S.R 223 532 218,29 K
C:\WINDOWS\SYSTEM32\k0pm0a~1.dll Fri 3 Dec 2004 19:49:54 ..S.R 222 979 217,75 K
C:\WINDOWS\SYSTEM32\kedinbe1.dll Thu 2 Dec 2004 16:32:22 ..S.R 223 125 217,89 K
C:\WINDOWS\SYSTEM32\kt8ol7~1.dll Sat 4 Dec 2004 10:46:28 ..S.R 225 287 220,00 K
C:\WINDOWS\SYSTEM32\ktr4l7~1.dll Tue 30 Nov 2004 10:14:42 ..S.R 222 956 217,73 K
C:\WINDOWS\SYSTEM32\l28mlc~1.dll Wed 1 Dec 2004 22:56:54 ..S.R 224 184 218,93 K
C:\WINDOWS\SYSTEM32\m2640c~1.dll Fri 3 Dec 2004 21:03:42 ..S.R 222 439 217,22 K
C:\WINDOWS\SYSTEM32\mvrml9~1.dll Sat 4 Dec 2004 16:16:26 ..S.R 222 807 217,58 K
C:\WINDOWS\SYSTEM32\n64slg~1.dll Fri 3 Dec 2004 16:40:32 ..S.R 224 992 219,72 K
C:\WINDOWS\SYSTEM32\nfdenb32.dll Fri 3 Dec 2004 18:45:14 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\nkwrsno.dll Fri 3 Dec 2004 21:03:42 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\p26s0c~1.dll Fri 3 Dec 2004 20:28:02 ..S.R 222 589 217,37 K
C:\WINDOWS\SYSTEM32\q4nu0e~1.dll Mon 29 Nov 2004 8:42:54 ..S.R 222 927 217,70 K
C:\WINDOWS\SYSTEM32\rfm.dll Thu 2 Dec 2004 16:42:50 ..S.R 226 155 220,85 K
C:\WINDOWS\SYSTEM32\s6rslg~1.dll Sat 4 Dec 2004 16:22:46 ..S.R 223 106 217,88 K
C:\WINDOWS\SYSTEM32\sns.dll Fri 3 Dec 2004 16:50:58 ..S.R 223 246 218,01 K
=============================================================================
No Guard.tmp in c:\Windows\System32 folder
=============================================================================
Find It.zip log is here:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:12 <DIR> dllcache
10/12/2004 08:10 222 887 dqdmo.dll
10/12/2004 08:10 224 422 irlql5351.dll
09/12/2004 21:04 222 887 dn4201hoe.dll
07/12/2004 07:47 224 277 jt0o07d3e.dll
05/12/2004 07:35 225 511 f62m0gf1e62.dll
04/12/2004 22:16 222 876 d40m0ed1eh0.dll
04/12/2004 19:18 225 635 eicapi.dll
04/12/2004 18:14 223 721 fwifs.dll
04/12/2004 16:31 223 537 dnl4013qe.dll
04/12/2004 16:22 223 106 s6rslg9716.dll
04/12/2004 16:16 222 807 mvrml9911.dll
04/12/2004 13:34 225 998 aza0019me.dll
04/12/2004 13:09 222 884 gpnol3531.dll
04/12/2004 10:46 225 287 kt8ol7l31.dll
04/12/2004 08:08 223 204 hrn2055oe.dll
03/12/2004 22:43 224 150 en02l1do1.dll
03/12/2004 21:24 222 368 h02o0af3ed2.dll
03/12/2004 21:16 222 855 irr2l59o1.dll
03/12/2004 21:03 226 243 nkwrsno.dll
03/12/2004 21:03 222 439 m2640cjqefoe0.dll
03/12/2004 20:28 222 589 p26s0cj7efo.dll
03/12/2004 19:49 222 979 k0pm0a71ed.dll
03/12/2004 19:49 223 216 d6j02g1mg6.dll
03/12/2004 18:45 226 243 nfdenb32.dll
03/12/2004 18:43 225 948 dnj8011ue.dll
03/12/2004 16:50 223 246 sns.dll
03/12/2004 16:40 224 992 n64slgh7164.dll
03/12/2004 06:42 223 110 ftclient.dll
02/12/2004 19:48 223 084 dnnm0151e.dll
02/12/2004 17:14 223 082 czl3d32.dll
02/12/2004 16:42 226 155 rfm.dll
02/12/2004 16:32 223 125 kedinbe1.dll
01/12/2004 23:32 224 469 cjmcat.dll
01/12/2004 22:56 224 184 l28mlcl11fq.dll
01/12/2004 22:40 223 532 k0lq0a35ed.dll
01/12/2004 22:29 223 279 jtp2077oe.dll
01/12/2004 08:15 226 116 hr8u05l9e.dll
30/11/2004 10:14 222 956 ktr4l79q1.dll
30/11/2004 09:59 223 230 g4402ehmgh4a2.dll
30/11/2004 09:48 225 938 dnr0019me.dll
29/11/2004 19:03 223 286 jt4607hse.dll
29/11/2004 08:42 222 927 q4nu0e59eh.dll
29/10/2004 20:38 <DIR> Microsoft
42 File(s) 9 404 780 bytes
2 Dir(s) 63 011 893 248 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:12 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 011 893 248 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:11 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 011 889 152 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn4201hoe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
One thing I forgot to mention in the previous post. Do not reboot or log off until we complete this fix. If you have since this last post i will need you to run the tools again and post new logs. I don't want to give further instructions until that is confirmed.
In the meantime, download this tool and unzip it to the desktop. We will need it later.
http://www.downloads.subratam.org/KillBox.zip
Also please post a new hijackthis log.
Oops... I have left home since then, thus I shut the computer down. As soon as I can I will send you everything back...
Files Found---
Additional Files---
Keys Under Notify---
ThemeManager
Guardian Key--- is called:
User Agent String---
{F1102748-C700-4A72-B672-35005F373415}
============================
Guard.tmp is still not a piece of cake from system32.
============================
Dll compare:
C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K
C:\WINDOWS\SYSTEM32\cjmcat.dll Wed 1 Dec 2004 23:32:16 ..S.R 224 469 219,21 K
C:\WINDOWS\SYSTEM32\czl3d32.dll Thu 2 Dec 2004 17:14:30 ..S.R 223 082 217,85 K
C:\WINDOWS\SYSTEM32\d40m0e~1.dll Sat 4 Dec 2004 22:16:26 ..S.R 222 876 217,65 K
C:\WINDOWS\SYSTEM32\d6j02g~1.dll Fri 3 Dec 2004 19:49:48 ..S.R 223 216 217,98 K
C:\WINDOWS\SYSTEM32\dnj801~1.dll Fri 3 Dec 2004 18:43:36 ..S.R 225 948 220,65 K
C:\WINDOWS\SYSTEM32\dnl401~1.dll Sat 4 Dec 2004 16:31:58 ..S.R 223 537 218,30 K
C:\WINDOWS\SYSTEM32\dnnm01~1.dll Thu 2 Dec 2004 19:48:08 ..S.R 223 084 217,86 K
C:\WINDOWS\SYSTEM32\dnp201~1.dll Fri 10 Dec 2004 19:58:14 ..S.R 224 693 219,43 K
C:\WINDOWS\SYSTEM32\dnr001~1.dll Tue 30 Nov 2004 9:48:02 ..S.R 225 938 220,64 K
C:\WINDOWS\SYSTEM32\eicapi.dll Sat 4 Dec 2004 19:18:14 ..S.R 225 635 220,34 K
C:\WINDOWS\SYSTEM32\en02l1~1.dll Fri 3 Dec 2004 22:43:22 ..S.R 224 150 218,89 K
C:\WINDOWS\SYSTEM32\f62m0g~1.dll Sun 5 Dec 2004 7:35:32 ..S.R 225 511 220,22 K
C:\WINDOWS\SYSTEM32\ftclient.dll Fri 3 Dec 2004 6:42:50 ..S.R 223 110 217,88 K
C:\WINDOWS\SYSTEM32\fwifs.dll Sat 4 Dec 2004 18:14:12 ..S.R 223 721 218,48 K
C:\WINDOWS\SYSTEM32\g4402e~1.dll Tue 30 Nov 2004 9:59:10 ..S.R 223 230 217,99 K
C:\WINDOWS\SYSTEM32\gpnol3~1.dll Sat 4 Dec 2004 13:09:42 ..S.R 222 884 217,66 K
C:\WINDOWS\SYSTEM32\h02o0a~1.dll Fri 3 Dec 2004 21:24:34 ..S.R 222 368 217,16 K
C:\WINDOWS\SYSTEM32\hr8u05~1.dll Wed 1 Dec 2004 8:15:40 ..S.R 226 116 220,82 K
C:\WINDOWS\SYSTEM32\hrn205~1.dll Sat 4 Dec 2004 8:08:50 ..S.R 223 204 217,97 K
C:\WINDOWS\SYSTEM32\irr2l5~1.dll Fri 3 Dec 2004 21:16:22 ..S.R 222 855 217,63 K
C:\WINDOWS\SYSTEM32\jt0o07~1.dll Tue 7 Dec 2004 7:47:02 ..S.R 224 277 219,02 K
C:\WINDOWS\SYSTEM32\jt4607~1.dll Mon 29 Nov 2004 19:03:22 ..S.R 223 286 218,05 K
C:\WINDOWS\SYSTEM32\jtp207~1.dll Wed 1 Dec 2004 22:29:24 ..S.R 223 279 218,04 K
C:\WINDOWS\SYSTEM32\k0lq0a~1.dll Wed 1 Dec 2004 22:40:34 ..S.R 223 532 218,29 K
C:\WINDOWS\SYSTEM32\k0pm0a~1.dll Fri 3 Dec 2004 19:49:54 ..S.R 222 979 217,75 K
C:\WINDOWS\SYSTEM32\kedinbe1.dll Thu 2 Dec 2004 16:32:22 ..S.R 223 125 217,89 K
C:\WINDOWS\SYSTEM32\kt8ol7~1.dll Sat 4 Dec 2004 10:46:28 ..S.R 225 287 220,00 K
C:\WINDOWS\SYSTEM32\ktr4l7~1.dll Tue 30 Nov 2004 10:14:42 ..S.R 222 956 217,73 K
C:\WINDOWS\SYSTEM32\l28mlc~1.dll Wed 1 Dec 2004 22:56:54 ..S.R 224 184 218,93 K
C:\WINDOWS\SYSTEM32\m2640c~1.dll Fri 3 Dec 2004 21:03:42 ..S.R 222 439 217,22 K
C:\WINDOWS\SYSTEM32\mv42l9~1.dll Fri 10 Dec 2004 21:49:42 ..S.R 225 942 220,64 K
C:\WINDOWS\SYSTEM32\mvrml9~1.dll Sat 4 Dec 2004 16:16:26 ..S.R 222 807 217,58 K
C:\WINDOWS\SYSTEM32\n64slg~1.dll Fri 3 Dec 2004 16:40:32 ..S.R 224 992 219,72 K
C:\WINDOWS\SYSTEM32\nfdenb32.dll Fri 3 Dec 2004 18:45:14 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\nkwrsno.dll Fri 3 Dec 2004 21:03:42 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\p26s0c~1.dll Fri 3 Dec 2004 20:28:02 ..S.R 222 589 217,37 K
C:\WINDOWS\SYSTEM32\q4nu0e~1.dll Mon 29 Nov 2004 8:42:54 ..S.R 222 927 217,70 K
C:\WINDOWS\SYSTEM32\rfm.dll Thu 2 Dec 2004 16:42:50 ..S.R 226 155 220,85 K
C:\WINDOWS\SYSTEM32\s6rslg~1.dll Sat 4 Dec 2004 16:22:46 ..S.R 223 106 217,88 K
C:\WINDOWS\SYSTEM32\sns.dll Fri 3 Dec 2004 16:50:58 ..S.R 223 246 218,01 K
C:\WINDOWS\SYSTEM32\wofeman.dll Fri 10 Dec 2004 21:49:42 ..S.R 224 693 219,43 K
===================================
Hijack this new log:
Logfile of HijackThis v1.98.2
Scan saved at 22:05:57, on 10/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\My Downloads\trojan\HijackThis.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
===============================
Indeed this stupid bin is not working properly since it says that there are 6 items to be deleted when nothing is in the bin...bizarre...
===============================
I leave the computer on.
Good luck!
Double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
Have you downloaded Killbox? We'll fix the recycle bin once we get rid of everything. In the meantime just be aware that anything you delete will probably not go to your recycle bin.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
10/12/2004 21:49 224 693 wofeman.dll
10/12/2004 21:49 225 942 mv42l9ho1.dll
10/12/2004 19:58 224 693 dnp2017oe.dll
07/12/2004 07:47 224 277 jt0o07d3e.dll
05/12/2004 07:35 225 511 f62m0gf1e62.dll
04/12/2004 22:16 222 876 d40m0ed1eh0.dll
04/12/2004 19:18 225 635 eicapi.dll
04/12/2004 18:14 223 721 fwifs.dll
04/12/2004 16:31 223 537 dnl4013qe.dll
04/12/2004 16:22 223 106 s6rslg9716.dll
04/12/2004 16:16 222 807 mvrml9911.dll
04/12/2004 13:34 225 998 aza0019me.dll
04/12/2004 13:09 222 884 gpnol3531.dll
04/12/2004 10:46 225 287 kt8ol7l31.dll
04/12/2004 08:08 223 204 hrn2055oe.dll
03/12/2004 22:43 224 150 en02l1do1.dll
03/12/2004 21:24 222 368 h02o0af3ed2.dll
03/12/2004 21:16 222 855 irr2l59o1.dll
03/12/2004 21:03 226 243 nkwrsno.dll
03/12/2004 21:03 222 439 m2640cjqefoe0.dll
03/12/2004 20:28 222 589 p26s0cj7efo.dll
03/12/2004 19:49 222 979 k0pm0a71ed.dll
03/12/2004 19:49 223 216 d6j02g1mg6.dll
03/12/2004 18:45 226 243 nfdenb32.dll
03/12/2004 18:43 225 948 dnj8011ue.dll
03/12/2004 16:50 223 246 sns.dll
03/12/2004 16:40 224 992 n64slgh7164.dll
03/12/2004 06:42 223 110 ftclient.dll
02/12/2004 19:48 223 084 dnnm0151e.dll
02/12/2004 17:14 223 082 czl3d32.dll
02/12/2004 16:42 226 155 rfm.dll
02/12/2004 16:32 223 125 kedinbe1.dll
01/12/2004 23:32 224 469 cjmcat.dll
01/12/2004 22:56 224 184 l28mlcl11fq.dll
01/12/2004 22:40 223 532 k0lq0a35ed.dll
01/12/2004 22:29 223 279 jtp2077oe.dll
01/12/2004 08:15 226 116 hr8u05l9e.dll
30/11/2004 10:14 222 956 ktr4l79q1.dll
30/11/2004 09:59 223 230 g4402ehmgh4a2.dll
30/11/2004 09:48 225 938 dnr0019me.dll
29/11/2004 19:03 223 286 jt4607hse.dll
29/11/2004 08:42 222 927 q4nu0e59eh.dll
29/10/2004 20:38 <DIR> Microsoft
42 File(s) 9 409 912 bytes
2 Dir(s) 63 042 990 080 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 042 990 080 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 21:50 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 042 990 080 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnp2017oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
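The Find.bat output in this post and the HijackThis log in the previous one show the same infection three ways: dozens of DLLs in System32 with random names and sizes between 222 368 and 226 243 bytes, a Winlogon\Notify subkey (ThemeManager here, RunOnce earlier) whose DllName points at one of them, and hosts-file lines that send search hostnames to 69.20.16.183. The script below is an added triage example, not code from the thread and not part of VX2Finder, Find.bat or HijackThis; it parses those three formats and flags that pattern, so a defender can spot the Notify hook that re-creates the DLLs rather than deleting files one by one. The sample inputs are constructed from values that appear in the thread's logs; the size band, the minimum cluster size and the list of search hostnames are assumptions.

```python
"""Added triage example for the logs in this thread (not code from the thread,
VX2Finder, Find.bat or HijackThis).  Sample inputs are constructed from values
seen in the posts; band, min_count and SEARCH_HOSTS are assumed thresholds."""
import re

# Constructed sample in the cmd "dir" format Find.bat prints.  The original
# listing used a non-breaking space as thousands separator (it shows up as a
# stray character after a code-page mix-up); parse_dir_listing() normalises it.
FIND_BAT_SAMPLE = """\
10/12/2004 22:10 <DIR> dllcache
10/12/2004 21:49 224 693 wofeman.dll
10/12/2004 21:49 225 942 mv42l9ho1.dll
10/12/2004 19:58 224 693 dnp2017oe.dll
04/12/2004 19:18 225 635 eicapi.dll
09/12/2002 21:35 488 logonui.exe.manifest
29/08/2002 13:00 1 024 sample_legit.dll
6 File(s) 902 475 bytes
"""
# Constructed REGEDIT4 export shaped like the "Keys Under Notify" section above.
NOTIFY_SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"""
# Constructed O1 lines; the 127.0.0.1 entry is a benign hosts-file block for contrast.
HJT_SAMPLE = """\
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 ieautosearch
"""

DIR_LINE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}) "
                      r"(?:<DIR>|(?P<size>\d{1,3}(?: \d{3})*)) (?P<name>\S+)$")
NOTIFY_SUBKEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                           r"\\CurrentVersion\\Winlogon\\Notify\\(?P<sub>[^\]]+)\]$", re.I)
DLLNAME = re.compile(r'^"DllName"="(?P<dll>.+)"$')
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+)$")
SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}

def parse_dir_listing(text):
    """Return [(name, size_bytes, 'dd/mm/yyyy hh:mm')] for file rows only."""
    files = []
    for raw in text.splitlines():
        line = raw.strip().replace("\xa0", " ").replace("\u00ff", " ")
        m = DIR_LINE.match(line)
        if not m or m.group("size") is None:
            continue  # <DIR> rows and File(s)/Dir(s) summary rows are skipped
        size = int(m.group("size").replace(" ", ""))
        files.append((m.group("name"), size, f"{m.group('date')} {m.group('time')}"))
    return files

def size_cluster(files, band=4096, min_count=3):
    """Lower-cased names of DLLs with at least min_count DLLs (itself included)
    within +/- band bytes of their size.  In the thread all 42 files sit between
    222 368 and 226 243 bytes, a spread under 4 KB, so the defaults catch them."""
    dlls = [(n, s) for n, s, _ in files if n.lower().endswith(".dll")]
    return {n.lower() for n, s in dlls
            if sum(1 for _, t in dlls if abs(t - s) <= band) >= min_count}

def parse_notify_export(text):
    """Return {subkey: dll_path} from a REGEDIT4 export of Winlogon\\Notify."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key: remember its subkey name, if any
            m = NOTIFY_SUBKEY.match(line)
            current = m.group("sub") if m else None
            continue
        m = DLLNAME.match(line)
        if m and current:
            result[current] = m.group("dll").replace("\\\\", "\\")  # undo .reg escaping
    return result

def hosts_hijacks(hjt_text):
    """Sorted (host, ip) pairs where a search hostname is mapped away from loopback."""
    hits = set()
    for line in hjt_text.splitlines():
        m = O1_LINE.match(line.strip())
        if m and m.group("host").lower() in SEARCH_HOSTS and not m.group("ip").startswith("127."):
            hits.add((m.group("host").lower(), m.group("ip")))
    return sorted(hits)

def triage(find_bat, notify_export, hjt_log):
    """Run all three checks.  A Notify DllName inside the size cluster is the
    persistence hook that re-creates the DLLs at the next logon."""
    cluster = size_cluster(parse_dir_listing(find_bat))
    notify = parse_notify_export(notify_export)
    hooks = {k: v for k, v in notify.items() if v.rsplit("\\", 1)[-1].lower() in cluster}
    return {"cluster": sorted(cluster), "notify": hooks, "hosts": hosts_hijacks(hjt_log)}

if __name__ == "__main__":
    for key, value in triage(FIND_BAT_SAMPLE, NOTIFY_SAMPLE, HJT_SAMPLE).items():
        print(key, value)
```

Feed the real logs in by reading the three files instead of the constants. The size band is the one signal that survives the random file names: every DLL in the thread's listing was written within two weeks and lands within a few kilobytes of the others, which is what a legitimate System32 never looks like, and the Notify hook is the entry that must go before any of the files, otherwise the next logon restores them under new names, exactly as the later logs in this thread show.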
Next, start Killbox and click on Tools->Delete Temp Files.
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINDOWS\SYSTEM32\aza0019me.dll
C:\WINDOWS\SYSTEM32\cjmcat.dll
C:\WINDOWS\SYSTEM32\czl3d32.dll
C:\WINDOWS\SYSTEM32\d40m0ed1eh0.dll
C:\WINDOWS\SYSTEM32\d6j02g1mg6.dll
C:\WINDOWS\SYSTEM32\dnj8011ue.dll
C:\WINDOWS\SYSTEM32\dnl4013qe.dll
C:\WINDOWS\SYSTEM32\dnnm0151e.dll
C:\WINDOWS\SYSTEM32\dnp2017oe.dll
C:\WINDOWS\SYSTEM32\dnr0019me.dll
C:\WINDOWS\SYSTEM32\eicapi.dll
C:\WINDOWS\SYSTEM32\en02l1do1.dll
C:\WINDOWS\SYSTEM32\f62m0gf1e62.dll
C:\WINDOWS\SYSTEM32\ftclient.dll
C:\WINDOWS\SYSTEM32\fwifs.dll
C:\WINDOWS\SYSTEM32\g4402ehmgh4a2.dll
C:\WINDOWS\SYSTEM32\gpnol3531.dll
C:\WINDOWS\SYSTEM32\h02o0af3ed2.dll
C:\WINDOWS\SYSTEM32\hr8u05l9e.dll
C:\WINDOWS\SYSTEM32\hrn2055oe.dll
C:\WINDOWS\SYSTEM32\irr2l59o1.dll
C:\WINDOWS\SYSTEM32\jt0o07d3e.dll
C:\WINDOWS\SYSTEM32\jt4607hse.dll
C:\WINDOWS\SYSTEM32\jtp2077oe.dll
C:\WINDOWS\SYSTEM32\k0lq0a35ed.dll
C:\WINDOWS\SYSTEM32\k0pm0a71ed.dll
C:\WINDOWS\SYSTEM32\kedinbe1.dll
C:\WINDOWS\SYSTEM32\kt8ol7l31.dll
C:\WINDOWS\SYSTEM32\ktr4l79q1.dll
C:\WINDOWS\SYSTEM32\l28mlcl11fq.dll
C:\WINDOWS\SYSTEM32\m2640cjqefoe0.dll
C:\WINDOWS\SYSTEM32\mv42l9ho1.dll
C:\WINDOWS\SYSTEM32\mvrml9911.dll
C:\WINDOWS\SYSTEM32\n64slgh7164.dll
C:\WINDOWS\SYSTEM32\nfdenb32.dll
C:\WINDOWS\SYSTEM32\nkwrsno.dll
C:\WINDOWS\SYSTEM32\p26s0cj7efo.dll
C:\WINDOWS\SYSTEM32\q4nu0e59eh.dll
C:\WINDOWS\SYSTEM32\rfm.dll
C:\WINDOWS\SYSTEM32\s6rslg9716.dll
C:\WINDOWS\SYSTEM32\sns.dll
C:\WINDOWS\SYSTEM32\wofeman.dll
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots, please post a new Find.bat log and a new Hijack This log.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat:
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63 042 265 088 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 042 265 088 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 08:57 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 042 265 088 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
===============================================
Hijack this:
Logfile of HijackThis v1.98.2
Scan saved at 09:00:01, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ˜/µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Next, start Killbox again and put a mark next to delete on reboot. Copy and paste this line into the "Full Path of File to Delete" box, clicking the red button with the white X on it. Then answer Yes to reboot:
C:\WINDOWS\system32\mv42l9ho1.dll
Then open VX2Finder which you ran earlier.
1) Click "Click To find Find VX2.Abetterinternet"
2) Click "User Agent$"
3) Click "Restore Policy" (requires reboot to apply).
After the above ...
4) Click "Click To find Find VX2.Abetterinternet" and post the log
Please post a new hijackthis log, find.bat log, and the VX2 Finder log. How is your computer running?
"PendingFileRenameOperations RegistryData has been removed by external process!
OK"
So the process you indicated to me does not work until the end. What do you think?
"PendingFileRenameOperationsRegistryData has been removed by external process! OK"
What do you think? I did not reboot the computer manually so far.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 19:08 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63 037 792 256 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 19:08 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 037 792 256 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 08:57 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 037 792 256 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
===========================================================
Here is Hijack:
Logfile of HijackThis v1.98.2
Scan saved at 22:14:52, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ˜/µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Next, start Killbox again and put a mark next to delete on reboot. Copy and paste this line into the "Full Path of File to Delete" box, clicking the red button with the white X on it. Then answer Yes to reboot:
C:\WINDOWS\system32\mv42l9ho1.dll
Reboot manually if it doesn't reboot automatically.
After reboot post a new hijackthis log and find.bat log.
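The two indicators that keep reappearing in the logs in this thread, the O1 hosts entries pointing search hostnames at 69.20.16.183 and the Winlogon\Notify\Applets subkey whose DllName is C:\WINDOWS\system32\mv42l9ho1.dll, can be checked mechanically rather than by eye. The Python script below is an added example for this thread, not code from HijackThis, find.bat or VX2Finder. It parses sample lines constructed from the logs above (the 127.0.0.1 localhost line and the crypt32chain subkey are constructed for contrast), groups O1 entries by target address, and flags any Notify package whose subkey is not in an allowlist. The allowlist of Windows XP notification packages is my assumption, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis O1/O4 lines in the shape of the logs in this
# thread, plus one loopback mapping that a clean hosts file would contain.
SAMPLE_HJT = """\
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed sample: the "Keys Under Notify" REGEDIT4 export from find.bat,
# with one legitimate Windows package (crypt32chain) added for contrast.
SAMPLE_NOTIFY = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")
LOOPBACK = {"127.0.0.1", "::1"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumption (not from the thread): Notify subkeys that ship with Windows XP.
# Anything else loads a third-party DLL into winlogon.exe at every logon.
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}


def hijacked_hosts(hjt_log):
    """Group O1 Hosts entries by target address, skipping loopback mappings.

    One non-loopback address collecting several hostnames (search portals in
    this thread) is the classic signature of a hosts-file search hijack.
    """
    by_ip = defaultdict(list)
    for line in hjt_log.splitlines():
        m = O1_RE.match(line.strip())
        if m and m.group(1) not in LOOPBACK:
            if m.group(2) not in by_ip[m.group(1)]:
                by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def parse_notify_export(reg_text):
    """Parse a REGEDIT4 export of Winlogon\\Notify into {subkey: {value: data}}.

    Only string values are decoded; REGEDIT4 writes backslashes as "\\\\", so
    they are unescaped here. dword values are skipped.
    """
    subkeys = {}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            path = k.group(1)
            if path.lower().startswith(NOTIFY_PREFIX.lower()):
                current = path[len(NOTIFY_PREFIX):]
                subkeys[current] = {}
            else:
                current = None  # the Notify parent key or an unrelated key
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            subkeys[current][v.group(1)] = v.group(2).replace("\\\\", "\\")
    return subkeys


def suspicious_notify_packages(reg_text):
    """Return {subkey: DllName} for Notify packages outside the allowlist."""
    flagged = {}
    for name, values in parse_notify_export(reg_text).items():
        if name not in KNOWN_NOTIFY_SUBKEYS:
            flagged[name] = values.get("DllName", "")
    return flagged


if __name__ == "__main__":
    for ip, names in hijacked_hosts(SAMPLE_HJT).items():
        print(f"hosts hijack: {ip} <- {', '.join(names)}")
    for name, dll in suspicious_notify_packages(SAMPLE_NOTIFY).items():
        print(f"unknown Winlogon Notify package: {name} -> {dll}")
```

The loopback mapping is ignored and every other address that collects hostnames is reported, so a clean hosts file yields an empty result. A Notify DLL is loaded into winlogon.exe and stays in use for the whole session, which is why deleting it from a normal desktop session fails and the thread falls back to delete-on-reboot.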
Logfile of HijackThis v1.98.2
Scan saved at 22:44:58, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ˜/µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
==================================
Find bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:39 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63 047 077 888 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:39 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 047 077 888 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:43 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 047 077 888 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
See if you can find and delete this file:
C:\WINDOWS\system32\mv42l9ho1.dll
Let me know if you can't find it.
Reboot and post a new find.bat log and hijackthis log.
Here are the logs:
Logfile of HijackThis v1.98.2
Scan saved at 23:00:10, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = ˜/µ
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
=======================
Find bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:00 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63 043 862 528 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:00 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 043 862 528 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:43 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 043 862 528 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
Logfile of HijackThis v1.98.2
Scan saved at 23:05:03, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\My Downloads\trojan\HijackThis.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
================================
Find bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:06 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63 045 488 640 bytes free
Hidden Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:06 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 045 488 640 bytes free
Files Named "Guard"
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
Temp Files in System32 Directory
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:04 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 045 488 640 bytes free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
Keys Under Notify
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
Xfind Results
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
Locate.com Results
I want to run one more scan to possibly pick up any remnants that we missed.
Download and install Adaware. Once installed, look in the bottom right corner and click on Check for updates now and download the latest reference files.
http://www.lavasoftusa.com/software/adaware/
Download and install the VX2 Cleaner addon for Adaware. Instructions are on this page.
http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
Reboot and post a hijackthis log.
added as the result of an unknown virus' then I click on delete, but the window keeps appearing every now and then, as well as spysweeper telling me that my IE home address has been changed, etc.
Logfile of HijackThis v1.98.2
Scan saved at 23:25:53, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab