msblank.html

"C:\WINDOWS\system32\msblank.html" is my start page in Internet Explorer and I can't change it. Need help!


This is my log



"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MsnMsgr" = ""C:\Program\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"WallpaperSS" = "C:\Program\WallpaperSS\WallpaperSS.exe" [file not found]
"TransparentIcons" = (empty string)
"Tweak-XP" = (empty string)
"TransTask" = (empty string)
"BlockAds" = (empty string)
"Spyware Doctor" = ""C:\Program\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"AutoUpdate" = "C:\Program\Serials3k\s3k_autoupdate.exe" [file not found]
"PhotoShow Deluxe Media Manager" = "C:\Program\Ahead\Ahead\data\Xtras\mssysmgr.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"PROMon.exe" = "PROMon.exe" ["Intel Corporation"]
"UC_SMB" = (empty string)
"Microsoft Works Update Detection" = "c:\Program\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
"WorksFUD" = "c:\Program\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
"Microsoft Works Portfolio" = "c:\Program\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
"Hot Key Kbd Daemon" = "SKDAEMON.EXE" [empty string]
"Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
"RealTray" = "C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
"Omnipage" = "C:\Program\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
"iamapp" = "C:\Program\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"NAV Agent" = "C:\Program\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\Program\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"UpdateManager" = ""C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"QuickTime Task" = ""C:\Program\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"msnappau" = ""C:\Program\MSN Apps\Updater\01.02.0002.1001\sv\msnappau.exe"" [file not found]
"dmrts.exe" = "C:\WINDOWS\system32\dmrts.exe" [null data]
"TraySantaCruz" = "C:\WINDOWS\system32\tbctray.exe" ["Voyetra Turtle Beach, Inc."]
"StopSignSsTsMon" = "Rundll32.exe "C:\Program\Acceleration Software\Anti-Virus\sstsmon.dll",VerifyStatus" [MS]
"webscan" = ""C:\Program\Acceleration Software\Anti-Virus\stopsignav.exe" -k" ["eAcceleration Corp"]
"Eac_Installer" = "C:\Program\DELADE~1\EACCEL~1\INSTAL~1\eaccelsetup.exe -AskToResumeDL" ["eAcceleration Corp"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{1C900459-DEEF-4aa9-B260-1EF0F0C70A8D}\(Default) = "e-kort Browser Helper Object"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Bhoekort.dll" ["Orbiscom Ltd. All rights reserved."]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]
{601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsbho2k0.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA"]
{A7327C09-B521-4EDB-8509-7D2660C9EC98}\(Default) = "Viewpoint Toolbar BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll" ["Viewpoint Corporation"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrollpanelstillägg för bildskärmspanorering"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikontillägg"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Skrivbordsutforskaren"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{7F29C172-E470-11D4-A635-0010A4FF64C9}" = "Finale Viewer Sheet Music"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Finale Viewer\smxplore.dll" ["MakeMusic! Inc."]
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
-> {CLSID}\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\IBM RecordNow!\shlext.dll" [null data]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play-enheter"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]
"{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}" = "StopSignRCS"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)
"run" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
"AppInit_DLLs" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csfij.exe" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
StopSignRCS\(Default) = "{BB83FD23-AC96-472D-8AA2-7D8560A61D1A}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Acceleration Software\Anti-Virus\dsshell.dll" ["eAcceleration Corp"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]
WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]


Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Holm Raimo\Application Data\WallpaperSS\Wallpaper.bmp"


Startup items in "Holm Raimo" & "All Users" startup folders:

C:\Documents and Settings\All Users\Start-meny\Program\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "C:\Program\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:

"Norton AntiVirus - Sök igenom datorn" -> launches: "C:\Program\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Verktygslåda" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\MSN Toolbar\01.01.2607.0\sv\msntb.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{F8AD5AA5-D966-4667-9DAF-2561D68B2012}" = "Viewpoint Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program\Viewpoint\Viewpoint Toolbar\ViewBar.dll" ["Viewpoint Corporation"]

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\MSN Toolbar\01.01.2607.0\sv\msntb.dll" [file not found]

"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\bcomc.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Informationshanteraren" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Informationshanteraren"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program\Messenger\msmsgs.exe" [file not found]


Miscellaneous IE Hijack Points

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):

Intel(R) NMS, NMSSvc, "C:\WINDOWS\System32\NMSSvc.exe" ["Intel Corporation"]
IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Machine Debug Manager, MDM, ""C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect, navapsvc, "C:\Program\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, ""C:\Program\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, ""C:\Program\Norton Internet Security\SymProxySvc.exe"" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, ""C:\Program\Norton Internet Security\NISSERV.EXE"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
SymWMI Service, SymWSC, ""C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
(total run time: 45 seconds, including 6 seconds for message boxes)

Comments

  • edited September 2005
    Please make sure all hidden system files and folders are visible:

    Open "My Computer">click TOOLS>click FOLDER OPTIONS>click the "View" tab>tick "show hidden files and folders" and uncheck hide file extensions>click apply, ok and then exit.


    In HijackThis, place a checkmark next to these entries and then click Fix Checked. Be sure you close all other open windows before proceeding:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINNT3\System32\msblank.html
    O2 - BHO: Class - {9401C07C-61CA-FA08-FF6C-4846E0E6479F} - C:\WINNT3\msia32.dll (file missing)
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT3\System32\popcorn72.exe rundll.dll,LoadMouseProfile
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.95.218.83/users/sex/web/cool.chm::/on.exe

    Delete these files or folders if they exist:

    C:\WINNT3\System32\msblank.html
    C:\WINNT3\msia32.dll
    C:\WINNT3\System32\popcorn72.exe

    Download the trial version of ewido security suite. Save the setup file to a convenient location. Run the setup file for ewido and then open it when setup is complete. Update ewido with the latest signatures. Run ewido and remove all infected objects.

    Post a new log when finished.
  • edited September 2005
    Thank You

    The problem with msblank.html is solved, and I have put my new log here:

    "Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "MsnMsgr" = ""C:\Program\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
    "WallpaperSS" = "C:\Program\WallpaperSS\WallpaperSS.exe" [file not found]
    "TransparentIcons" = (empty string)
    "Tweak-XP" = (empty string)
    "TransTask" = (empty string)
    "BlockAds" = (empty string)
    "Spyware Doctor" = ""C:\Program\Spyware Doctor\swdoctor.exe" /Q" [file not found]
    "AutoUpdate" = "C:\Program\Serials3k\s3k_autoupdate.exe" [file not found]
    "PhotoShow Deluxe Media Manager" = "C:\Program\Ahead\Ahead\data\Xtras\mssysmgr.exe" [file not found]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "PROMon.exe" = "PROMon.exe" ["Intel Corporation"]
    "UC_SMB" = (empty string)
    "Microsoft Works Update Detection" = "c:\Program\Microsoft Works\WkDetect.exe" ["Microsoft® Corporation"]
    "WorksFUD" = "c:\Program\Microsoft Works\wkfud.exe" ["Microsoft® Corporation"]
    "Microsoft Works Portfolio" = "c:\Program\Microsoft Works\WksSb.exe /AllUsers" ["Microsoft® Corporation"]
    "Hot Key Kbd Daemon" = "SKDAEMON.EXE" [empty string]
    "Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]
    "RealTray" = "C:\Program\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
    "Omnipage" = "C:\Program\ScanSoft\OmniPageSE\opware32.exe" ["ScanSoft, Inc"]
    "UpdateManager" = ""C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
    "QuickTime Task" = ""C:\Program\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "msnappau" = ""C:\Program\MSN Apps\Updater\01.02.0002.1001\sv\msnappau.exe"" [file not found]
    "iamapp" = "C:\Program\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
    "Symantec NetDriver Monitor" = "C:\Program\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
    "dmazq.exe" = "C:\WINDOWS\system32\dmazq.exe" [null data]
    "NAV Agent" = "C:\Program\NORTON~2\navapw32.exe" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {1C900459-DEEF-4aa9-B260-1EF0F0C70A8D}\(Default) = "e-kort Browser Helper Object"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Bhoekort.dll" ["Orbiscom Ltd. All rights reserved."]
    {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdsg.dll" [file not found]
    {601ED020-FB6C-11D3-87D8-0050DA59922B}\(Default) = "Ipswitch.WsftpBrowserHelper"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsbho2k0.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA"]
    {A7327C09-B521-4EDB-8509-7D2660C9EC98}\(Default) = "Viewpoint Toolbar BHO" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll" ["Viewpoint Corporation"]
    {B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdpb.dll" [file not found]
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrollpanelstillägg för bildskärmspanorering"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikontillägg"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Skrivbordsutforskaren"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\msohev.dll" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{7F29C172-E470-11D4-A635-0010A4FF64C9}" = "Finale Viewer Sheet Music"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Finale Viewer\smxplore.dll" ["MakeMusic! Inc."]
    "{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}" = "Sony Digital Voice File Shell Extention Module"
    -> {CLSID}\InProcServer32\(Default) = "IcdShlex.dll" ["Sony Corporation"]
    "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\IBM RecordNow!\shlext.dll" [null data]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play-enheter"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]

    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    "load" = (value not set)
    "run" = (value not set)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
    "AppInit_DLLs" = (value not set)

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    INFECTION WARNING! "System" = "csfcm.exe" [null data]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WinRAR\rarext.dll" [null data]
    WS_FTP\(Default) = "{797F3885-5429-11D4-8823-0050DA59922B}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\WS_FTP Pro\wsftpsi.dll" ["Ipswitch, Inc. 81 Hartwell Ave. Lexington MA"]


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Holm Raimo\Application Data\WallpaperSS\Wallpaper.bmp"


    Startup items in "Holm Raimo" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start-meny\Program\Autostart
    "Adobe Gamma Loader" -> shortcut to: "C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
    "Microsoft Office" -> shortcut to: "C:\Program\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Enabled Scheduled Tasks:

    "Norton AntiVirus - Sök igenom datorn" -> launches: "C:\Program\NORTON~2\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
    000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Verktygslåda" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\MSN Toolbar\01.01.2607.0\sv\msntb.dll" [file not found]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{F8AD5AA5-D966-4667-9DAF-2561D68B2012}" = "Viewpoint Toolbar" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Viewpoint\Viewpoint Toolbar\ViewBar.dll" ["Viewpoint Corporation"]

    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\MSN Toolbar\01.01.2607.0\sv\msntb.dll" [file not found]

    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\Norton Antivirus\NavShExt.dll" ["Symantec Corporation"]

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {9455301C-CF6B-11D3-A266-00C04F689C50}\ = "Encarta &Informationshanteraren" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "c:\Program\Delade filer\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
    "ButtonText" = "Spyware Doctor"
    "CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program\SPYWAR~1\tools\iesdpb.dll" [file not found]

    {9455301C-CF6B-11D3-A266-00C04F689C50}\
    "ButtonText" = "Informationshanteraren"

    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com"

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program\Messenger\msmsgs.exe" [file not found]


    Miscellaneous IE Hijack Points

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    Running Services (Display Name, Service Name, Path {Service DLL}):

    Intel(R) NMS, NMSSvc, "C:\WINDOWS\System32\NMSSvc.exe" ["Intel Corporation"]
    IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
    Machine Debug Manager, MDM, ""C:\Program\Delade filer\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    Norton AntiVirus Auto-Protect, navapsvc, "C:\Program\Norton Antivirus\navapsvc.exe" ["Symantec Corporation"]
    Norton Internet Security Accounts Manager, NISUM, ""C:\Program\Norton Internet Security\NISUM.EXE"" ["Symantec Corporation"]
    Norton Internet Security Proxy Service, SymProxySvc, ""C:\Program\Norton Internet Security\SymProxySvc.exe"" ["Symantec Corporation"]
    Norton Internet Security Service, NISSERV, ""C:\Program\Norton Internet Security\NISSERV.EXE"" ["Symantec Corporation"]
    NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
    RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]}
    Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
    SymWMI Service, SymWSC, ""C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    (total run time: 39 seconds, including 13 seconds for message boxes)
  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited September 2005
    Sorry about the long delay. We're working on beefing up our SWAT TEAM staff. Do you still need help with this issue?

    If so, make sure you read the instructions here, and post an updated HJT log, and someone will take care of you very soon.

    Thanks for your patience!

    :)
  • edited September 2005
    Thank You
    My problem is solved and I don't need help with this issue.

    railas