Post by: Havasivi on February 18, 2005, 01:57:09 PM
I have a problem with my task manager to show up when i press CTRL ALT DEL. (also when i right click and choose task manager)
Sometimes i can see it for a brief second but then it closes, also at startup it works but after a certain program starts (not sure wich) it closes as usual.
This also happens with regedit and services.msc in the "Run..." thingie.
I suspect a virus or something but i have searched for viruses with NOD32 both in normal windows and in safe mode, and i havn't found anything.
I see people have posted Hijackthis logs so i guess i should too...
here it is:
Logfile of HijackThis v1.99.0
Scan saved at 18:59:40, on 2005-02-18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program\Winamp\winampa.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
E:\Program\RedLine\Taskbar.exe
C:\WINDOWS\System32\wsmct.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Eset\nod32kui.exe
C:\WINDOWS\System32\DNSCHDQV.EXE
E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program\GrabClipSave\GrabClipSave.exe
C:\Program\MessengerDiscovery\MessengerDiscovery.exe
C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
E:\program\redline\gameutil.exe
E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
E:\Program\Winamp\winamp.exe
E:\Program\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program\Eset\nod32krn.exe
E:\Program\Alias\Maya6.0\docs\jre\bin\java.exe
E:\Program\RealVNC\VNC4\WinVNC4.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nemo\Mina dokument\Unzipped\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ (http://\"http://www.google.se/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\System32\NaviHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\Program\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RedLine Taskbar] E:\Program\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Config] DNSCHDQV.EXE
O4 - HKLM\..\RunServices: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Steam] "e:\program\steam\steam.exe" -silent
O4 - HKCU\..\Run: [GCS] "C:\Program\GrabClipSave\GrabClipSave.exe"
O4 - HKCU\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Windows Config] DNSCHDQV.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C9DF7C-B0B9-4DD5-BC8A-DDC82D201555}: NameServer = 81.26.226.3,81.26.229.3
O23 - Service: *wuauclt.exe - Unknown - C:\WINDOWS\System32\wsmct.exe
O23 - Service: Adobe LM Service - Unknown - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server - Unknown - E:\Program\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows 32-bit PnP Driver - Unknown - C:\WINDOWS\System32\winpnp32.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - E:\Program\RealVNC\VNC4\WinVNC4.exe
------------------------------
here it ends
/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' />Ok i'm gratefull for any reply and help i can get, thanks in advance.
PS. sorry if the english sucks
/tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' /> i'm swedish /rolleyes.gif\' class=\'bbc_emoticon\' alt=\':rolleyes:\' />
Post by: guestolo on February 18, 2005, 03:04:12 PM
Can I get you to do me a favor
I need you to update your version of Hijackthis
You can get the latest copy from my signature below
Save it to a Permanent folder
Post back a log from this version
Post by: Havasivi on February 18, 2005, 07:57:25 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />the site were down or something so i couldn't answer before but here's another log with the newer Hijackthis.
---------------------------------start
Logfile of HijackThis v1.99.1
Scan saved at 01:45:22, on 2005-02-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wsmct.exe
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program\Winamp\winampa.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
E:\Program\RedLine\Taskbar.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\DNSCHDQV.EXE
E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program\GrabClipSave\GrabClipSave.exe
C:\Program\MessengerDiscovery\MessengerDiscovery.exe
C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
E:\program\redline\gameutil.exe
E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
E:\Program\Winamp\winamp.exe
E:\Program\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program\Eset\nod32krn.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program\Alias\Maya6.0\docs\jre\bin\java.exe
E:\Program\RealVNC\VNC4\WinVNC4.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Documents and Settings\Nemo\Mina dokument\Unzipped\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ (http://\"http://www.google.se/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\System32\NaviHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\Program\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RedLine Taskbar] E:\Program\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Config] DNSCHDQV.EXE
O4 - HKLM\..\RunServices: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Steam] "e:\program\steam\steam.exe" -silent
O4 - HKCU\..\Run: [GCS] "C:\Program\GrabClipSave\GrabClipSave.exe"
O4 - HKCU\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [Windows Config] DNSCHDQV.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C9DF7C-B0B9-4DD5-BC8A-DDC82D201555}: NameServer = 81.26.226.3,81.26.229.3
O20 - Winlogon Notify: WB - C:\Program\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - E:\Program\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
----------------end
i think it looks the same but then again, i don't get much of it at all...
anyways i'm sitting here happily waiting for a reply
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> (not now.. i'm going to bed /tongue.gif\' class=\'bbc_emoticon\' alt=\':P\' /> good night)
Post by: guestolo on February 19, 2005, 01:05:46 AM
Quote
the site were down or something so i couldn't answer before but here's another log with the newer HijackthisNo worries, I had the same trouble accessing the site on my side
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/...s/tds3setup.exe (http://\"http://www.diamondcs.com.au/tds/downloads/tds3setup.exe\")
Install it and Restart your computer when prompted
Don't run a scan yet
When your back in Windows it's important to update the latest RADIUS database
IMPORTANT>>>Right click the link below, select "save target as" or save link as
http://www.diamondcs.com.au/tds/radius.td3 (http://\"http://www.diamondcs.com.au/tds/radius.td3\")
Save it to the directory where you installed TDS-3
The default location should be
C:\Program Files\TDS3
Allow it to overwrite the previous radius.td3
If your unsure how to update it follow the instructions from this link
http://tds.diamondcs.com.au/index.php?page=update (http://\"http://tds.diamondcs.com.au/index.php?page=update\")
Follow the Manual update procedure
Again, don't run a scan yet
Print this out or save to a Notepad file for easy access
Restart into Safe mode without Network connection
You can do this by tapping the F8 key as The system is booting up
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Detections will appear in the lower pane of tds window after the scan is finished Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later
After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION
Restart back to Normal mode
Post a fresh Hijackthis log and the scandump.txt from TDS-3
Post by: Havasivi on February 19, 2005, 11:22:19 AM
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> taskmanager is working again.thank you thank you thank you
/laugh.gif\' class=\'bbc_emoticon\' alt=\':lol:\' /> it took a long time to scan but it was worth it.
here's the logs if you still wanna see them:
------------------start
Logfile of HijackThis v1.99.1
Scan saved at 17:14:37, on 2005-02-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program\Winamp\winampa.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\Logitech\iTouch\iTouch.exe
E:\Program\RedLine\Taskbar.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
E:\Program\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program\Eset\nod32krn.exe
C:\Program\GrabClipSave\GrabClipSave.exe
C:\Program\MessengerDiscovery\MessengerDiscovery.exe
E:\Program\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program\RealVNC\VNC4\WinVNC4.exe
E:\program\redline\gameutil.exe
E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program\Winamp\winamp.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nemo\Mina dokument\Unzipped\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ (http://\"http://www.google.se/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\System32\NaviHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\Program\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RedLine Taskbar] E:\Program\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Config] DNSCHDQV.EXE
O4 - HKLM\..\RunServices: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Steam] "e:\program\steam\steam.exe" -silent
O4 - HKCU\..\Run: [GCS] "C:\Program\GrabClipSave\GrabClipSave.exe"
O4 - HKCU\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C9DF7C-B0B9-4DD5-BC8A-DDC82D201555}: NameServer = 81.26.226.3,81.26.229.3
O20 - Winlogon Notify: WB - C:\Program\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - E:\Program\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
-----------------end
and:
--------------------start
Scan Control Dumped @ 17:09:16 19-02-05
Positive identification: Worm.Win32.Small.b
File: c:\windows\system32\winpnp32.exe
Suspicious Filename: Dual extensions
File: c:\documents and settings\nemo\mina dokument\mina filer\bsplayer100.811.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\nemo\mina dokument\mina filer\cs\furious sp\furioussp.exe
Positive identification <Adv>: Possible WebDownloader
File: c:\documents and settings\nemo\mina dokument\mina filer\cs\furioussp\furioussp.exe
Suspicious Filename: Dual extensions
File: c:\documents and settings\nemo\mina dokument\mina filer\max payne 2\hellsing.mod.exe
Positive identification (embedded in file): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\documents and settings\nemo\mina dokument\mina filer\the punisher\punisherscoretrainer\trainer.exe
Positive identification (embedded in file): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\documents and settings\nemo\mina dokument\mina filer\thief 3\t3trainer15\thief 3 +15 trainer.exe
Positive identification: Riskware.ProcessRestart
File: c:\program\logitech\desktop messenger\8876480\6.1.4.61-8876480l\program\restart.exe
Suspicious Filename: Dual extensions
File: c:\program\messenger plus! 3\plugins\stuffplug-ng\talker.bub.vbs
Positive identification: RAT.Spyboter.fn
File: c:\recycler\nprotect\00024892.exe
Positive identification: RAT.Spyboter.fn
File: c:\windows\system32\dnschdqv.exe
Positive identification: RAT.Spyboter.fn
File: c:\windows\system32\wingated.exe
Positive identification: Worm.Win32.Small.b
File: c:\windows\system32\winpnp32.exe
Positive identification: DDoS.RAT.rBot.att
File: c:\windows\system32\wsmct.exe
Positive identification: RAT.Agent.dn
File: c:\windows\system32\wtmsv.exe
Suspicious Filename: Dual extensions
File: d:\backup\mina dokument\mina filer\bsplayer100.811.exe
Positive identification <Adv>: Possible WebDownloader
File: d:\backup\mina dokument\mina filer\cs\furious sp\furioussp.exe
Positive identification <Adv>: Possible WebDownloader
File: d:\backup\mina dokument\mina filer\cs\furioussp\furioussp.exe
Suspicious Filename: Dual extensions
File: d:\backup\mina dokument\mina filer\max payne 2\hellsing.mod.exe
Positive identification (embedded in file): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: d:\backup\mina dokument\mina filer\thief 3\t3trainer15\thief 3 +15 trainer.exe
Suspicious Filename: Dual extensions
File: d:\backup\program\messenger plus! 3\plugins\stuffplug-ng\talker.bub.vbs
Suspicious Filename: Dual extensions
File: d:\my downloads\dc++\converting to vcd from avi,divx,dv,asf,mov,smr,wmv,mpeg tmpgenc-0.11.26.110.exe
------------------end
again thank you thank you thank you!
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: guestolo on February 19, 2005, 12:01:21 PM
I need you to do a couple of things
I've uploaded a couple of files at the bottom of this reply box
NoNav.zip and RemoveWin.zip
Save them both to your desktop and UNZIP the contents to your desktop
We'll need these later
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When Installing Ad-Aware may update and start a scan
Ensure it is updated but don't run a scan yet
Print the rest of this out or save it to a Notepad file on the desktop for reference
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: NaviHelperObj Class - {3E422F49-1566-40D3-B43D-077EF739AC32} - C:\WINDOWS\System32\NaviHelper.dll
O4 - HKLM\..\Run: [*wuauclt.exe] wsmct.exe
O4 - HKLM\..\Run: [Windows Config] DNSCHDQV.EXE
O4 - HKLM\..\RunServices: [*wuauclt.exe] wsmct.exe
O4 - HKCU\..\Run: [*wuauclt.exe] wsmct.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.145/x15.chm::/trs15.exe
O23 - Service: Windows 32-bit PnP Driver (winpnp32) - Unknown owner - C:\WINDOWS\System32\winpnp32.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart into Safe mode
Delete these files if found
C:\foo.mht <--file
C:\WINDOWS\Debug\dcpromo.log <--file
Double click on NoNav.reg and allow it to merge to the registry
Double click on RemoveWin.reg and allow it too
Go to START>>RUN>>type in
%temp%
Hit OK
Click EDIT>>SELECT ALL
Delete the Selected
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content
Stay in safe mode
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode
Post back with a fresh Hijackthis log
Could you also
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the Whole contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS
Name the file as LSA.bat
and save it on the Desktop
Quote
regedit /e LSA.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
Double click on LSA.bat
A new file will be produced called LSA.reg
Right click on LSA.reg and select EDIT
Copy and paste back the contents, thanks
Post by: Havasivi on February 19, 2005, 02:24:00 PM
I also removed those things you said in Hijackthis.
How do you know what to be removed? i didn't see anything wierd with those files, but i guess you're the pro here so you know best.
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />I couldn't find C:\foo.mht but i found something similar and i removed that one and another file that had the same filesize that i didn't know what it was. And i also removed C:\WINDOWS\Debug\dcpromo.log. And all temp files.
And i did the other thing you said.
So here's the LSA.reg file:
---------start
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
---------end >>Edited unneeded entries ~guestolo~
and the Hijackthis logfile:
---------start
Logfile of HijackThis v1.99.1
Scan saved at 20:07:12, on 2005-02-19
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\D-Tools\daemon.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program\Winamp\winampa.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe
C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program\Logitech\iTouch\iTouch.exe
C:\Program\Logitech\MouseWare\system\em_exec.exe
E:\Program\RedLine\Taskbar.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Eset\nod32kui.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
E:\Program\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program\GrabClipSave\GrabClipSave.exe
C:\Program\MessengerDiscovery\MessengerDiscovery.exe
C:\Program\Eset\nod32krn.exe
C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
E:\Program\Alias\Maya6.0\docs\jre\bin\java.exe
E:\program\redline\gameutil.exe
E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program\RealVNC\VNC4\WinVNC4.exe
E:\Program\Winamp\winamp.exe
C:\Documents and Settings\Nemo\Mina dokument\Unzipped\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/ (http://\"http://www.google.se/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.3000.1001\sv\msntb.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.02.3000.1001\sv\msnappau.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [awxDTools] rundll32 C:\Program\arniWORX\AWXDTO~1\awxDTools.dll,awxRegisterDll /r /s
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RedLine Taskbar] E:\Program\RedLine\Taskbar.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] C:\Program\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "E:\Program\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Steam] "e:\program\steam\steam.exe" -silent
O4 - HKCU\..\Run: [GCS] "C:\Program\GrabClipSave\GrabClipSave.exe"
O4 - HKCU\..\Run: [MessengerDiscovery] C:\Program\MessengerDiscovery\MessengerDiscovery.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://\"http://messenger.msn.com/download/msnmessengersetupdownloader.cab\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{87C9DF7C-B0B9-4DD5-BC8A-DDC82D201555}: NameServer = 81.26.226.3,81.26.229.3
O20 - Winlogon Notify: WB - C:\Program\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - E:\Program\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program\Eset\nod32krn.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - E:\Program\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
--------end
Okay i think that's it, thank you again for your help. I think that one annoying popup i've been having actually has stopped now
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: guestolo on February 19, 2005, 02:54:01 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Go to start>>Run>>type in regedit
Hit OK
Navigate to this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
as follows>>Expand(+)
+HKEY_LOCAL_MACHINE
+SYSTEM
+CurrentControlSet
+Control
Left click and Highligt Lsa
On the right hand side look for this entry with the exact name
restrictanonymous
Right click on it and left click Modify
Change the value data to 0
Hit OK
Exit the Registry Editor
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!
Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
This entry in your log
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
Is related too TDS-3, as mentioned it's good for 30 days
You may choose to hold onto for the full amount of time
If you do you should Manually update TDS-3 again before your time expires and run another scan
After you uninstall TDS-3 and restart your computer if that entry is still in your Hijackthis log you can have Hijackthis fix it......
Stay safe
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: Havasivi on February 20, 2005, 03:29:56 PM
thank you once again
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> hopefully everything will work fine from now on.Thank you!
/ph34r.gif\' class=\'bbc_emoticon\' alt=\':ph34r:\' />
Post by: guestolo on February 20, 2005, 03:58:27 PM
I'll lock this topic as your problems appear to be resolved
If you need it reopened PM a Mod or the site Admin
Supply a link to this thread