TheTechGuide Forum

General Category => Tech Clinic => Topic started by: media on February 03, 2006, 03:51:56 AM

Title: no idea what this is
Post by: media on February 03, 2006, 03:51:56 AM
I was playing Counter-Strike and I got this random popup from my Messenger on my toolbar by the clock. It said "fatal error" and that I need to repair something inside of my registry; to fix it I have to go to www.win-repair.com. I went there and downloaded their program, and to fix the selected items I need to buy it. I'm not sure if they are trying to get my account or what is going on. It says Repair Registry Pro has found 566 errors on my computer; when I click "view details" they all say hklm/software/ and then it's all different from there. My computer has been acting weird lately, slower than normal. I run 2 computers on 1 router; they were both running VERY slow on the internet, so I disconnected and used the modem directly to my computer and it works fine, so something is up with that too. Well, I hope someone can help me fix this. Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:16 AM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Danny\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134343202906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134343190750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

I run Avast, Ad-Aware SE, Ewido, and CleanUp, and everything is good :/ I've also tried that Panda online scanner too. Please help.
Title: no idea what this is
Post by: guestolo on February 03, 2006, 11:05:43 AM
Hi media, let's see what we can clean
First off, let me warn you
DO NOT Trust any software you see from Popups on your computer
Most are not recommended software to be running on your machine

Can you do the following please
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- MESSENGER

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
APPLY it and exit out
This will stop the popups>>Spam  you see thru the Messenger service
That service is not the same as Msn messenger fyi

NEXT:
Access your add/remove programs and remove the registry cleaner you downloaded thru popups
Repair Registry Pro

Reboot the computer afterwards

Back in Windows

******************************************************
When I ask you to download a zip file, make sure you choose SAVE TO DISK rather than Open
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot  and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip)
Reminder, choose SAVE rather than OPEN
Then Extract (UNZIP) the contents to the (C:\BFU) folder you just made

RIGHT CLICK HERE (http://metallica.geekstogo.com/p2pnetwork.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
Save it in the folder you made earlier (c:\BFU)
********************************************************

==Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only
Don't run it yet

==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)

When installing, under "Additional Options" Uncheck
 "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

==Ad-Aware is a great program, but can I also have you
Download and Install Spybot 1.4 from
HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
 or HERE (http://www.safer-networking.org/en/download/index.html)

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check the boxes and then download all updates
After update is complete
Close out, we'll need it later

Now that you have the tools, let's try some fixes
Please  save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!


RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

Once in safe mode
Open the C:\BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the C:\BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Wait for the "complete script execution" box to pop up and press OK.
Press exit to terminate the BFU program.

=======================================
Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

If you use Firefox browser
     Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
     Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
===================================================

==Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:
I've purposely omitted one entry to fix with HijackThis, but if everything went well earlier, it will be gone now; still, tick the one below if it is still found

O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART your computer  back to Normal mode

Back in Windows can I see the following logs please
1. Run a "Scan and Save logfile" with Hijackthis and post the fresh log
2. Post the whole report you saved earlier from Ewido <- I forgot to add the bold, sorry for any confusion, but can I see the Ewido report too
Title: no idea what this is
Post by: media on February 03, 2006, 03:11:20 PM
OK, after I did everything you said, I scanned with HJT and that file wasn't there, so that's the only part that I didn't do. Here is my Ewido report:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         11:24:52 AM, 2/3/2006
 + Report-Checksum:      8A3C360B

 + Scan result:

   No infected objects found.


::Report End

and here is my latest HJT log,

Logfile of HijackThis v1.99.1
Scan saved at 11:55:39 AM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Danny\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TaskTray] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"
O4 - HKCU\..\Run: [TaskBar] "C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134343202906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134343190750
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Tell me what to do next. By the way, my internet is still suppppper slow; I've called them and they blamed my router. Any ideas? I'm on Adelphia cable. Thanks.
Title: no idea what this is
Post by: guestolo on February 03, 2006, 03:39:08 PM
I suspect that you may have a leftover still affecting you
Although this is not malicious, it may be the cause
I wish I could have seen the report from Panda's scan that you ran earlier; it may have given some indication

Do you have Apple's iTunes installed?

Let's try the following
Make a new restore point please
Go to START>>RUN>>In the open field
Type in msconfig
Click OK
Click the "Launch System Restore" button
Click the Create a New Restore Point
Name it and then click Create

This is just a restore point to fall back on in case we must undo a change

From this link
http://www.cexx.org/lspfix.htm
Download and save to your desktop LSPFix.exe
Open LSPFix
Disconnect completely from the Internet
Close down all Browser windows, including this one

With ONLY LSP fix open
Check "I know what I'm doing".
Then select all instances of mdnsnsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (the Removal Pane). Click Finish <-- you may have to scroll down a bit to see it; Finish is NOT the X button at the top

Reboot the computer
Any better?
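An added example (not code from this thread, from HijackThis, or from LSPFix) that reads HijackThis logs like the two posted above the way a helper does: it flags the O10 Winsock LSP entry, flags any O4 Run entry tied to a product installed from a popup, and diffs the before and after logs to show which startup entries the safe-mode cleanup removed. The log excerpts and the product-name list are constructed from this thread; `parse_entries`, `removed_entries` and `review_items` are names chosen here.

```python
"""Triage a HijackThis 1.99 log the way a forum helper reads it.

Added example, not code from the thread or from HijackThis itself.
Parses O4 (Run keys) and O10 (Winsock LSP) finding lines, flags the ones a
helper asks about, and diffs two logs to show what a cleanup removed.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the first log in the thread (before cleanup).
BEFORE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [winupdates] C:\\Program Files\\winupdates\\winupdates.exe /auto
O4 - HKLM\\..\\Run: [Repair Registry Pro] C:\\Program Files\\Repair Registry Pro\\RepairRegistryPro.exe -s
O4 - HKCU\\..\\Run: [Steam] "c:\\program files\\valve\\steam\\steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Constructed excerpt of the second log (after the safe-mode cleanup).
AFTER_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [Steam] "c:\\program files\\valve\\steam\\steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\\program files\\bonjour\\mdnsnsp.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Every HJT finding starts with a section tag such as "O4", "O10", "R0".
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# O4 body: HKLM\..\Run: [value name] command   ("\..\" is HJT's abbreviation)
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<dll>.+)$")


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for each finding line; process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def removed_entries(before: str, after: str) -> List[Tuple[str, str]]:
    """Findings present in the earlier log but gone from the later one, in log order."""
    later = set(parse_entries(after))
    return [e for e in parse_entries(before) if e not in later]


def review_items(text: str, popup_products: Tuple[str, ...] = ()) -> Dict[str, List[str]]:
    """Collect the entries a helper would want explained before fixing anything.

    O10 lines name a Winsock LSP DLL that sits in the path of every socket
    call; in this thread the helper treated the one shown as a non-malicious
    leftover and removed it with LSPFix.  O4 lines are checked against the
    caller's list of products installed from popups (here, the registry
    "repair" tool the poster was pushed to buy).
    """
    findings: Dict[str, List[str]] = {"lsp": [], "popup_run": []}
    for section, body in parse_entries(text):
        if section == "O10":
            m = LSP_RE.match(body)
            if m:
                findings["lsp"].append(m.group("dll").strip())
        elif section == "O4":
            m = RUN_RE.match(body)
            if m is None:
                continue
            haystack = (m.group("name") + " " + m.group("cmd")).lower()
            if any(p.lower() in haystack for p in popup_products):
                findings["popup_run"].append(m.group("name"))
    return findings


if __name__ == "__main__":
    for item, found in review_items(BEFORE_LOG, ("Repair Registry Pro",)).items():
        print(item, found)
    for section, body in removed_entries(BEFORE_LOG, AFTER_LOG):
        print("removed:", section, body)
```

Running it against the two excerpts lists the LSP DLL and the popup-installed Run entry for review, and shows the two O4 entries that no longer appear after the cleanup.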
Title: no idea what this is
Post by: media on February 03, 2006, 03:56:44 PM
When I first opened Internet Explorer, everything was way fast, starting to slow down a little, but that's how gay Adelphia has always been. I think you fixed it, my friend. I ran a performance test on toast.net and it's not all low and slow. This is exactly why I love you guys. Shall I reconnect my router and the other PC to see if that is working good too, then get back to you? Thanks a million, guestolo.
Title: no idea what this is
Post by: guestolo on February 03, 2006, 03:58:18 PM
I just want one more check please
Download F-Secure's BlackLight from HERE (http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe) and save it to your Desktop.
Locate and double click blbeta.exe to run it - you will need to accept the license agreement.

Click the Scan button to start and then Next when it has finished scanning.(this scan won't take too long)
A text file, fsbl-date/time, will be saved to your Desktop, copy and paste this into your next post.
Title: no idea what this is
Post by: media on February 03, 2006, 04:01:58 PM
here you are,

02/03/06 12:59:53 [Info]: BlackLight Engine 1.0.30 initialized
02/03/06 12:59:53 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/03/06 12:59:53 [Note]: 7019 4
02/03/06 12:59:53 [Note]: 7005 0
02/03/06 12:59:56 [Note]: 7006 0
02/03/06 12:59:56 [Note]: 7011 1424
02/03/06 12:59:57 [Note]: FSRAW library version 1.7.1014
02/03/06 12:59:57 [Error]: 4000 5
02/03/06 12:59:57 [Note]: 4005 5
02/03/06 12:59:57 [Error]: 4000 5
02/03/06 12:59:57 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:58 [Error]: 4000 5
02/03/06 12:59:58 [Note]: 4005 5
02/03/06 12:59:59 [Error]: 4000 5
02/03/06 12:59:59 [Note]: 4005 5
02/03/06 12:59:59 [Error]: 4000 5
02/03/06 12:59:59 [Note]: 4005 5
02/03/06 12:59:59 [Error]: 4000 5
02/03/06 12:59:59 [Note]: 4005 5
02/03/06 12:59:59 [Error]: 4000 5
02/03/06 12:59:59 [Note]: 4005 5
02/03/06 12:59:59 [Error]: 4000 5
02/03/06 12:59:59 [Note]: 4005 5
02/03/06 13:00:00 [Error]: 4000 5
02/03/06 13:00:00 [Note]: 4005 5
02/03/06 13:00:00 [Error]: 4000 5
02/03/06 13:00:00 [Note]: 4005 5
02/03/06 13:00:01 [Error]: 4000 5
02/03/06 13:00:01 [Note]: 4005 5
02/03/06 13:00:02 [Error]: 4000 5
02/03/06 13:00:02 [Note]: 4005 5
02/03/06 13:00:02 [Error]: 4000 5
02/03/06 13:00:02 [Note]: 4005 5
02/03/06 13:00:02 [Error]: 4000 5
02/03/06 13:00:02 [Note]: 4005 5
02/03/06 13:00:02 [Error]: 4000 5
02/03/06 13:00:02 [Note]: 4005 5
02/03/06 13:00:03 [Error]: 4000 5
02/03/06 13:00:03 [Note]: 4005 5
02/03/06 13:00:03 [Error]: 4000 5
02/03/06 13:00:03 [Note]: 4005 5
02/03/06 13:00:04 [Error]: 4000 5
02/03/06 13:00:04 [Note]: 4005 5
02/03/06 13:00:05 [Error]: 4000 5
02/03/06 13:00:05 [Note]: 4005 5
02/03/06 13:00:05 [Error]: 4000 5
02/03/06 13:00:05 [Note]: 4005 5

now what?
Title: no idea what this is
Post by: guestolo on February 03, 2006, 04:09:20 PM
It appears okay

Now you will have to track down whether you have a Router problem
Can I see a hijackthis log from the other computer
Title: no idea what this is
Post by: guestolo on February 03, 2006, 04:21:09 PM
Wanted you to run this also on the first computer
Save Silent Runners.vbs (http://www.silentrunners.org/Silent%20Runners.vbs) to your desktop and double click on it to run.
If prompted by your AV, please let this script run, we are just collecting information

 This will create a text file on your desktop
Open the text file and copy and paste the contents back here

NOTE: let silentrunners completely finish, it should prompt when it is done
Title: no idea what this is
Post by: media on February 03, 2006, 05:24:53 PM
I reconnected the router and now both computers' internet is extremely slow, so I took it off and hooked it straight into my computer and it's working fine. I take that back: it's slow, then fast, then slow, and so on. I'm just gonna go ahead and buy a new router. I don't understand what this Silent Runners is; can you explain it to me? Here is that thing's log if you need it:

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"TaskTray" = ""C:\Program Files\Creative\SBAudigy\TaskBar\CTLTray.exe"" [file not found]
"TaskBar" = ""C:\Program Files\Creative\SBAudigy\TaskBar\CTLTask.exe"" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Steam" = ""c:\program files\valve\steam\steam.exe" -silent" ["Valve Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"" [empty string]
"CTStartup" = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run" ["Creative Technology Ltd."]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe"  -lang 1033" ["DAEMON'S HOME"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [file not found]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Danny\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 46 seconds, including 15 seconds for message boxes)

Good/bad? Let me know what's going on with this thing please. What's its purpose? "we are just collecting information" <- ?
Title: no idea what this is
Post by: guestolo on February 03, 2006, 06:11:38 PM
I was just checking for other registry entries

Not sure why Blacklight showed so many errors
Can you try one more scan that won't take long
Then we can nail it down to the Router

Download RootkitRevealer
Scroll to the bottom of that page for the download link

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Unzip RootkitRevealer.zip to desktop and double click on RootkitRevealer.exe
Once open click on SCAN
Sit back and wait for the scan to finish
Once finished
Copy and paste back here the whole log
Title: no idea what this is
Post by: media on February 03, 2006, 06:21:50 PM
This is the 2nd log from blbeta:

02/03/06 15:13:13 [Info]: BlackLight Engine 1.0.30 initialized
02/03/06 15:13:13 [Info]: OS: 5.1 build 2600 (Service Pack 1)
02/03/06 15:13:13 [Note]: 7019 4
02/03/06 15:13:13 [Note]: 7005 0
02/03/06 15:13:18 [Note]: 7006 0
02/03/06 15:13:18 [Note]: 7011 1408
02/03/06 15:13:18 [Note]: FSRAW library version 1.7.1014
02/03/06 15:13:19 [Error]: 4000 5
02/03/06 15:13:19 [Note]: 4005 5
02/03/06 15:13:20 [Error]: 4000 5
02/03/06 15:13:20 [Note]: 4005 5
02/03/06 15:13:20 [Error]: 4000 5
02/03/06 15:13:20 [Note]: 4005 5
02/03/06 15:13:20 [Error]: 4000 5
02/03/06 15:13:20 [Note]: 4005 5
02/03/06 15:13:20 [Error]: 4000 5
02/03/06 15:13:20 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:21 [Error]: 4000 5
02/03/06 15:13:21 [Note]: 4005 5
02/03/06 15:13:22 [Error]: 4000 5
02/03/06 15:13:22 [Note]: 4005 5
02/03/06 15:13:22 [Error]: 4000 5
02/03/06 15:13:22 [Note]: 4005 5
02/03/06 15:13:22 [Error]: 4000 5
02/03/06 15:13:22 [Note]: 4005 5
02/03/06 15:13:23 [Error]: 4000 5
02/03/06 15:13:23 [Note]: 4005 5
02/03/06 15:13:24 [Error]: 4000 5
02/03/06 15:13:24 [Note]: 4005 5
02/03/06 15:13:24 [Error]: 4000 5
02/03/06 15:13:24 [Note]: 4005 5
02/03/06 15:13:24 [Error]: 4000 5
02/03/06 15:13:24 [Note]: 4005 5
02/03/06 15:13:25 [Error]: 4000 5
02/03/06 15:13:25 [Note]: 4005 5
02/03/06 15:13:25 [Error]: 4000 5
02/03/06 15:13:25 [Note]: 4005 5
02/03/06 15:13:26 [Error]: 4000 5
02/03/06 15:13:26 [Note]: 4005 5
02/03/06 15:13:26 [Error]: 4000 5
02/03/06 15:13:26 [Note]: 4005 5
02/03/06 15:13:26 [Error]: 4000 5
02/03/06 15:13:26 [Note]: 4005 5
02/03/06 15:13:27 [Error]: 4000 5
02/03/06 15:13:27 [Note]: 4005 5
02/03/06 15:13:27 [Error]: 4000 5
02/03/06 15:13:27 [Note]: 4005 5
02/03/06 15:13:27 [Error]: 4000 5
02/03/06 15:13:27 [Note]: 4005 5
02/03/06 15:13:27 [Error]: 4000 5
02/03/06 15:13:27 [Note]: 4005 5
02/03/06 15:13:27 [Error]: 4000 5
02/03/06 15:13:27 [Note]: 4005 5
02/03/06 15:13:28 [Error]: 4000 5
02/03/06 15:13:28 [Note]: 4005 5
02/03/06 15:13:28 [Error]: 4000 5
02/03/06 15:13:28 [Note]: 4005 5
02/03/06 15:13:28 [Error]: 4000 5
02/03/06 15:13:28 [Note]: 4005 5
02/03/06 15:13:29 [Error]: 4000 5
02/03/06 15:13:29 [Note]: 4005 5
02/03/06 15:13:29 [Error]: 4000 5
02/03/06 15:13:29 [Note]: 4005 5
02/03/06 15:13:29 [Error]: 4000 5
02/03/06 15:13:29 [Note]: 4005 5
02/03/06 15:13:30 [Error]: 4000 5
02/03/06 15:13:30 [Note]: 4005 5
02/03/06 15:13:31 [Error]: 4000 5
02/03/06 15:13:31 [Note]: 4005 5
02/03/06 15:13:32 [Error]: 4000 5
02/03/06 15:13:32 [Note]: 4005 5
02/03/06 15:13:40 [Note]: 7007 0

and here is RootkitRevealer's log,

HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40   2/3/2006 1:28 PM   0 bytes   Hidden from Windows API.
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf   2/3/2006 3:16 PM   44.58 KB   Hidden from Windows API.

and one more time, what's Silent Runners?
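The two RootkitRevealer lines above are the part of this exchange worth automating once you have to triage such output on more than one machine. What follows is an example added by the editor, not code from the thread or from Sysinternals: it parses RootkitRevealer's tab-separated discrepancy lines (here flattened to runs of spaces, as they were pasted) and applies two triage heuristics that are the editor's own, not RootkitRevealer logic. The driver-name list assumes d347prt/d347bus are the DAEMON Tools SCSI emulation drivers, which hide their own Cfg subkeys from the registry API; the scan window used for the Prefetch rule is constructed, since the thread does not record when the scan ran; and the sample lines are constructed copies of the two posted.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Fields: path, timestamp, size, description. RootkitRevealer writes them
# tab-separated; pasted into a forum the tabs become runs of spaces, so the
# regex keys on the shape of each field rather than on the delimiter.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)
REG_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\")

# Assumption (editor's): these are the DAEMON Tools SCSI emulation drivers,
# which deliberately hide their own Cfg subkeys from the Windows registry API.
EMULATOR_DRIVERS = {"d347prt", "d347bus"}

# Constructed sample: the two lines posted in the thread, whitespace as pasted.
SAMPLE_LOG = r"""
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40   2/3/2006 1:28 PM   0 bytes   Hidden from Windows API.
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf   2/3/2006 3:16 PM   44.58 KB   Hidden from Windows API.
"""
# Constructed scan window; the thread does not say when RootkitRevealer ran.
SCAN_WINDOW = (datetime(2006, 2, 3, 15, 10), datetime(2006, 2, 3, 15, 20))


@dataclass
class Discrepancy:
    path: str
    timestamp: datetime
    size: str
    description: str

    @property
    def kind(self) -> str:
        return "registry" if self.path.upper().startswith(REG_ROOTS) else "file"


def parse_line(line: str) -> Optional[Discrepancy]:
    """Parse one discrepancy line; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Discrepancy(
        path=m["path"],
        timestamp=datetime.strptime(m["ts"], "%m/%d/%Y %I:%M %p"),
        size=m["size"],
        description=m["desc"],
    )


def triage(d: Discrepancy, scan_start: datetime, scan_end: datetime) -> str:
    """Editor's heuristics, most specific first. Anything unexplained stays 'investigate'."""
    if d.kind == "registry":
        m = re.search(r"\\services\\([^\\]+)\\cfg\\", d.path, re.IGNORECASE)
        if m and m.group(1).lower() in EMULATOR_DRIVERS:
            return "known pattern: emulation driver hides its own Cfg keys; confirm the product is installed"
        return "investigate: hidden registry key with no known owner"
    low = d.path.lower()
    if "\\prefetch\\" in low and low.endswith(".pf") and scan_start <= d.timestamp <= scan_end:
        return "likely scan artifact: Prefetch entry written during the scan; re-scan to confirm"
    return "investigate: hidden file"


def triage_log(text: str, scan_start: datetime, scan_end: datetime) -> list:
    """Return (path, verdict) pairs for every parseable line in the pasted log."""
    results = []
    for line in text.splitlines():
        d = parse_line(line)
        if d is not None:
            results.append((d.path, triage(d, scan_start, scan_end)))
    return results


if __name__ == "__main__":
    for path, verdict in triage_log(SAMPLE_LOG, *SCAN_WINDOW):
        print(f"{verdict}\n    {path}")
```

A hidden Prefetch entry whose timestamp falls inside the scan window is the classic false positive (the file was written while the scanner walked the directory), and the right check is to re-scan and see whether it persists. A hidden registry key is only explained when the product that owns the driver is actually installed on the box; otherwise it stays on the investigate list.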
Title: no idea what this is
Post by: guestolo on February 03, 2006, 08:05:43 PM
Okay, What is Silent Runners?
Read it for yourself :)
http://www.silentrunners.org/sr_thescript.html

Do you have the documentation for your router? Are there help files on the router's website?
It may be a configuration setting.

Just one more check please
Can you download winsockxpfix.exe (http://www.snapfiles.com/get/winsockxpfix.html)
Save it to your desktop

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Open WinsockXP Fix with all other windows closed, including this one,
Run the FIX please
The computer should reboot, or reboot manually
Does that help your connection?

It won't help the Router issue, but you may be able to manually reset the Router
And then reconfigure the router settings
May or may not help
Title: no idea what this is
Post by: media on February 05, 2006, 01:22:37 AM
OK, yeah, now I understand Silent Runners, cool. I don't have any papers for my router except my receipt. On the site it says 3 year warranty for my router and I bought it in Aug 03, so I'm just going to return it and have it fixed or get another one. Alright, I ran ATF-Cleaner and I ran the WinsockXP Fix and restarted. Everything is opening on command on the internet and on my computer itself, but I didn't have a little problem when I was looking through my Windows folder: my toolbar froze at the bottom, so I minimized everything open and my desktop icons were gone, wallpaper up but everything was frozen. I hit Ctrl-Alt-Del and closed my applications that were open and it's fine so far, no idea why it did that. I know I'm kinda low on memory on my HD, like 15 gigs left; does that have anything to do with it? Also my stupid dad is using my computer now and downloaded PartyPoker. Yeah, I deleted it and everything to do with it, except in my Internet Explorer: I go to Tools at the top and right above Internet Options it says "partypoker.com". I guess not a problem, but it's bugging me that it's there; can I get rid of it? I hope it's not all simple and I look like an idiot, hahaha. Well, I hope you can identify my frozen desktop and maybe prevent future problems like that, and help me with the IE.
Title: no idea what this is
Post by: guestolo on February 05, 2006, 01:46:41 AM
Quote
Everything is opening on command on the internet and on my computer itself, but I didn't have a little problem when I was looking through my Windows folder: my toolbar froze at the bottom, so I minimized everything open and my desktop icons were gone, wallpaper up but everything was frozen. I hit Ctrl-Alt-Del and closed my applications that were open and it's fine so far, no idea why it did that. I know I'm kinda low on memory on my HD, like 15 gigs left; does that have anything to do with it?
I don't know what you mean by all that??? :unsure:

Quote
Dad is using my computer now and downloaded PartyPoker. Yeah, I deleted it and everything to do with it, except in my Internet Explorer: I go to Tools at the top and right above Internet Options it says "partypoker.com". I guess not a problem, but it's bugging me that it's there; can I get rid of it?
Can you show me a new hijackthis log please
Title: no idea what this is
Post by: media on February 05, 2006, 02:33:01 AM
1st quote: I mean, everything is running fine, except my computer froze, so I did Ctrl-Alt-Del, closed applications and it worked. I just wanted to know why it did that.

2nd quote: never mind all that, I already fixed it, but thanks.
Title: no idea what this is
Post by: guestolo on February 06, 2006, 05:02:47 PM
Sorry for the delay, How is everything running now?