DuarteR
asked on
Cannot get rid of adware/trojan - runsrv32.exe , a.exe , users32.exe...
For the last couple of days I have been infected with adware.
What happens is that on opening IE the default home page comes up as a Windows Security Center clone saying "alert spyware detected on your computer!" It is made to look like a bona fide Windows page but it redirects to anti-spyware box.com.
There are also popups in the bottom right of the screen and in the middle warning of spyware (nothing to do with my resident software). It also prevents you from ending processes in the Windows Task Manager.
I have tried all of the usual anti-virus/adware/spyware scans but they cannot remove this.
The problem stems from the system32 folder, which on startup runs runsrv32.exe (I have deleted it with regedit in safe mode and from the folder but it comes back); there is also a runsrv32.dll. I think the main daddy is a.exe in system32. I cannot delete it in safe mode or otherwise - it says it is being used by another program, but it doesn't show as a running process. I have also tried after having killed runsrv32.exe with Process Explorer. In the processes there is also a user32.exe which spawns qirkvy.exe (the popup).
Any ideas appreciated.
ASKER
Here is the HijackThis log file to help:
http://www.hijackthis.de/logfiles/a2dba9ec08d59392c07c53dea6f9a0c5.html
The following look like they will need deleting:
C:\WINDOWS\system32\users32.exe (THIS WILL NEED DELETING ON REBOOT TO STOP INFECTION AGAIN)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe (THIS WILL NEED DELETING ON REBOOT TO STOP INFECTION AGAIN)
HijackThis enables deletion on reboot. The users32.exe entry is what keeps infecting you. There seem to be a lot of possible spyware programs listed, and other applications, but you will have to look at directories and names to decide whether they are of importance.
Sorry, you will need to run HijackThis, then click on Config and then select "Delete file on reboot", browse to the files and then restart your computer, as well as deleting the above entries.
"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe"
I don't think this is anything bad, please don't remove this entry.
YEAH, SORRY, DON'T DELETE F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
Are you familiar with this application?
"O23 - Service: SSO Plus (pgpwdmon) - PassGo Technologies - C:\PROGRA~1\PASSGO~1\SSOPLU~1\pgpwdmon.exe"
You can follow steps suggested by johnsy32 and then reboot and see if things are better.
If not, follow the steps at this link:
http://www.technibble.com/case-study-removing-a-virusadware-not-detected-by-scanners/
If that doesn't do it post back and I have some more specific tips. Thanks.
Hi,
Your log is showing the roguescan app and purityscan.
Please follow these:
1. Download roguescanfix_setup.
http://users.telenet.be/Beamerke/tools/roguescanfix_setup.exe
Doubleclick roguescanfix_setup to install it.
After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.
Note: This tool needs internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here. http://www.merijn.org/files/bfu.zip
Unzip it and place BFU.exe in the c:\program files\roguescanfix-folder. Then doubleclick Roguescanfix.bat again.
The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs are finished before you click Yes to reboot.
A textfile will open. Place the contents of that file in your next reply, along with a new Hijackthis logfile.
(The text file can also be found at c:\program files\roguescanfix\task.txt)
2. Your log is showing purityscan/OIN
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.
Can you please scan with hijackthis again and post the link to a new hijackthis log?
We want to look at it again after you've run roguescanfix and the OIN uninstaller.
Some files like a.exe etc. that roguescanfix can't take care of, smitrem will.
Please also run smitrem by Noahdfear.
Download SmitRem.exe and save the file to the Desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double click on the file to extract it to its own folder on the Desktop.
Now, reboot to Safe Mode:
Next, open the SmitRem folder
-Double click the "RunThis.bat" file to start the tool.
-Follow the prompts on screen.
The Desktop and icons disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while.
When done, the log created by the smitRem tool is located at C:\smitfiles.txt
Restart your computer.
You can also use SmitfraudFix instead of Smitrem, they both do the same thing.
SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Tell us if "user32.exe" still exists after you run those tools.
>>>"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe"
I don't think this is anything bad, please don't remove this entry.<<<
Yes that entry is valid. Fixing or not Fixing it won't hurt your system.
It appears in the HijackThis log because the line in the registry is wrong; that's why HijackThis picked it up (it could only be the comma "," missing in the registry), caused by a legit app or by malware.
Fixing it with hijackthis won't do any harm, hijackthis will revert the entry back to its default correct entry.
Fixing does not delete the file, fixing it will correct the line in the registry.
Not fixing it is also okay, so it's up to you.
The entry in the registry looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\System32\Userinit.exe,"
if the comma is missing, hijackthis will pick up that line as suspicious and when you fix the entry, hijackthis will put the comma back to correct it.
In addition, if you know a file needs to be deleted you can download Unlocker to unlock the process that is holding the file. Then it can be deleted.
http://ccollomb.free.fr/unlocker/
You can also use the Recovery console from your Windows CD to login via an MS-DOS based shell and delete the file that way. Though this can sometimes be a pain if you use RAID or SCSI because you will need the driver disk handy.
ASKER
New log:
http://www.hijackthis.de/logfiles/e2323bbae6b60da662295c3ec80ef7a6.html
I have used Unlocker to delete a.exe as well as runsrv32.exe, runsrv32.dll and users32.exe, but they all respawn. a.exe is connected to explorer.exe as shown by Unlocker.
rpgamergirl's software suggestions have not worked.
This one is a tough little biatch.
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
This one also needs deleting; it is described as a Browser Helper Object that displays advertisements and downloads and installs files, and could be re-infecting you over and over.
As well as the ones that need deleting on boot, as I mentioned before.
Are the directories and entries with PassGo Technologies ones that you know are safe?
ASKER
Deleted susp.exe with HijackThis and the others mentioned,
but that entry as well as the runsrv32.exe and the (no name) entries all come back after reboot, and so does a.exe - all the files reappear in system32.
The PassGo stuff is legit - it automatically inputs passwords on websites for me.
Is there anything suspicious in your startup folder?
Start > All Programs > Startup
Are the PartyPoker entries also legit?
ASKER
The PartyPoker entries are just leftovers from when I uninstalled PartyPoker.
As for starting programs, I use jv16 PowerTools and the only sus thing is the runsrv32.exe which spawns itself even after deleting the file and registry entries.
ASKER
If this helps, here are my running processes shown in Process Explorer:
Process PID CPU Description Company Name
System Idle Process 0 93.08
Interrupts n/a Hardware Interrupts
DPCs n/a 0.77 Deferred Procedure Calls
System 4 0.77
smss.exe 596 Windows NT Session Manager Microsoft Corporation
csrss.exe 792 Client Server Runtime Process Microsoft Corporation
winlogon.exe 824 Windows NT Logon Application Microsoft Corporation
services.exe 884 0.77 Services and Controller app Microsoft Corporation
svchost.exe 1084 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1144 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1216 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1316 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1368 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1548 Spooler SubSystem App Microsoft Corporation
pgpwdmon.exe 1716 SSO Plus Password Player Service PassGo Technologies
pgpwdmon.exe 1748 SSO Plus Password Player Service PassGo Technologies
schedul2.exe 1740 Acronis Scheduler 2 Acronis
aswUpdSv.exe 1792
ashServ.exe 1824 avast! antivirus service
svchost.exe 1864 Generic Host Process for Win32 Services Microsoft Corporation
ewidoctrl.exe 216 ewido control ewido networks
nvsvc32.exe 244 NVIDIA Driver Helper Service, Version 53.03 NVIDIA Corporation
sdhelp.exe 296 PC Tools Research Pty Ltd
svchost.exe 756 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 844 Windows User Mode Driver Manager Microsoft Corporation
ashMaiSv.exe 2620 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 2740 avast! Web Scanner ALWIL Software
alg.exe 3032 Application Layer Gateway Service Microsoft Corporation
svchost.exe 3540 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 896 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 576 Windows Explorer Microsoft Corporation
rundll32.exe 1948 Run a DLL as an App Microsoft Corporation
pctspk.exe 2000 pctvoice MFC Application
jusched.exe 2040 Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc.
ashDisp.exe 2096 avast! service GUI component
issch.exe 2232 InstallShield Update Service Scheduler InstallShield Software Corporation
TrueImageMonitor.exe 2304 TrueImage Acronis
schedhlp.exe 2352 Acronis Scheduler Helper Acronis
ssotray.exe 2544 SSO Plus System Tray App PassGo Technologies
realsched.exe 2588 RealNetworks Scheduler RealNetworks, Inc.
procexp.exe 2956 4.62 Sysinternals Process Explorer Sysinternals
iexplore.exe 3788 Internet Explorer Microsoft Corporation
jv16 PowerTools.exe 508 jv16 PowerTools
iexplore.exe 3792 Internet Explorer Microsoft Corporation
EM_EXEC.EXE 2108 Logitech Events Handler Application Logitech Inc.
How about manually going into the registry and deleting suspicious entries in
HKEY_LOCAL_MACHINE > SOFTWARE > MICROSOFT > WINDOWS > CURRENT VERSION > RUN
Then deleting any entries with hijackthis again, and deleting files again on reboot.
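Added example, not code from the thread or from any of the tools it names: a read-only PowerShell audit of the two registry locations discussed in this thread, the Winlogon Userinit value (the F2 line, including the trailing-comma check described above) and the Run/RunOnce keys (the O4 lines). It assumes Windows PowerShell 5.1 on a modern Windows, run elevated; the expected Userinit path is derived from $env:SystemRoot, everything else is read from the registry.

```powershell
# Added example: audit Winlogon Userinit and the Run keys. Reports only, changes nothing.

$WinlogonKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ExpectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','

function Test-UserinitValue {
    # Returns a list of findings. An empty list means the value is the default
    # "<SystemRoot>\system32\userinit.exe," that HijackThis expects, trailing comma included.
    param([string]$Value, [string]$Expected = $ExpectedUserinit)
    $findings = @()
    $entries  = @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $first    = $Expected.TrimEnd(',')
    if (-not $Value.TrimEnd().EndsWith(',')) {
        $findings += 'trailing comma missing (this alone makes HijackThis report an F2 line)'
    }
    if ($entries.Count -eq 0 -or $entries[0] -ne $first) {
        $findings += "first entry is '$($entries[0])' instead of '$first'"
    }
    if ($entries.Count -gt 1) {
        # Anything listed after userinit.exe is also started at every logon.
        $findings += 'additional programs started at logon: ' +
                     ($entries[1..($entries.Count - 1)] -join '; ')
    }
    return $findings
}

function Get-RunEntries {
    # One object per value under the Run/RunOnce keys, with a file-exists and
    # Authenticode check on the executable. Parsing of the command line is crude:
    # an unquoted path containing spaces will show up as Exists = False; review by hand.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = $false
            $sig    = $null
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $exists = $true
                $sig    = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Exists    = $exists
                Signature = $sig
            }
        }
    }
}

# Userinit check
$userinit = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
Write-Host "Userinit = $userinit"
$findings = Test-UserinitValue -Value $userinit
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'Userinit is the expected default.' }

# Run-key entries worth a second look: missing file or no valid signature
Get-RunEntries |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

An unsigned executable in the Run keys is not proof of malware (plenty of legitimate older software is unsigned), but it narrows the list down to the entries that deserve a look at the directory and name, as johnsy32 suggests.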
Here is what I suggest:
First identify and locate all the bad .exe and .dll files (probably in c:\windows or c:\windows\system32)
Then:
(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)
(1) Right click on the file in Windows Explorer or My Computer, select Properties
(2) Click on the Security tab.
(3) Click on the Advanced button.
(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"
(5) Repeat steps (1) to (4) for each of the other files
(6) Close all windows.
(7) Reboot. (normal mode).
After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.
At this point you can clean up with HJT and with standard anti-spyware programs.
The success of this method depends on getting all the files in one go (steps (1) to (4) repeated for each)
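Added example, not r-k's own code: the PowerShell equivalent of steps (1) to (4) above, applied to every file in one go so none is missed. It assumes Windows PowerShell 5.1 run elevated; the file list is the set of names from this thread and is a placeholder to adjust.

```powershell
# Added example: strip inheritance and every ACE from each listed file, so no one can
# open (and therefore run) it, then report how many ACEs remain. Adjust the list first.
$suspectFiles = @(
    "$env:SystemRoot\system32\a.exe",
    "$env:SystemRoot\system32\runsrv32.exe",
    "$env:SystemRoot\system32\runsrv32.dll",
    "$env:SystemRoot\system32\users32.exe"
)

function Remove-AllAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not present" }
    $acl = Get-Acl -LiteralPath $Path
    # Step (4): uncheck "Inherit from parent" and choose "Remove" (do not copy inherited ACEs).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any explicit ACEs as well, leaving an empty DACL.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    $remaining = (Get-Acl -LiteralPath $Path).Access.Count
    return "$Path : $remaining ACEs remain"
}

# Step (5): repeat for each file, then close everything and reboot (steps 6 and 7).
$suspectFiles | ForEach-Object { Remove-AllAccess -Path $_ }
```

As the owner of the file you can still restore permissions later from the Security tab, which is also how to verify afterwards, as r-k asks below, whether something has quietly put them back.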
Try this from the GeeksToGo forum:
http://www.geekstogo.com/forum/You_Must_Read_This_Before_Posting_A_Hijackthis_Log-t2852.html
These steps remove most spyware/malware without any additional steps. Once you complete the steps let us see the new HJT log.
ASKER
r-k, just tried your method but no luck. When I click Internet Explorer to get to this page, users32.exe runs in the processes.
<<i have deleted it with regedit in safemode and from the folder but it comes back) >>
have you stopped system restore?
d_may
"when i click internet explorer to get to this page users32.exe runs in the processes"
Can you double-check by looking at the Security Properties for that file that all permissions have been removed?
ASKER
r-k, I double checked that permissions had been removed, but the check box is now ticked again.
ASKER
pyroman - my first course of action when this virus/adware first appeared was to use Spybot + CWShredder + Ad-Aware SE + SpySweeper + ewido + avast + Spyware Doctor.
Are you saying that permissions to that file got restored again? The malware is getting very clever these days!
Try the following:
(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
(2) Run the program. It lists a bunch of things that start when Windows starts.
(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
then click on the Refresh button in the toolbar.
(4) This will give you a shorter, more meaningful list.
(5) Examine that list and disable anything clearly bad by un-checking it. Then reboot and see if it helped.
(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then copy and paste it here.
Did you disable system restore as d_may suggested? Also run CleanUp to remove any unnecessary files and make your scans run faster.
You mentioned using Unlocker, did you also try deleting the files from Recovery Console? That way no Windows processes will be running when you delete the files.
ASKER
OK, I have just tried r-k's method again in safe mode with System Restore off - permissions all denied on the 4 files that I believe are causing the problems. Then deleted them (still in safe mode), removed registry entries with regedit and HijackThis, and double checked all traces had been removed with jv16 PowerTools. Also made sure the about:blank IE start page was gone. The processes running during this seemed safe.
Then I restarted again in safe mode and checked if they had returned - the files were not present, so I thought I'd done it.
Restarted in normal mode - the files are back again.
I think there must be another file in there somewhere that I'm missing, but I haven't a clue what it could be.
I still have to try the Recovery Console thing, but this is my 3rd night in a row trying to solve this thing; I'm getting tired.
Try using NirSoft's CurrProcess to find out what modules are loading with the processes you have running. Maybe that will help you find any other files that shouldn't be loading at startup, so you can delete them.
http://www.nirsoft.net/utils/cprocess.html
"I think there must be another file in there somewhere..."
Yes, I would say that. The Autoruns log is about as complete as you can get. Try that when you have the time.
ASKER CERTIFIED SOLUTION
Can we please see the SmitfraudFix log? There might be a bad entry in SharedTaskScheduler.
If you used Smitfraudfix, run option 2
Save yourself some time and just do System Restore...
Sorry.. I had spent around ten minutes typing a fix to your problem
and the page refreshed by mistake..
good luck.
ASKER
Cannot do a System Restore as I had turned it off.
Used the SmitfraudFix and it seemed to do the trick:
SmitFraudFix v2.56
Scan done at 20:38:32.29, 09/06/2006
Run from C:\Documents and Settings\Dooey\Desktop\New Folder
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\bg.gif Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\wstart.dll Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
But users32.exe comes back and starts the popups.
By the way, like an idiot I was in jv16 in the file tools, clicked "show system dll files" and, thinking it was 'unused' dll files, I selected all and clicked remove - I cancelled when I realised my mistake, but I fear I may have removed vital dll files, although I haven't noticed any system malfunctions as of yet.
For all those idiots telling people to turn off System Restore: they have no idea what they are talking about.
The first reason people tell others to disable System Restore is because viruses and other malware may be hiding in certain restore points and/or you will not be able to detect them with anti-virus/anti-spyware applications. In a sense this is true; the folder that they never tell you about is C:\System Volume Information. This is where all those restore points are kept, and this folder is hidden by default. If you choose to display hidden and system files and then try to access it you will be given an access denied error. But there is a way to bypass this restriction with a simple command in the command line:
CACLS "C:\System Volume Information" /E /C /G (Username):F
*Use the above without parentheses*
Other variations:
http://www.theeldergeek.com/system_volume_information_folder1.htm
After you have granted yourself permission to access the folder you may now proceed to use anti-spyware and anti-virus programs, which will now be able to scan for files in that folder.
And as always, though viruses/malware may be in certain restore points, restoring to an earlier one will almost always guarantee a virus/malware-free environment, after which you can delete the system restore points and be proud that you may have saved yourself a lot of time.
where exactly is that users32.exe located?
Can you give us the exact location? Have you tried Killboxing it using the "delete on reboot" option?
Try these too:
1. Download About:Buster 6.0.
http://www.malwarebytes.org/AboutBuster.zip
Then unzip all files from the zip folder to a folder or your desktop. Start it by double-clicking on the "aboutbuster.exe" icon and then click on the "Update" button to check for new updates. If any updates exist, please install them.
Exit AboutBuster and reboot into safe mode.
Once in safe mode double-click on the "aboutbuster.exe" icon again and click on the "Begin Removal" button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved.
2. CWSShredder.
http://www.majorgeeks.com/download4086.html
ASKER
users32.exe and all the other files I have mentioned are in windows\system32.
At this moment in time I'm not having any symptoms: a.exe, runsrv32.exe, runsrv32.dll and qirkvy.exe (the popup spawned by users32.exe) have gone, thanks to SmitFraudFix, although users32.exe is still present, and because users32.exe still exists (I have already got to this stage before and deleted users32.exe, but it returned with the other files until I used SmitFraudFix again) I'm not sure if it will last. At the moment the IE browser is not hijacked when I open a new instance.
I am quite worried about the removed .dll files that happened with jv16 PowerTools. Is this going to cause major problems?
It's hard to say for certain about the DLL files because we don't know which ones got deleted. Does jv16 have a recovery option?
If you think you may have deleted important system files then do the following:
> sfc /scannow
from a command prompt.
This will restore any critical system file, but you may need the XP CD on hand.
Re. user32.exe coming back, try the Autoruns as suggested above, and post the (shortened) log here.
ASKER
Just realised jv16 has a backup option and had all the DLLs there for me to restore. Thanks pyroman1.
Here is the shortened Autoruns log:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ avast! avast! service GUI component c:\program files\alwil software\avast4\ashdisp.exe
+ CloneDVDElbyDelay ElbyCheck Elaborate Bytes AG c:\program files\elaborate bytes\clonedvd\elbycheck.exe
+ Cmaudio CmiCnfg DLL C-Media Corporation c:\windows\system\cmicnfg.cpl
+ ISUSPM Startup InstallShield Update Service Update Manager InstallShield Software Corporation c:\program files\common files\installshield\updateservice\isuspm.exe
+ ISUSScheduler InstallShield Update Service Scheduler InstallShield Software Corporation c:\program files\common files\installshield\updateservice\issch.exe
+ Logitech Utility Logitech Launcher Application Logitech Inc. c:\windows\logi_mwx.exe
+ LogitechVideoRepair Logitech QuickCam Startup Application Logitech Inc. c:\program files\logitech\video\isstart.exe
+ LogitechVideoTray ImageStudio Tray Application Logitech Inc. c:\program files\logitech\video\logitray.exe
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ nwiz File not found: nwiz.exe
+ PCDRealtime Dell c:\windows\realtime.exe
+ PCTVOICE pctvoice MFC Application c:\windows\system32\pctspk.exe
+ PinnacleDriverCheck c:\windows\system32\psdrvcheck.exe
+ QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe
+ SSOTRAY SSO Plus System Tray App PassGo Technologies c:\program files\passgo technologies\sso plus\ssotray.exe
+ SunJavaUpdateSched Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_06\bin\jusched.exe
+ TkBellExe RealNetworks Scheduler RealNetworks, Inc. c:\program files\common files\real\update_ob\realsched.exe
C:\WINDOWS\system32\MsSvc32
+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
+ Adobe Reader Speed Launch.lnk Adobe Acrobat SpeedLauncher Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
+ Logitech Desktop Messenger.lnk LDM Configuration Application Logitech c:\program files\logitech\desktop messenger\8876480\program\ldmconf.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
+ ewido shell guard c:\program files\ewido anti-malware\shellhook.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ avast avast! Shell Extension ALWIL Software c:\program files\alwil software\avast4\ashshell.dll
+ dBpowerAMP Music Converter dMCShell Module c:\program files\illustrate\dbpoweramp\dmcshell.dll
+ dBpowerAMP Music Converter 1 dBShell Module c:\program files\illustrate\dbpoweramp\dbshell.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ Haali Column Provider c:\program files\avi2dvd\programs\filters\haali media splitter\mmfinfo.dll
+ HyperTerminal Icon Ext HyperTerminal Applet Library Hilgraeve, Inc. c:\windows\system32\hticons.dll
+ My Logitech Pictures Logitech Namespace2 Logitech Inc. c:\program files\logitech\video\namespc2.dll
+ Shell Extensions for RealOne Player RealPlayer Shell Extensions RealNetworks, Inc. c:\program files\real\realplayer\rpshell.dll
+ SmartFTP Shell Extension DLL SmartFTP Shell Extension SmartFTP c:\program files\smartftp\smarthook.dll
+ UnlockerShellExtension c:\program files\unlocker\unlockercom.dll
+ WinRAR shell extension c:\program files\winrar\rarext.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
+ WinZip WinZip Shell Extension DLL WinZip Computing, Inc. c:\program files\winzip\wzshlstb.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ StuffIt Archive Menu StuffIt Archive Shell Extension Allume Systems, Inc. c:\program files\allume systems\stuffit\archivemenu.dll
+ StuffIt Compress Menu StuffIt Compress Shell Extension Allume Systems, Inc. c:\program files\allume systems\stuffit\compressmenu.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ dBpShell Class dBShell Module c:\program files\illustrate\dbpoweramp\dbshell.dll
+ Haali Column Provider c:\program files\avi2dvd\programs\filters\haali media splitter\mmfinfo.dll
+ PDF Shell Extension PDF Shell Extension Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ Adobe PDF Reader Link Helper Adobe Acrobat IE Helper Version 7.0 for ActiveX Adobe Systems Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ adobepnl.ADOBE_PANEL Laguna Media c:\windows\system32\adobepnl.dll
+ Google Toolbar Helper Google IE Client Toolbar Google Inc. c:\program files\google\googletoolbar1.dll
+ Kwyshell MidpX Kwyshell J2ME Midp Emulator IE Toolbar Kwyshell G.Corp c:\program files\kwyshell\midpx\jadinvoker\midpinvoker.dll
+ PCTools Browser Monitor iesdpb.dll PC Tools c:\program files\spyware doctor\tools\iesdpb.dll
+ PCTools Site Guard Site Guard PC Tools c:\program files\spyware doctor\tools\iesdsg.dll
+ ReadPage Class SSO Plus Password Management for Internet Explorer PassGo Technologies c:\program files\passgo technologies\sso plus\pgiexpl.dll
+ SSVHelper Class Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc. c:\program files\java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ googletoolbar1.dll Google IE Client Toolbar Google Inc. c:\program files\google\googletoolbar1.dll
+ Kwyshell MidpX Kwyshell J2ME Midp Emulator IE Toolbar Kwyshell G.Corp c:\program files\kwyshell\midpx\jadinvoker\midpinvoker.dll
+ yt.dll Yahoo! Toolbar Yahoo! Inc. c:\program files\yahoo!\companion\installs\cpn0\yt.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ AIM AOL Instant Messenger America Online, Inc. c:\program files\aim95\aim.exe
Task Scheduler
+ RegCure.job RegCure Application c:\program files\regcure\regcure.exe
HKLM\System\CurrentControlSet\Services
+ aswUpdSv Provides automatic updating for the avast! antivirus. c:\program files\alwil software\avast4\aswupdsv.exe
+ avast! Antivirus Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler. c:\program files\alwil software\avast4\ashserv.exe
+ ewido security suite control ewido control ewido networks c:\program files\ewido anti-malware\ewidoctrl.exe
+ NVSvc Provides system and desktop level support to the NVIDIA display driver NVIDIA Corporation c:\windows\system32\nvsvc32.exe
+ pgpwdmon Captures, stores and plays back passwords to provide automated logon PassGo Technologies c:\program files\passgo technologies\sso plus\pgpwdmon.exe
+ SDhelper PC Tools Research Pty Ltd c:\program files\spyware doctor\sdhelp.exe
HKLM\System\CurrentControlSet\Services
+ alcan5wn WAN Driver THOMSON multimedia c:\windows\system32\drivers\alcan5wn.sys
+ alcaudsl WDM Driver THOMSON multimedia c:\windows\system32\drivers\alcaudsl.sys
+ ASPI32 ASPI for WIN32 Kernel Driver Adaptec c:\windows\system32\drivers\aspi32.sys
+ aswRdr avast! TDI RDR Driver ALWIL Software c:\windows\system32\drivers\aswrdr.sys
+ BtAudio File not found: System32\DRIVERS\btaudio.sys
+ BTDriver File not found: System32\DRIVERS\btport.sys
+ BTWDNDIS File not found: System32\DRIVERS\btwdndis.sys
+ BTWUSB File not found: System32\Drivers\btwusb.sys
+ cmuda C-Media Audio WDM Driver C-Media Inc c:\windows\system32\drivers\cmuda.sys
+ DFUBTUSB File not found: System32\Drivers\frmupgr.sys
+ ElbyCDIO ElbyCD Windows NT/2000/XP I/O driver Elaborate Bytes AG c:\windows\system32\drivers\elbycdio.sys
+ ElbyDelay Elby Delay Lower Filter Driver Elaborate Bytes c:\windows\system32\drivers\elbydelay.sys
+ fasttx2k Promise Driver for Windows XP Promise Technology, Inc. c:\windows\system32\drivers\fasttx2k.sys
+ ikhlayer PCTools Research Pty Ltd. c:\windows\system32\drivers\ikhlayer.sys
+ k750bus Sony Ericsson 750 Driver MCCI c:\windows\system32\drivers\k750bus.sys
+ k750mdfl Sony Ericsson 750 USB WMC Modem Filter MCCI c:\windows\system32\drivers\k750mdfl.sys
+ k750mdm Sony Ericsson 750 USB WMC Modem Drivers MCCI c:\windows\system32\drivers\k750mdm.sys
+ k750mgmt Sony Ericsson 750 USB WMC Device Management Drivers MCCI c:\windows\system32\drivers\k750mgmt.sys
+ k750obex Sony Ericsson 750 USB WMC OBEX Interface Drivers MCCI c:\windows\system32\drivers\k750obex.sys
+ L8042pr2 Logitech PS/2 Mouse Filter Driver. Logitech, Inc. c:\windows\system32\drivers\l8042pr2.sys
+ LMouFlt2 Logitech Filter Driver for Mouse Class. Logitech, Inc. c:\windows\system32\drivers\lmouflt2.sys
+ MMRTKRNL MMRTKRNL.SYS ALCATech GmbH c:\windows\system32\drivers\mmrtkrnl.sys
+ nv NVIDIA Compatible Windows 2000 Miniport Driver, Version 53.03 NVIDIA Corporation c:\windows\system32\drivers\nv4_mini.sys
+ Pcouffin Patin-Couffin low level access layer for CD devices VSO Software c:\windows\system32\drivers\pcouffin.sys
+ pfc Padus(R) ASPI Shell Padus, Inc. c:\windows\system32\drivers\pfc.sys
+ PhilCam8116 Universal Serial Bus Camera Driver Logitech Inc. c:\windows\system32\drivers\camdrl21.sys
+ prodrv06 StarForce Protection Environment Driver Protection Technology c:\windows\system32\drivers\prodrv06.sys
+ prohlp02 StarForce Protection Helper Driver Protection Technology c:\windows\system32\drivers\prohlp02.sys
+ prosync1 StarForce Protection Synchronization Driver Protection Technology c:\windows\system32\drivers\prosync1.sys
+ Ptilink Direct Parallel Link Driver Parallel Technologies, Inc. c:\windows\system32\drivers\ptilink.sys
+ Ptserial HSP Modem Serial Device Driver for NT 5.0 PCTEL, INC. c:\windows\system32\drivers\ptserial.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ Secdrv SafeDisc driver Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. c:\windows\system32\drivers\secdrv.sys
+ sfdrv01 StarForce Protection Environment Driver Protection Technology c:\windows\system32\drivers\sfdrv01.sys
+ sfhlp01 StarForce Protection Helper Driver Protection Technology c:\windows\system32\drivers\sfhlp01.sys
+ sfhlp02 StarForce Protection Helper Driver Protection Technology c:\windows\system32\drivers\sfhlp02.sys
+ sfsync02 StarForce Protection Synchronization Driver Protection Technology c:\windows\system32\drivers\sfsync02.sys
+ SISAGP SiS AGPv3.5 Filter Silicon Integrated Systems Corporation c:\windows\system32\drivers\sisagpx.sys
+ SiSide SiS PCI Mini IDE Driver Silicon Integrated Systems Corp. c:\windows\system32\drivers\siside.sys
+ SISNIC SiS PCI Fast Ethernet Adapter Driver SiS Corporation c:\windows\system32\drivers\sisnic.sys
+ snapman Acronis Snapshot API Acronis c:\windows\system32\drivers\snapman.sys
+ SONYPVU1 Sony USB Lower Filter driver Sony Corporation c:\windows\system32\drivers\sonypvu1.sys
+ sptd c:\windows\system32\drivers\sptd.sys
+ timounter TrueImage Backup Archive Explorer Acronis c:\windows\system32\drivers\timntr.sys
+ Vmodem HSP Modem Modem Device Driver PCTEL, INC. c:\windows\system32\drivers\vmodem.sys
+ Vpctcom HSP Modem Virtual Control Device PCtel, Inc. c:\windows\system32\drivers\vpctcom.sys
+ Vvoice HSP Modem device driver PCtel, Inc. c:\windows\system32\drivers\vvoice.sys
+ WinDriver File not found: System32\Drivers\windrvr.sys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
+ ssohook SSO Plus System Hook DLL PassGo Technologies c:\windows\system32\ssohook.dll
------------------------------
After another reboot the symptoms have not returned, so far so good.
Can you take a closer look at the following entries from the Autoruns log:
C:\WINDOWS\system32\MsSvc32 (is this perhaps truncated from MsSvc32.exe, a known virus?)
+ adobepnl.ADOBE_PANEL Laguna Media c:\windows\system32\adobepnl.dll (very suspicious)
+ RegCure.job RegCure Application c:\program files\regcure\regcure.exe (very suspicious)
Try to locate these files, right-click -> Properties -> Version and see who created them.
I would also try disabling them in Autoruns, reboot and see if they're still disabled.
The Scheduled Task (regcure) can probably be disabled in the Task Scheduler (unless you scheduled it yourself).
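One way to automate the kind of Autoruns review suggested above (entries whose image is missing, unknown publishers loading from %windir%, and a startup-folder location sitting under system32), as an added Python example that is not code from this thread or from Sysinternals. The flattened "+ Name Description Publisher path" line shape, the sample lines and the publisher allowlist are assumptions; a hit means "check the file's Properties -> Version", not "malicious".

```python
"""Triage a flattened Autoruns text export for entries that deserve a closer look.

Added example, not code from the thread or from Sysinternals. The line shape
("+ Name Description Publisher path"), the sample log and the vendor allowlist
are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the thread's log (not a real export).
SAMPLE_LOG = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ NvCplDaemon NVIDIA Display Properties Extension NVIDIA Corporation c:\windows\system32\nvcpl.dll
+ nwiz File not found: nwiz.exe
+ PCTVOICE pctvoice MFC Application c:\windows\system32\pctspk.exe
+ QuickTime Task Apple Computer, Inc. c:\program files\quicktime\qttask.exe
C:\WINDOWS\system32\MsSvc32
+ Adobe Gamma Loader.lnk Adobe Gamma Loader Adobe Systems, Inc. c:\program files\common files\adobe\calibration\adobe gamma loader.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ adobepnl.ADOBE_PANEL Laguna Media c:\windows\system32\adobepnl.dll
"""

# Publisher strings accepted without further checks (constructed allowlist).
# Match whole publisher names, not product words: "adobepnl ... Laguna Media"
# contains "adobe" but is not "Adobe Systems".
KNOWN_PUBLISHERS = (
    "microsoft", "nvidia corporation", "apple computer", "adobe systems",
    "alwil software", "logitech", "dell", "c-media", "realnetworks",
)

# Images directly under %windir% or system32 (not drivers\, not Program Files):
# an unknown publisher there is a stronger signal than elsewhere.
WINDIR_PATTERN = re.compile(r"^[a-z]:\\windows(\\system32)?\\[^\\]+$", re.IGNORECASE)
PATH_PATTERN = re.compile(r"\b([a-z]:\\.+)$", re.IGNORECASE)
MISSING_PREFIX = "file not found:"


@dataclass(frozen=True)
class Finding:
    location: str   # registry key or folder the entry was listed under
    entry: str      # the line text before the image path
    reason: str


def split_entry(line: str):
    """Return (descriptive text, image path or None, missing?) for a '+ ' line."""
    body = line[2:].strip()
    lower = body.lower()
    if MISSING_PREFIX in lower:
        idx = lower.index(MISSING_PREFIX)
        return body[:idx].strip(), body[idx + len(MISSING_PREFIX):].strip(), True
    m = PATH_PATTERN.search(body)
    if not m:
        return body, None, False
    return body[:m.start()].strip(), m.group(1), False


def triage(log_text: str) -> list:
    """Walk the export top to bottom, remembering the current location header."""
    findings = []
    location = "?"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("+ "):
            location = line
            # Startup-folder locations are drive paths; one under system32 is unusual.
            if re.match(r"^[a-z]:\\", line, re.IGNORECASE) and "\\system32" in line.lower():
                findings.append(Finding(location, line, "startup location under system32"))
            continue
        text, path, missing = split_entry(line)
        if missing:
            findings.append(Finding(location, text, f"image missing: {path}"))
            continue
        if path and WINDIR_PATTERN.match(path):
            if not any(pub in text.lower() for pub in KNOWN_PUBLISHERS):
                findings.append(Finding(location, text, f"unknown publisher in %windir%: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.entry}  (under {f.location})")
```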
try this tool, http://www.whowait.com/index0.htm
ASKER
Although users32.exe is still present I'm closing this down (the thread's getting a bit long), but I'm not having any more symptoms so that's ok with me.
I think smitfraudfix has removed the parent which would load users32.exe.
Thanks Rpggamergirl
Yeah, "adobepnl.dll" also can go.
Now that smitfraud is gone, did you try deleting the users32.exe and see if it goes?
Or Killbox?
Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
c:\windows\system32\users32.exe
c:\windows\system32\adobepnl.dll
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If the computer doesn't restart, just restart manually.
If Killbox won't delete it, I'm sure Avenger would.
You might also need to delete this registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E8FA924-DEF0-4E71-8A82-A11CA0C1413B}]
ASKER
I found this page that really solved the problem for me:
http://www.lavasoftsupport.com/index.php?showtopic=878&st=20
This was the result of my log file analysis which I have pasted from this link: http://www.hijackthis.de/logfiles/97da6547b5953a4407d86f644583c056.html
I would be very grateful if you could help me eliminate these ** unpleasant adware/malware scripts from my XP
rex browne
Entry | Kind (Safe, Nasty, Unknown) | Description | Tip
Logfile of HijackThis v1.99.1
Safe. Shows the version of HijackThis. The newest version is: v1.99.1!
This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Safe. Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180!
This should be the newest version. (6.00.2900.2180)
C:\WINDOWS\System32\smss.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\winlogon.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\services.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\lsass.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\Ati2evxx.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\svchost.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\System32\svchost.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\spoolsv.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Bluetooth Software\bin\btwdins.exe
Safe. running process. (btwdins.exe)
Component of DLink Bluetooth Software
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
Safe. running process. (PcCtlCom.exe)
Trend Micro PC-cillin Internet Security
C:\WINDOWS\system32\slserv.exe
Safe. running process. (slserv.exe)
User-Level Modem Service
C:\WINDOWS\system32\svchost.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
Safe. running process. (Tmntsrv.exe)
Trend Micro Internet Security
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Safe. running process. (tmproxy.exe)
Trend Micro Internet Security
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Safe. running process. (ULCDRSvr.exe)
Ulead VideoStudio 8
Possibly nasty! According to our database this process runs normally in c:\programme\common files\ulead systems\dvd\! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
Safe. running process. (TmPfw.exe)
Trend Micro Personal Firewall
C:\WINDOWS\system32\Ati2evxx.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\Explorer.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Safe. running process. (atiptaxx.exe)
ATI Desktop Control Panel from ATI Technologies
C:\WINDOWS\SOUNDMAN.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
Safe. running process. (pccguide.exe)
C:\WINDOWS\system32\rundll32.exe
Safe. running process. (rundll32.exe)
RUNDLL32 is the Microsoft Windows program that loads DLLs into memory so that they can be used by specific programs or by Windows.
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Safe. running process. (jusched.exe)
Java Runtime
C:\Program Files\iTunes\iTunesHelper.exe
Safe. running process. (iTunesHelper.exe)
Apple iTunes
Not dangerous, but unnecessary.
C:\WINDOWS\system32\ctfmon.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
Safe. running process. (wcescomm.exe)
C:\Program Files\Novosoft\Handy Backup\hbagent.exe
Unknown running process. (hbagent.exe)
Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
This is an unknown process.
C:\Program Files\Bluetooth Software\BTTray.exe
Safe. running process. (BTTray.exe)
Possibly nasty! According to our database this process runs normally in c:\programme\belkin\bluetooth software\! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\MICROS~3\rapimgr.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\iPod\bin\iPodService.exe
Safe. running process. (iPodService.exe)
C:\WINDOWS\System32\svchost.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
Safe. running process. (BTSTAC~1.EXE)
Possibly nasty! According to our database this process runs normally in c:\programme\widcomm\blueto~1\! Check if you know this process and arrange a viruscheck where required.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Safe. running process. (IEXPLORE.EXE)
Internet Explorer - We recommend using a more secure alternative browser (e.g. Firefox).
C:\WINDOWS\system32\users32.exe
Unknown running process. (users32.exe)
This is an unknown process.
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe
Safe. running process. (HijackThis.exe)
The tool you generated this log file with. The program should be set up like this: C:\Programme\HijackThis\HijackThis.exe
Remember that HijackThis must be run from its own folder. Only if HijackThis runs in its own folder will it create backups!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcD6jnrmkc3gR1l2Nm5fznNfQAEFtUigG26BIPt+u2+IOszlsWgZPRhJcxRjpXqSmjYaxbcN4EXI34oLd6xxy0g+tjRRkyhFcO96cgBARN5+WIcnpN6Ia7Br2DTp1I2OX/UOHYwWsIjrNUut/V8hbK9yKNiSJuE6MDfWDLG/XFQExg=
Nasty This entry should be fixed by HijackThis!
This entry should be fixed by HijackThis!
R3 - Default URLSearchHook is missing
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([00000000-59D4-4008-9058-080011001200] - Result: 00000000-59D4-4008-9058-080011001200) has been checked. Hit rate: 100,00%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([00000000-C1EC-0345-6EC2-4D0300000000] - Result: 00000000-C1EC-0345-6EC2-4D0300000000) has been checked. Hit rate: 100,00%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([00000000-F09C-02B4-6EC2-AD0300000000] - Result: 00000000-F09C-02B4-6EC2-AD0300000000) has been checked. Hit rate: 100,00%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00%
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
Unknown Entries found in this registry zone are potentially nasty. This application ([2513A321-CB50-4C5F-91C5-80342AFACFB1] - Result: ) has been checked. Hit rate: 0,00%
Unknown application.
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([3ceff6cd-6f08-4e4d-bccd-ff7415288c3b] - Result: 3CEFF6CD-6F08-4E4D-BCCD-FF7415288C3B) has been checked. Hit rate: 52,78%
Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([77701e16-9bfe-4b63-a5b4-7bd156758a37] - Result: 77701e16-9bfe-4b63-a5b4-7bd156758a37) has been checked. Hit rate: 100,00%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([7b55bb05-0b4d-44fd-81a6-b136188f5deb] - Result: 7B55BB05-0B4D-44fd-81A6-B136188F5DEB) has been checked. Hit rate: 69,44%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([8333c319-0669-4893-a418-f56d9249fca6] - Result: 8333C319-0669-4893-A418-F56D9249FCA6) has been checked. Hit rate: 80,56%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([9c691a33-7dda-4c2f-be4c-c176083f35cf] - Result: 9C691A33-7DDA-4C2F-BE4C-C176083F35CF) has been checked. Hit rate: 61,11%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([e52dedbb-d168-4bdb-b229-c48160800e81] - Result: E52DEDBB-D168-4BDB-B229-C48160800E81) has been checked. Hit rate: 63,89%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
Unnecessarily Entries found in this registry zone are potentially nasty. This application ([ffd2825e-0785-40c5-9a41-518f53a8261f] - Result: FFD2825E-0785-40C5-9A41-518F53A8261F) has been checked. Hit rate: 75,00%
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Safe. Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimised their settings
Hit rate: 79,17 % (result)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
Safe. PC-Cillin 2002 antivirus software
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Safe. Java from Sun
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
Safe. OmniPage SE2
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Safe. QuickTime
Hit rate: 100,00 % (result)
Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Safe.
Hit rate: 100,00 % (result)
Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
Unknown
Hit rate: 0,00 % (result)
Unknown application.
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
Safe. CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services
Hit rate: 55,00 % (result)
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
Safe. Active sync for use with Windows CE based palm PC
Hit rate: 54,17 % (result)
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
Safe. Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
Hit rate: 93,75 % (result)
O4 - Global Startup: BTTray.lnk = ?
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Safe.
Hit rate: 68,75 % (result)
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
Safe. The entry Send To &Bluetooth has been identified as safe.
If the entry 'Send To &Bluetooth ' is not needed anymore, it should be fixed.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
Safe. The entry has been identified as safe.
If the entry '' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
Safe. The entry Sun Java Console has been identified as safe.
If the entry 'Sun Java Console ' is not needed anymore, it should be fixed.
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
Safe. The entry Create Mobile Favorite has been identified as safe.
If the entry 'Create Mobile Favorite ' is not needed anymore, it should be fixed.
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
Safe. The entry has been identified as safe.
If the entry '' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
Safe. The entry Create Mobile Favorite... has been identified as safe.
If the entry 'Create Mobile Favorite... ' is not needed anymore, it should be fixed.
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
Safe. The entry @btrez.dll, has been identified as safe.
If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
Safe. The entry @btrez.dll, has been identified as safe.
If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Safe. The entry Messenger has been identified as safe.
If the entry 'Messenger ' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Safe. The entry Windows Messenger has been identified as safe.
If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
Safe. This entry has been identified as safe.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
Safe. This entry has been identified as safe.
O17 - HKLM\System\CCS\Services\Tcpip\..\{42246CE4-06C7-4492-8335-617B3AF63396}: NameServer = 192.168.1.1
Safe. If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.
The entered IP or Domain '192.168.1.1' has been identified as safe.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
Safe. Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.
This entry has been identified as safe.
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (Ati2evxx.exe) was identified as a good one.
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (btwdins.exe) was identified as a good one.
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (PcCtlCom.exe) was identified as a good one.
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (slserv.exe) was identified as a good one.
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (Tmntsrv.exe) was identified as a good one.
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (TmPfw.exe) was identified as a good one.
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (tmproxy.exe) was identified as a good one.
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Safe. These entries shows all services which are not from Microsoft. Often malware is starting as a systemservice and it's not easy to detect it.
This service (ULCDRSvr.exe) was identified as a good one.
This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
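The log above was triaged by hand the same way the Killbox/registry-key reply earlier in the thread does it: orphaned BHO CLSIDs with "(no file)" are safe to remove, an unfamiliar executable launched from system32 by a Run key (runsrv32.exe, susp.exe) needs a closer look, and a search page redirected to an advertising host is a hijack. The Python script below is an added example, not part of this thread and not code from HijackThis or hijackthis.de; it applies those three rules to HijackThis-style log lines. The known-good name list, the trusted-host list and the sample log are constructed for the example (several sample lines are copied from the log above, and the starware search parameter is replaced by a placeholder); its verdicts are a starting point for investigation, not a signature database.

```python
"""Rule-based triage of HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed allow-list: Windows XP components that legitimately start
# from system32 via a Run key. Extend it from a known-clean baseline.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "nerocheck.exe"}

# Constructed list of hosts that are normal IE defaults for a search/start page.
TRUSTED_HOSTS = {"www.microsoft.com", "go.microsoft.com", "search.msn.com", "www.msn.com"}

SYSTEM32_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - .*?= (?P<url>\S+)")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # "R0", "O2", "O4"
    verdict: str   # "remove", "investigate" or "ok"
    reason: str
    raw: str


def _split_path(p: str):
    """Return (directory, basename), lower-cased, for a Windows path string."""
    p = p.strip().strip('"')
    directory, _, base = p.rpartition("\\")
    return directory.lower(), base.lower()


def _exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.strip().split(" ")[0]


def classify(line: str) -> Optional[Finding]:
    """Classify one log line; returns None for sections this example ignores."""
    line = line.rstrip()
    if (m := O2_RE.match(line)):
        if m["path"].strip() == "(no file)":
            return Finding("O2", "remove", f"BHO {m['clsid']} has no backing DLL (orphaned CLSID)", line)
        directory, base = _split_path(m["path"])
        if directory in SYSTEM32_DIRS:
            return Finding("O2", "investigate", f"third-party BHO {base} installed directly into system32", line)
        return Finding("O2", "ok", f"BHO {base} lives in a vendor directory", line)
    if (m := O4_RE.match(line)):
        directory, base = _split_path(_exe_from_command(m["cmd"]))
        if directory in SYSTEM32_DIRS and base not in KNOWN_GOOD_SYSTEM32:
            return Finding("O4", "investigate",
                           f"Run value [{m['value']}] starts {base} from system32 but it is not a known Windows component", line)
        return Finding("O4", "ok", f"Run value [{m['value']}] starts {base}", line)
    if (m := R_RE.match(line)):
        host = (urlparse(m["url"]).hostname or "").lower()
        if m["url"].lower().startswith("http") and host not in TRUSTED_HOSTS:
            return Finding(line[:2], "remove", f"IE search/start page points at {host}", line)
        return Finding(line[:2], "ok", f"IE search/start page is {m['url']}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every recognised line of a log, in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per verdict."""
    counts = {"remove": 0, "investigate": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Constructed sample log: entries copied from the log above, with the
# search-URL parameter replaced by a placeholder.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=PLACEHOLDER
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-80342AFACFB1} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:12} {f.section}  {f.reason}")
    print(summarize(triage(SAMPLE_LOG)))
```

The "investigate" verdict is deliberately not "remove": a Run entry from system32 that is missing from the allow-list may simply be a legitimate component the baseline does not know yet, which is exactly why the reply above suggests checking the file's Properties -> Version tab before deleting anything.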
I would be very grateful if you could help me eliminate these ** unpleasant adware/malware scripts from my XP
rex browne
Entry Kind
(Safe, Nasty, Unknown) Description Tip
Logfile of HijackThis v1.99.1
Safe. Shows the version of HijackThis an. The newest version is: v1.99.1!
This should be the newest version. (v1.99.1)
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Safe. Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180!
This should be the newest version. (6.00.2900.2180)
C:\WINDOWS\System32\smss.e
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\winlog
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\servic
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\lsass.
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\Ati2ev
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\svchos
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\System32\svchos
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\system32\spools
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Bluetooth Software\bin\btwdins.exe
Safe. running process. (btwdins.exe)
Bestandteil von DLink Bluetooth Software
C:\PROGRA~1\TRENDM~1\INTER
Safe. running process. (PcCtlCom.exe)
Trend Micro PC-cillin Internet Security
C:\WINDOWS\system32\slserv
Safe. running process. (slserv.exe)
User-Level Modem Service
C:\WINDOWS\system32\svchos
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\PROGRA~1\TRENDM~1\INTER
Safe. running process. (Tmntsrv.exe)
Trend Micro Internet Security
C:\PROGRA~1\TRENDM~1\INTER
Safe. running process. (tmproxy.exe)
Trend Micro Internet Security
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Safe. running process. (ULCDRSvr.exe)
Ulead VideoStudio 8
Possibly nasty! According to our database this process runs normally in c:\programme\common files\ulead systems\dvd\! Check if you know this process and arrange a viruscheck where required.
C:\PROGRA~1\TRENDM~1\INTER
Safe. running process. (TmPfw.exe)
Trend Micro Personal Firewall
C:\WINDOWS\system32\Ati2ev
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\WINDOWS\Explorer.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Safe. running process. (atiptaxx.exe)
ATI Desktop Control Panel from ATI Technologies
C:\WINDOWS\SOUNDMAN.EXE
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
Safe. running process. (pccguide.exe)
C:\WINDOWS\system32\rundll
Safe. running process. (rundll32.exe)
RUNDLL32 is the Microsoft Windows program that loads DLLs into memory so that they can be used by specific programs or by Windows.
C:\Program Files\Java\jre1.5.0_06\bin
Safe. running process. (jusched.exe)
Java Runtime
C:\Program Files\iTunes\iTunesHelper.
Safe. running process. (iTunesHelper.exe)
Apple iTunes
Not dangerous, but unnecessary.
C:\WINDOWS\system32\ctfmon
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
Safe. running process. (wcescomm.exe)
C:\Program Files\Novosoft\Handy Backup\hbagent.exe
Unknown running process. (hbagent.exe)
Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
This is a unknown process.
C:\Program Files\Bluetooth Software\BTTray.exe
Safe. running process. (BTTray.exe)
Possibly nasty! According to our database this process runs normally in c:\programme\belkin\blueto
C:\PROGRA~1\MICROS~3\rapim
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\Program Files\iPod\bin\iPodService
Safe. running process. (iPodService.exe)
C:\WINDOWS\System32\svchos
Safe. This entry was classified from our visitors as good.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
C:\PROGRA~1\BLUETO~1\BTSTA
Safe. running process. (BTSTAC~1.EXE)
Possibly nasty! According to our database this process runs normally in c:\programme\widcomm\bluet
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Safe. running process. (IEXPLORE.EXE)
Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)
C:\WINDOWS\system32\users3
Unknown running process. (users32.exe)
This is a unknown process.
C:\DOCUME~1\Owner\LOCALS~1
Safe. running process. (HijackThis.exe)
Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\Hi
Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!
R0 - HKLM\Software\Microsoft\In
Nasty This entry should be fixed by HijackThis!
This entry should be fixed by HijackThis!
R3 - Default URLSearchHook is missing
Nasty This entry was classified from our visitors as bad.
Click on the stars and look at the comments from our visitors, to see, why the entry was classified in such a way.
O2 - BHO: (no name) - {00000000-59D4-4008-9058-0
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([00000000-59D4-4008-9058-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([00000000-C1EC-0345-6EC2-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-A
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([00000000-F09C-02B4-6EC2-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-
O2 - BHO: adobepnl.ADOBE_PANEL - {2513A321-CB50-4C5F-91C5-8
Unknown. Entries found in this registry zone are potentially nasty. This application ([2513A321-CB50-4C5F-91C5-
Unknown application.
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-f
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([3ceff6cd-6f08-4e4d-bccd-
Unknown application.
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
Safe. This entry was classified by our visitors as good.
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([77701e16-9bfe-4b63-a5b4-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([7b55bb05-0b4d-44fd-81a6-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([8333c319-0669-4893-a418-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([9c691a33-7dda-4c2f-be4c-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([e52dedbb-d168-4bdb-b229-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-5
Unnecessary. Entries found in this registry zone are potentially nasty. This application ([ffd2825e-0785-40c5-9a41-
Must be fixed!
Unnecessary (deactivated) entry that can be fixed.
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Safe. Control panel for the ATI series of video cards allowing access to such features as display resolution, colour depth, etc. Available via Start -> Settings -> Control Panel -> Display. Some users may need it if they have optimised their settings
Hit rate: 79,17 % (result)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
Safe. This entry was classified by our visitors as good.
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCh
Safe. This entry was classified by our visitors as good.
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
Safe. PC-Cillin 2002 antivirus software
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [BluetoothAuthenticationAg
Safe. This entry was classified by our visitors as good.
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin
Safe. Java from Sun
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2
Safe. OmniPage SE2
Hit rate: 100,00 % (result)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
Safe. QuickTime
Hit rate: 100,00 % (result)
Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
Safe.
Hit rate: 100,00 % (result)
Not dangerous, but unnecessary.
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv
Nasty. This entry was classified by our visitors as bad.
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.e
Unknown
Hit rate: 0,00 % (result)
Unknown application.
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon
Safe. CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services
Hit rate: 55,00 % (result)
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
Safe. Active sync for use with Windows CE based palm PC
Hit rate: 54,17 % (result)
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
Safe. Handy Backup - automatic backup of your critical data to virtually any type of storage media including CD-RW devices and remote FTP servers
Hit rate: 93,75 % (result)
O4 - Global Startup: BTTray.lnk = ?
Safe. This entry was classified by our visitors as good.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Safe.
Hit rate: 68,75 % (result)
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.h
Safe. The entry Send To &Bluetooth has been identified as safe.
If the entry 'Send To &Bluetooth ' is not needed anymore, it should be fixed.
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
Safe. The entry has been identified as safe.
If the entry '' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
Safe. The entry Sun Java Console has been identified as safe.
If the entry 'Sun Java Console ' is not needed anymore, it should be fixed.
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-0
Safe. The entry Create Mobile Favorite has been identified as safe.
If the entry 'Create Mobile Favorite ' is not needed anymore, it should be fixed.
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-0
Safe. The entry has been identified as safe.
If the entry '' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-0
Safe. The entry Create Mobile Favorite... has been identified as safe.
If the entry 'Create Mobile Favorite... ' is not needed anymore, it should be fixed.
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5
Safe. The entry @btrez.dll, has been identified as safe.
If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5
Safe. The entry @btrez.dll, has been identified as safe.
If the entry '@btrez.dll,' is not needed anymore, it should be fixed.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
Safe. The entry Messenger has been identified as safe.
If the entry 'Messenger ' is not needed anymore, it should be fixed.
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
Safe. The entry Windows Messenger has been identified as safe.
If the entry 'Windows Messenger ' is not needed anymore, it should be fixed.
O16 - DPF: {00B71CFB-6864-4346-A978-C
Safe. This entry has been identified as safe.
O16 - DPF: {17492023-C23A-453E-A040-C
Safe. This entry was classified by our visitors as good.
O16 - DPF: {8E0D4DE5-3180-4024-A327-4
Safe. This entry has been identified as safe.
O17 - HKLM\System\CCS\Services\T
Safe. If this domain does not belong to your ISP or your company's network, these entries should be fixed. 'SearchList' entries should be fixed too.
The entered IP or Domain '192.168.1.1' has been identified as safe.
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8
Safe. Only a few hijackers are listed here. The most popular are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar). They should be fixed.
This entry has been identified as safe.
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLog
Safe. This entry was classified by our visitors as good.
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2ev
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (Ati2evxx.exe) was identified as a good one.
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sg
Safe. This entry was classified by our visitors as good.
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Bluetooth Software\bin\btwdins.exe
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (btwdins.exe) was identified as a good one.
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
Safe. This entry was classified by our visitors as good.
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService
Safe. This entry was classified by our visitors as good.
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTER
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (PcCtlCom.exe) was identified as a good one.
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (slserv.exe) was identified as a good one.
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTER
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (Tmntsrv.exe) was identified as a good one.
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (TmPfw.exe) was identified as a good one.
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (tmproxy.exe) was identified as a good one.
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Safe. These entries show all services that are not from Microsoft. Malware often starts as a system service, and it is not easy to detect.
This service (ULCDRSvr.exe) was identified as a good one.
This log has been checked automatically.
Check your log file automatically at www.hijackthis.de.
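As an added example (not from this thread and not part of HijackThis or hijackthis.de), here is a small Python triage script for lines in this log format: it parses O2, O4 and O23 entries and flags what the analysis above flags by hand, unnamed BHOs and autostarts or services launched from the Windows system32 folder that are not on an allowlist. The sample lines, the placeholder CLSIDs and the allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed allowlist of executables expected under system32 on this machine (illustration only).
KNOWN_SYSTEM32 = {"ctfmon.exe", "ati2evxx.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

# Constructed sample log using file names the thread mentions; the CLSIDs are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001}
O2 - BHO: AcroIEHlprObj Class - {00000000-0000-0000-0000-000000000002}
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [users32] "C:\WINDOWS\system32\users32.exe"
O4 - HKCU\..\Run: [Handy Backup 4.0] "C:\Program Files\Novosoft\Handy Backup\hbagent.exe" -logon
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
"""

@dataclass
class Entry:
    kind: str    # HijackThis section: O2, O4 or O23
    label: str   # BHO name, Run value name or service display name
    target: str  # CLSID or executable path
    reason: str  # empty when nothing looked wrong

def _command_path(cmd: str) -> str:
    # Strip surrounding quotes and any trailing arguments from a Run command line.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd

def _check_path(path: str) -> str:
    # Flag executables under system32 that the allowlist does not know about.
    m = SYSTEM32_RE.match(path)
    if m and m.group(1).lower() not in KNOWN_SYSTEM32:
        return "unrecognised executable in system32"
    return ""

def parse_entry(line: str):
    line = line.strip()
    if line.startswith("O2 - BHO: "):
        name, _, clsid = line[len("O2 - BHO: "):].rpartition(" - ")
        return Entry("O2", name, clsid, "BHO with no name" if name == "(no name)" else "")
    m = O4_RE.match(line)
    if m:
        path = _command_path(m.group(2))
        return Entry("O4", m.group(1), path, _check_path(path))
    if line.startswith("O23 - Service: "):
        parts = line[len("O23 - Service: "):].split(" - ")
        return Entry("O23", parts[0], parts[-1], _check_path(parts[-1]))

def triage(log: str):
    # Parse every recognised line and return only the entries that deserve a closer look.
    entries = [e for e in map(parse_entry, log.splitlines()) if e]
    return [e for e in entries if e.reason]
```

Running `triage(SAMPLE_LOG)` returns the unnamed BHO and the two system32 autostarts, while the Acrobat BHO, the backup agent under Program Files and the allowlisted ATI service are passed over.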
Dear Rex,
Could you please start a new question? Buy some points and post a new question, and we will be glad to help all we can. Thanks, D_may
DuarteR,
It's new Smitfraud files, pretty much still there!
Is that the latest HijackThis scan log?
If not, can you give us the latest one and please post it to this link? The site where you posted it is a little confusing for me (since I don't rely on their analysis).
Can you paste it to this link instead?
Paste the HijackThis log to this site --> http://www.rafb.net/paste/
Then at the bottom left corner click "paste".
Copy the address/URL and post it here:
Well, you won't be able to remove this virus with any virus checker unless you boot your computer in Safe Mode.
If you don't, then the registry loads the virus on start-up, so the checker won't delete it as it is in use.
To boot in Safe Mode, restart, then hammer the F8 key.
Choose Safe Mode, then load the virus checker of your choice.
Personally we like
Kaspersky Anti-Virus http://www.kaspersky.com/ $$
Spybot S&D http://www.download.com/3000-2144-10122137.html FREE
Enjoy! Hope this gets rid of your virus.
Michael
http://www.vainternet.co.uk
Thank you muchly for your help. The www.hijackthis.de log paste and analysis, followed by deleting the high-risk .exe files, seems to have fixed it all.
Best wishes
Download and run HijackThis from http://www.hijackthis.de/
Copy and paste the resulting log back to that same web site (not here).
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally, post a link here to the saved analyzed page.
I can suggest a couple of ways to get rid of those hard-to-delete files, but it is better to see the HJT log first to see what files are involved.