possible Project1 infection + Log


Spike_Rocks
03-01-2006, 01:04 AM
I got the Project1 spyware a couple of days ago and I ran a couple of anti-spyware programs and removed some strange .exe files from my C: drive, but I don't know if it's still there. It seems to strangle my internet connection and I don't know if it is my firewall doing this to protect my computer; btw, I use ZoneLabs ZoneAlarm as my firewall.

I appreciate any help I can get. (sorry for my bad spelling)


Logfile of HijackThis v1.99.1
Scan saved at 17:25:31, on 2006-02-28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
e:\Program\Spyware Doctor\sdhelp.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
c:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\WINDOWS\System32\smsvc.exe
E:\Program\D-Tools\daemon.exe
E:\program\quicktime\qttask.exe
E:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program\SpywareGuard\sgmain.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\SpywareGuard\sgbhp.exe
D:\WINDOWS\System32\MsPMSPSv.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.thepiratebay.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.thepiratebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - c:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\Program\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] D:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] e:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\Program\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Electronic Arts Licensing Service - Unknown owner - D:\Program\Delade filer\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - c:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

Spike_Rocks
03-01-2006, 01:05 AM
btw, games that ran perfectly on my PC before don't do that anymore :(

nightowl
03-01-2006, 08:25 AM
Download the stand-alone version of CW Shredder, Spybot, and AdAware (links at the bottom of my message). If you have them already, make sure they are up to date.

You may want to print this out
Unplug the internet from your computer
Reboot To Safe Mode (tap F8 on Startup)

Delete this file

D:\WINDOWS\System32\smsvc.exe (info on this file below)

http://www.symantec.com/avcenter/venc/data/w32.spybot.fcd.html

Still in Safe Mode, open up HijackThis, place a check next to each of these and click Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.thepiratebay.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.thepiratebay.com

O4 - HKLM\..\Run: [Microsoft DLL Verifier] smsvc.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run CW Shredder, AdAware and Spybot, delete what they find, and empty the Recycle Bin.

Plug the internet back in, reboot to normal mode and post a new log..........Jim

Spike_Rocks
03-02-2006, 01:38 AM
Thank you very much, but just to inform you, www.thepiratebay.com is a Swedish BitTorrent site and a safe one. ;)

nightowl
03-02-2006, 11:34 AM
OK, thanks for that info, I've never seen it before. How is it running? Post a new log. Let me see if we got everything.........Jim

Spike_Rocks
03-03-2006, 12:15 AM
Well, the games are running much better now, but I haven't tested the internet yet.

New Log:

Logfile of HijackThis v1.99.1
Scan saved at 07:44:36, on 2006-03-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
e:\Program\Spyware Doctor\sdhelp.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
c:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
D:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\System32\CTHELPER.EXE
E:\Program\D-Tools\daemon.exe
E:\program\quicktime\qttask.exe
E:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.se
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thepiratebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.se
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.thepiratebay.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - c:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\Program\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] D:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "E:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\program\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] e:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\Program\SPYWAR~1\tools\iesdpb.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Electronic Arts Licensing Service - Unknown owner - D:\Program\Delade filer\Electronic Arts Shared\Service\EA Licensing Service.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - c:\Program\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

nightowl
03-03-2006, 09:32 AM
Your log looks good. How is everything running?........Jim

Spike_Rocks
03-16-2006, 10:29 AM
Sorry for not replying until now, I have been busy.

The computer ran great until I got some other crappy spyware; this one tries to fool me into downloading a "free" anti-spyware program, but I am not that easily fooled :P

It calls itself AdService.

Logfile of HijackThis v1.99.1
Scan saved at 19:22:11, on 2006-03-16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\rwnt.exe
D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\System32\svchelper.exe
D:\Program\D-Tools\daemon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\WINDOWS\atigraphics.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program\Azureus\Azureus.exe
E:\Program\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
E:\Program\Spybot - Search & Destroy\SpybotSD.exe
D:\Program\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telia.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windowsz] rwnt.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] D:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATICCC] "D:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Helper] D:\WINDOWS\System32\svchelper.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\RunServices: [Windowsz] rwnt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - D:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATIintergrated - Unknown owner - D:\WINDOWS\atigraphics.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks

mczplwp
03-16-2006, 08:15 PM
I understand some people have a mistrust of Uncle Bill. I always update my spyware/virus-infected clients to the latest Service Packs. I see you are on SP1. Unless you're using in-house created software, the average Joe doesn't have a problem with updates. They can protect you from attack. I was using the MS Anti-Spyware removal tool for a while, but I don't like installing programs on client boxes and it won't allow me to install on my external tool drive. It is good and can prevent unauthorized IE changes.
nightowl turned me on to ewido. COOL program.
GoodNightNow,
mczplwp

nightowl
03-17-2006, 12:18 PM
Yeah, it looks like you picked up a few things here.

Unplug the internet from your computer
Reboot To Safe Mode (tap F8 on Startup)

Delete these files and/or folders

D:\WINDOWS\System32\rwnt.exe
D:\WINDOWS\System32\svchelper.exe
D:\WINDOWS\SYSTEM32\winrzf32.dll


http://castlecops.com/s10258-svchelper_exe.html

Still in Safe Mode, open up HijackThis, place a check next to each of these and click Fix Checked.

O4 - HKLM\..\Run: [Windowsz] rwnt.exe
O4 - HKLM\..\Run: [Windows Helper] D:\WINDOWS\System32\svchelper.exe
O4 - HKLM\..\RunServices: [Windowsz] rwnt.exe
O20 - Winlogon Notify: winrzf32 - D:\WINDOWS\SYSTEM32\winrzf32.dll

Still in Safe Mode, delete all Temporary Internet Files and Cookies, run CW Shredder, AdAware and Spybot, delete what they find, and empty the Recycle Bin.

Plug the internet back in, reboot to normal mode and post a new log..........Jim
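The entries nightowl singles out in the two removal posts above follow a handful of mechanical patterns: a bare `smsvc.exe` or `rwnt.exe` with no path in a Run value, the Win9x-era RunServices key, a Winlogon Notify DLL nobody recognises, a "Windows"- or "Microsoft"-branded value name, and a service with no publisher sitting directly in D:\WINDOWS. The script below is an added example, not code from the thread or from HijackThis, that parses those line types (plus the running-process list, so an executable started out of a TEMP directory is also caught) and reports each match with a reason. The allowlists, the severities and the branding rule are this example's own assumptions for a 2006 Windows XP machine and need tuning for any other box.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example, not code from the thread or from HijackThis. It mechanises
the checks nightowl made by eye: bare filenames and the RunServices key
under O4, Winlogon Notify DLLs (O20) outside a known set, "Unknown owner"
services dropped straight into %WINDIR% (O23), and processes executing out
of a TEMP directory. All allowlists are assumptions for a 2006 XP box.
"""
import re
from typing import List, Tuple

# Notify packages shipped with XP plus Webroot's WRNotifier from the clean
# logs in the thread; assumption, extend it for the machine being examined.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "sclgntfy",
                "senslogn", "termsrv", "wlballoon", "wgalogon", "wrnotifier"}
# Legitimate O4 values on this box that really are written as bare names.
KNOWN_BARE = {"cthelper.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
PROC_RE = re.compile(r"^[a-z]:\\.*\.exe$", re.IGNORECASE)
BRANDED_RE = re.compile(r"microsoft|windows", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, log line, reason)


def _exe_of(cmd: str) -> str:
    """First token of a Run command: the quoted path, or up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> List[Finding]:
    """Findings for one log line; an empty list means nothing to report."""
    line = line.strip()
    out: List[Finding] = []

    m = O4_RE.match(line)
    if m:
        if m.group("key") == "RunServices":
            out.append(("high", line, "RunServices is a Win9x key that XP does not "
                        "process; legitimate XP software has no reason to write it"))
        exe = _exe_of(m.group("cmd"))
        if "\\" not in exe and exe.lower() not in KNOWN_BARE:
            out.append(("medium", line, "bare filename resolved via the search "
                        "path; find the file (usually System32) and check it"))
        if BRANDED_RE.search(m.group("name")):
            out.append(("medium", line, "Microsoft/Windows-branded value name; "
                        "the OS's own XP autostarts are not labelled this way"))
        return out

    m = O20_RE.match(line)
    if m:
        if m.group("name").lower() not in KNOWN_NOTIFY:
            out.append(("high", line, "Winlogon Notify DLL outside the known set; "
                        "it is mapped into winlogon.exe at every boot, safe mode included"))
        return out

    m = O23_RE.match(line)
    if m:
        path = m.group("path").replace(" (file missing)", "")
        in_windir_root = re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.I)
        if m.group("owner") == "Unknown owner" and (
                in_windir_root or BRANDED_RE.search(m.group("name"))):
            out.append(("high", line, "service with no publisher installed "
                        "directly in %WINDIR% or carrying Microsoft branding"))
        return out

    if PROC_RE.match(line) and "\\temp\\" in line.lower():
        out.append(("high", line, "process running out of a TEMP directory"))
    return out


def triage_log(text: str) -> List[Finding]:
    """Triage every line of a pasted log, in log order."""
    return [f for raw in text.splitlines() for f in triage_line(raw)]


if __name__ == "__main__":
    # Lines excerpted from the logs posted in the thread.
    SAMPLE = r"""
D:\WINDOWS\TEMP\win6CF.tmp.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Windowsz] rwnt.exe
O4 - HKLM\..\RunServices: [Microsoft DLL Verifier] smsvc.exe
O20 - Winlogon Notify: winrzf32 - D:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe
"""
    for sev, entry, why in triage_log(SAMPLE):
        print(f"[{sev:6}] {entry}\n         {why}")
```

The "Unknown owner" test alone would flag ATI Smart and the Adobe and EA licensing services, which are genuine, so the O23 rule only fires when the binary sits directly in the Windows root or the name borrows Microsoft's branding; MSmedia.exe and atigraphics.exe trip it, ati2sgag.exe in System32 does not. Paste a whole log into `triage_log` and review the high findings first.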

Spike_Rocks
03-21-2006, 12:46 PM
Hmm, I can't delete winrzf32.dll, not even in unsafe mode. And I think I got some more spyware (don't ask me where I get them, I don't even know)

Logfile of HijackThis v1.99.1
Scan saved at 21:43:38, on 2006-03-21
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\atigraphics.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\WINDOWS\MSmedia.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
D:\Program\iPod\bin\iPodService.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\WINDOWS\TEMP\win6CF.tmp.exe
D:\Program\Azureus\Azureus.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telia.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATICCC] "D:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - D:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: Adobe LM Service - Unknown owner - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATIintergrated - Unknown owner - D:\WINDOWS\atigraphics.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program\iPod\bin\iPodService.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanx

nightowl
03-21-2006, 02:21 PM
Looks like a stubborn file, let's try something else. I found this fix on another site. Let's give it a try. Print this out.

1. Download Ewido Security Suite but don't run it yet

http://download.ewido.net/ewido-setup.exe


2. Download ATF Cleaner by Atribune and save it to your Desktop.

http://www.atribune.org/ccount/click.php?id=1

3. Make sure that you can see hidden files

- Click Start
- Open My Computer
- Select the Tools menu and click Folder Options
- Select the View tab
- Under the Hidden files and folders heading select Show hidden files and folders
- Uncheck the Hide protected operating system files (recommended) option
- Click Yes to confirm
- Click OK

4. Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

http://www.computerhope.com/issues/chsafe.htm

5. Scan with HijackThis and put a checkmark against the following:

O20 - Winlogon Notify: winrzf32 - D:\WINDOWS\SYSTEM32\winrzf32.dll

Delete this file

D:\WINDOWS\TEMP\win6CF.tmp.exe

6. Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

7. Run Ewido.

Click on Scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido-Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

8. Run Panda's ActiveScan from here and perform a full system scan.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Scan with HijackThis and save the log. Post back here........Jim
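Why winrzf32.dll would not go away even in safe mode, and one way round it, as an added example that is not part of the thread and not from any tool named in it: a Winlogon Notify DLL is loaded into winlogon.exe as soon as the logon process starts, safe mode included, so the file stays locked for the whole session. Step 5 above removes the O20 registry entry first so that winlogon stops loading it; the script below then queues the file for deletion by the session manager during the next boot, before winlogon runs, using the documented Win32 flag MOVEFILE_DELAY_UNTIL_REBOOT of MoveFileExW. The helper names are this example's own; the registry value layout it builds and parses is the one Windows itself writes for that flag.

```python
r"""Queue a locked file for deletion at the next boot.

Added example, not from the thread or from any tool it names. A Winlogon
Notify DLL such as winrzf32.dll is mapped into winlogon.exe as soon as the
logon process starts, safe mode included, so deleting it from a session
fails with a sharing violation. MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT
records the request in the REG_MULTI_SZ value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and smss.exe carries it out early in the next boot, before winlogon runs.
Remove the O20 entry first (step 5 above) so the DLL is not reloaded.
"""
import sys
from typing import List, Optional

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # winbase.h


def pending_rename_entries(paths: List[str]) -> List[str]:
    r"""Build the PendingFileRenameOperations strings for deleting `paths`.

    The value is a flat list of source/destination pairs. Sources use the
    NT object-manager form (\??\D:\...); an empty destination means delete.
    """
    entries: List[str] = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def pending_deletes(entries: List[str]) -> List[str]:
    r"""Return the Win32 paths queued for deletion in an existing value.

    Use it on the list read back from the registry to confirm what is
    actually scheduled before rebooting; renames (non-empty destination)
    are left out.
    """
    queued: List[str] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "" and src.startswith("\\??\\"):
            queued.append(src[4:])
    return queued


def schedule_delete_on_reboot(path: str) -> Optional[bool]:
    """On Windows, ask the kernel to delete `path` during the next boot.

    Requires administrative rights. Returns True when queued, False when
    the API call failed, and None on platforms where it cannot run.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    fn = ctypes.windll.kernel32.MoveFileExW
    fn.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    fn.restype = wintypes.BOOL
    return bool(fn(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


if __name__ == "__main__":
    target = r"D:\WINDOWS\SYSTEM32\winrzf32.dll"
    print(pending_rename_entries([target]))
    print("queued:", schedule_delete_on_reboot(target))
```

After running it as an administrator, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` should show the `\??\`-prefixed path followed by an empty string; feed that list to `pending_deletes` to double-check before rebooting. The same value is what tools such as the "delete on reboot" option in the cleaners named in this thread write.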

Spike_Rocks
03-25-2006, 10:46 AM
Here is a new exciting HijackThis log. And the spywares won't leave me alone; there is a fake "virus alert!" icon in the bottom right corner beside the clock.

Logfile of HijackThis v1.99.1
Scan saved at 19:42:51, on 2006-03-25
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program\ewido anti-malware\ewidoctrl.exe
D:\Program\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\Program\D-Tools\daemon.exe
C:\Program\iTunes\iTunesHelper.exe
D:\Program\iPod\bin\iPodService.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program\Azureus\Azureus.exe
D:\Program\Mozilla Firefox\firefox.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telia.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ATICCC] "D:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATIintergrated - Unknown owner - D:\WINDOWS\atigraphics.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program\iPod\bin\iPodService.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks :)

Spike_Rocks
03-26-2006, 03:35 AM
And here is the Panda ActiveScan log

Incident Status Location

Spyware:Cookie/WinFixer Not disinfected D:\Documents and Settings\Spike_Rocks\Application Data\Mozilla\Firefox\Profiles\7fcj2lpo.default\cookies.txt[]
Adware:adware/securityerror Not disinfected D:\Documents and Settings\Spike_Rocks\Favoriter\Antivirus Test Online.url
Possible Virus. Not disinfected D:\WINDOWS\system32\1024\ld2929.tmp
Virus:Trj/Zlob.DT Disinfected D:\WINDOWS\system32\dfrgsrv.exe
Adware:adware/spyfalcon Not disinfected D:\WINDOWS\system32\ginuerep.dll
Virus:W32/Sdbot.ftp Disinfected D:\WINDOWS\system32\i
Adware:adware/emediacodec Not disinfected D:\WINDOWS\system32\ld57F3.tmp
Adware:Adware/IST.ISTBar Not disinfected E:\Documents and Settings\Spike_Rocks\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-370d8b9a.zip[InstallerApplet.class]
Spyware:Cookie/Hbmediapro Not disinfected E:\Documents and Settings\Spike_Rocks\Cookies\spike_rocks@adopt.hbmediapro[2].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\Spike_Rocks\Cookies\spike_rocks@ath.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\Spike_Rocks\Cookies\spike_rocks@belnk[2].txt
Spyware:Cookie/Belnk Not disinfected E:\Documents and Settings\Spike_Rocks\Cookies\spike_rocks@dist.belnk[1].txt
Potentially unwanted tool:Application/Processor Not disinfected E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\antispyware\l2mfix.exe[Process.exe]
Adware:Adware/IST.ISTBar Not disinfected E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\SurfOffline_v1.2.10.17_www.crack-locator.com_.zip[ojq.exe]
Adware:Adware/IST.ISTBar Not disinfected E:\Documents and Settings\Spike_Rocks\Skrivbord\Skrivbordskladd\Kladd\Norton_AntiVirus_2003.zip[edw.exe]
Adware:Adware/IST.ISTBar Not disinfected E:\Documents and Settings\Spike_Rocks\Skrivbord\Skrivbordskladd\Kladd\Norton_LiveUpdate.zip[xhj.exe]
Potentially unwanted tool:Application/Processor Not disinfected E:\Program\DVD2SVCD\Tylo\dist\process.exe

thanks

nightowl
03-29-2006, 08:57 AM
Sorry for the late reply, I've been out of town a few days.

I see quite a bit on your Panda log. Do you have an antivirus program on here? If not, try AVG AntiVirus. It's the best free AV program out there. If you want to buy one, get Trend Micro or E-Trust.

For now, here's the link to AVG AntiVirus:

http://forums.designtechnica.com/showthread.php?t=5583

Run it, then post a new Panda and HijackThis log. Hopefully it will clean some of this up. .........Jim

Spike_Rocks
04-10-2006, 09:55 AM
Sorry for not replying for a few days, I've been busy. But I think I got rid of the fake virus alert.

Logfile of HijackThis v1.99.1
Scan saved at 18:51:08, on 2006-04-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
D:\WINDOWS\system32\CTHELPER.EXE
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\D-Tools\daemon.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
D:\Program\Messenger\msmsgs.exe
D:\Program\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\System32\CTsvcCDA.exe
D:\Program\ewido anti-malware\ewidoctrl.exe
D:\Program\ewido anti-malware\ewidoguard.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\Program\Azureus\Clean\Azureus.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\Program\ATI Technologies\ATI.ACE\cli.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\svchost.exe
E:\Documents and Settings\Spike_Rocks\Mina dokument\Program\antivirus\Project1 Killer\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.telia.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] D:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] D:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] D:\Program\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "D:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] D:\Program\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Free Download Manager] c:\Program\Free Download Manager\fdm.exe -autorun
O4 - Startup: Adobe Gamma.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = D:\Program\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Ladda ner allt med Free Download Manager - file://c:\Program\Free Download Manager\dlall.htm
O8 - Extra context menu item: Ladda ner markerat med Free Download Mananger - file://c:\Program\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Ladda ner med Free Download Manager - file://c:\Program\Free Download Manager\dllink.htm
O8 - Extra context menu item: Ladda ner webbplats med Free Download Manager - file://c:\Program\Free Download Manager\dlpage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143805996500
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "D:\Program\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATIintergrated - Unknown owner - D:\WINDOWS\atigraphics.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - D:\Program\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program\iPod\bin\iPodService.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

nightowl
04-10-2006, 09:42 PM
A few here still with missing files. Best to delete them if possible.


Unplug the internet from your computer
Reboot To Safe Mode (tap F8 on Startup)

Open up Hijack This and Place a check next to each of these and click Fix Checked.

O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe (file missing)

Still in Safe Mode, delete all Temporary Internet Files and cookies, run AdAware and Spybot, delete what they find, and empty the Recycle Bin.

Plug the internet back in, reboot to normal mode and post a new log..........Jim
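The two entries nightowl picks out above are both "(file missing)" lines: the loader was already removed by an earlier scan, but the Winlogon Notify hook and the service registration that pointed at it were left behind. As an added example (not code from the thread or from HijackThis), here is a small Python triage script that applies that same reasoning to the O20 and O23 sections of a log: it flags entries whose file is missing, whose service has no vendor information ("Unknown owner"), whose binary sits directly in the Windows directory rather than System32, or whose name claims Microsoft while carrying no vendor info. The sample lines are constructed in the shape of the log posted above, not the full log, and the rules are heuristics to decide what to look at first, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines in the shape of the HijackThis log posted above
# (a subset, not the full log). Raw strings keep the backslashes literal.
SAMPLE_LINES = [
    r"O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe",
    r"O23 - Service: ATIintergrated - Unknown owner - D:\WINDOWS\atigraphics.exe (file missing)",
    r"O23 - Service: MicroSoft Media Tools - Unknown owner - D:\WINDOWS\MSmedia.exe (file missing)",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe",
]

# HijackThis line shapes: "O20 - Winlogon Notify: <name> - <dll>" and
# "O23 - Service: <name> - <owner> - <path>", each optionally suffixed
# with " (file missing)". Non-greedy groups let the name and owner hold
# spaces and parentheses; the optional suffix is kept out of the path.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A binary placed directly in the Windows directory (not under System32).
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str            # "O20" or "O23"
    name: str
    owner: Optional[str]    # None for O20 lines, which carry no owner field
    path: str
    missing: bool
    raw: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one O20/O23 log line; lines from other sections return None."""
    line = line.rstrip()
    m = O20_RE.match(line)
    if m:
        return Entry("O20", m["name"], None, m["path"], bool(m["missing"]), line)
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m["name"], m["owner"], m["path"], bool(m["missing"]), line)
    return None


def assess(entry: Entry) -> Entry:
    """Attach the reasons an entry deserves a look. Heuristics, not verdicts."""
    if entry.missing:
        # Orphaned autostart reference: the loader is gone, the hook is not.
        entry.reasons.append("file missing")
    if entry.owner == "Unknown owner":
        # HijackThis found no company name in the binary's version info.
        entry.reasons.append("Unknown owner")
    if WINROOT_RE.match(entry.path):
        entry.reasons.append("binary directly in Windows root")
    if entry.owner == "Unknown owner" and "microsoft" in entry.name.lower():
        # A Microsoft-branded name with no vendor info behind it.
        entry.reasons.append("Microsoft-branded name with no vendor info")
    return entry


def triage(lines) -> List[Entry]:
    """Return only the O20/O23 entries that have at least one reason."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.section} {e.name!r}: {', '.join(e.reasons)}")
        print(f"    {e.raw}")
```

Run against the sample, it flags the same two lines nightowl listed plus the orphaned "ATIintergrated" service, and leaves the vendor-attributed ATI and Zone Labs services alone. Fixing a "(file missing)" entry in HijackThis only removes the registry reference; it says nothing about whether the dropper that created it is still on disk, which is why the follow-up scans and a fresh log are still needed.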