Strange Activity In System Tray
mechanix21's Avatar
Junior Member with 5 posts.
 
Join Date: Sep 2009
Experience: Intermediate
25-Sep-2009, 09:40 PM #1
Strange Activity In System Tray
I recently noticed that when I try to save a picture on my computer (just when I right-click and open the "Save picture as" dialog box), something appears and disappears within one second in the system tray. I cannot see the icon properly, but the system tray expands and gets back to its normal position very fast. Is it some kind of virus? Should I run HijackThis and paste the log data here?

Thanks in advance.
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 09:49 AM #2
Please click here to download and install the HijackThis installer.

Run it and select Do a system scan and save a logfile.

The log will be saved in Notepad. Copy and paste the log in your next post.

Do not fix anything
mechanix21's Avatar
Junior Member with 5 posts.
 
Join Date: Sep 2009
Experience: Intermediate
26-Sep-2009, 01:35 PM #3
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:02, on 26.09.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Analog Devices\Core\smax4pnp.exe
D:\Program Files\Analog Devices\SoundMAX\Smax4.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Last.fm\LastFM.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O1 - Hosts: 208.117.236.70 youtube.com
O1 - Hosts: 208.117.236.70 www.youtube.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Oturum Açma Yardım Aracı - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - D:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] "HDAShCut.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] "D:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SoundMAX] "D:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XPActivationreset] "D:\WINDOWS\xpcrack.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A67CFA60-7165-4464-A244-A2F50E7EBC32}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
--
End of file - 5570 bytes

Here you go, thanks for your interest in helping : )
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 01:58 PM #4
Did you add entries for Youtube in your HOSTS file because you were having difficulties accessing the website? If you did not, I wonder why some sort of malware would have put Youtube in your HOSTS file with the correct IP address for Youtube, instead of redirecting you elsewhere???

If you haven't touched your HOSTS file, I would still consider it as suspicious. Therefore, you should click on the Report button and kindly ask to be moved to the Malware Removal forum.

If you did edit your HOSTS file, ignore the warning then. Proceed with a Clean Boot to narrow it down to the culprit.
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 02:03 PM #5
Just noticed something TSG's Administrators won't like at all. They might even ignore your request for help in the Malware Removal forum...

O4 - HKLM\..\Run: [XPActivationreset] "D:\WINDOWS\xpcrack.exe"

It might even be the root cause of your problem...

It is considered malware by some.
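A small HijackThis log triage helper, added here as an example and not part of the thread or of HijackThis itself: it picks out the two kinds of entry discussed in the replies above, O1 HOSTS overrides and O4 autostart entries whose executable sits loose in the Windows root, as xpcrack.exe does. The sample lines are copied from the log posted earlier in this thread; the "Windows root" heuristic is an assumption of mine, not a HijackThis rule.

```python
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 208.117.236.70 youtube.com
O1 - Hosts: 208.117.236.70 www.youtube.com
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [XPActivationreset] "D:\WINDOWS\xpcrack.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def exe_path(cmd):
    """Return the program path from a Run value: the quoted part, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def in_windows_root(path):
    """Heuristic (my assumption, not a HijackThis rule): a file directly under
    the Windows directory, rather than in system32 or Program Files, is
    unusual for a legitimate autostart and deserves a closer look."""
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) >= 2 and parts[-2] == "windows"


def triage(log_text):
    """Scan HijackThis O1/O4 lines and return the entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:  # every HOSTS override is reported; the user may have added it on purpose
            findings.append({"code": "O1", "detail": f"{m.group(2)} -> {m.group(1)}", "line": line})
            continue
        m = RUN_RE.match(line)
        if m and in_windows_root(exe_path(m.group("cmd"))):
            findings.append({"code": "O4", "detail": exe_path(m.group("cmd")), "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], f["detail"])
```

Run against the sample, it reports both YouTube HOSTS lines and the xpcrack.exe autostart, while the NVIDIA, ESET and ctfmon entries pass.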
mechanix21's Avatar
Junior Member with 5 posts.
 
Join Date: Sep 2009
Experience: Intermediate
26-Sep-2009, 03:25 PM #6
I personally added these entries for YouTube because my government banned access to YouTube, and I'm against all kinds of censorship. It's the only way to visit YouTube.

Secondly, I don't think that's the source of my problem, because I've only recently noticed this thing. I've been using Windows this way for 2-3 months now, and that activity appeared just recently.

So now, should I perform a Clean Boot and tell you the results?
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 03:32 PM #7
To make sure you understood correctly, I was not talking about the HOSTS file as the root cause. I was referring to:

O4 - HKLM\..\Run: [XPActivationreset] "D:\WINDOWS\xpcrack.exe"
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 03:34 PM #8
Yes, try a Clean Boot. But, you may also have to consider xpcrack.exe might very well be malware...
mechanix21's Avatar
Junior Member with 5 posts.
 
Join Date: Sep 2009
Experience: Intermediate
26-Sep-2009, 03:39 PM #9
What I mean is, the "O4 - HKLM\..\Run: [XPActivationreset] "D:\WINDOWS\xpcrack.exe"" string has been there for 2-3 months, but this activity in the system tray is reasonably new, like several days since I noticed it.

And it will be a bit off topic, but I scanned my system with almost every kind of antivirus, anti-malware and online file check, but none of them found it to be a threat. If that file is dangerous, shouldn't these programs be aware of that? I'm not saying that file is safe, but it seems strange to me that none of the antivirus and anti-malware programs noticed it.

I will perform a Clean Boot now and will tell you the result here.
Phantom010's Avatar
Distinguished Member with 7,642 posts.
 
Join Date: Mar 2009
Location: Cyberspace
Experience: Advanced
26-Sep-2009, 03:40 PM #10
A LOT of nasties aren't detected by commercial anti-malware programs.
mechanix21's Avatar
Junior Member with 5 posts.
 
Join Date: Sep 2009
Experience: Intermediate
26-Sep-2009, 03:49 PM #11
The problem still persists with a Clean Boot, but somehow I succeeded in taking a screenshot while the icon was there.



it's the icon to the far left.
Cookiegal's Avatar
Administrator with 63,628 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
26-Sep-2009, 03:56 PM #12
I'm closing this as we don't assist with non-genuine operating systems.

Please refer to the forum rules.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.