Desktop problem.

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
I let my sister use my computer (shes 10) and when I got back, poof, viruses everywhere .. geez, what pages do these girls go to anyways?

Anyways, my biggest issue is the small amount of popups, start page, and the desktop background. It's completely black, sometimes it says 'Your computer is infected with Spyware' bla bla bla ... (as a background)

I need halp ! please ! :p

Thanxx
 

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
Here you go ..


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\javajc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\qbinxz.exe
C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program\STOPzilla!\Stopzilla.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\75.tmp.exe
C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\76.tmp.exe
C:\WINDOWS\system32\netoy32.exe
C:\WINDOWS\System32\1877.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Spybot - Search & Destroy\SpybotSD.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program\DC++\DCPlusPlus.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1.telia.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Use

:cool:
 

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
Logfile of HijackThis v1.99.1
Scan saved at 03:02:36, on 2005-12-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\javajc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\qbinxz.exe
C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program\STOPzilla!\Stopzilla.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\75.tmp.exe
C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\76.tmp.exe
C:\WINDOWS\system32\netoy32.exe
C:\WINDOWS\System32\1877.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cidaemon.exe
C:\unzipped\hijackthis_199\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1.telia.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O2 - BHO: Class - {B513F19C-5C67-40E1-6FA7-165FFCD035F2} - C:\WINDOWS\ipfb.dll
O2 - BHO: Class - {C25AEDCA-B031-C73B-0FD1-AC9B52E73BD4} - C:\WINDOWS\ietu32.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O2 - BHO: anteaudio - {E9692DD0-6F3F-0B36-81EE-2E062292E72D} - C:\Program\SIZEPH~1\CashMove.dll (file missing)
O3 - Toolbar: Filesend - {51756FF8-F761-92D4-CC6E-86747B9F7C36} - C:\Program\SIZEPH~1\CashMove.dll (file missing)
O3 - Toolbar: MSN Verktygslåda - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar\01.01.1601.0\sv\msntb.dll
O3 - Toolbar: SuperBar - {7348E586-D05F-46A6-A0BF-F12E1677F4E2} - C:\Program\_SUPERBAR\_SUPERBAR.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
O4 - HKLM\..\Run: [STOPzilla] "C:\Program\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Uuwetufq] c:\Program Files\Lteysq\Xzngsp.exe
O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Mourad 1\Lokala inställningar\Temporary Internet Files\Content.IE5\6BQZ2PAJ\delf061225[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AdwareAlert] C:\Program\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [kzetkz] c:\windows\system32\hkzlhbu.exe
O4 - HKLM\..\Run: [Cmt101] c:\windows\system32\cmt101.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [links] links.exe
O4 - HKLM\..\Run: [WinHound] C:\Program\WinHound\WinHound.exe
O4 - HKLM\..\Run: [mfcnv32.exe] C:\WINDOWS\mfcnv32.exe
O4 - HKLM\..\Run: [75.tmp] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\75.tmp.exe
O4 - HKLM\..\Run: [76.tmp] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\76.tmp.exe
O4 - HKLM\..\Run: [75.tmp.exe] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\75.tmp.exe
O4 - HKLM\..\Run: [76.tmp.exe] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\76.tmp.exe
O4 - HKLM\..\Run: [apppd.exe] C:\WINDOWS\apppd.exe
O4 - HKLM\..\Run: [sysbi.exe] C:\WINDOWS\sysbi.exe
O4 - HKLM\..\Run: [netoy32.exe] C:\WINDOWS\system32\netoy32.exe
O4 - HKLM\..\Run: [knfdmp] C:\WINDOWS\System32\qbinxz.exe r
O4 - HKCU\..\Run: [Apwheel] C:\WINDOWS\System32\1877.exe
O4 - HKCU\..\Run: [appips] C:\WINDOWS\System32\appips.exe
O4 - HKCU\..\Run: [Cmt101] c:\windows\system32\cmt101.exe
O4 - HKCU\..\Run: [Steam] D:\Program\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=BRANDY
O16 - DPF: {2DBEFB64-B6C4-4A2C-BE6A-16FF065B99C6} - http://www.dialerzona.com/cuadruple.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: mad.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javajc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Creative NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program\STOPzilla!\szntsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\tmproxy.exe




This should be the whole log
 
Joined
Jul 8, 2002
Messages
14,681
Please save or print these instructions before beginning.
  • Extract About:Buster to your Desktop
  • Run About:Buster and click OK>>Update>>Check for Update
  • Download any available updates by clicking Download Update
  • Exit About:Buster
  • Save CWShredder to your Desktop
  • Run CWShredder and click I Agree>>Check For Update
  • Exit CWShredder
  • Run About:Buster and click Start>>OK
  • Click Yes when prompted to shutdown explorer.exe
  • Allow the program to make a second pass through your system if it asks you to do so
  • Click Save Log and save this log to your Desktop
  • Run About:Buster and click Start>>OK
  • Click Yes when prompted to shutdown explorer.exe
  • Allow the program to make a second pass through your system if it asks you to do so
  • Click Save Log and save this log to your Desktop
  • Run CWShredder
  • Click I Agree>>Fix>>Next and allow it to fix any problems it finds
  • Exit CWShredder
  • Run SpSeHjFix
  • Run CleanUp! and go to Options>>Custom CleanUp!
  • Put a checkmark next to each of the following items:

    Empty Recycle Bins
    Delete Cookies
    Delete Prefetch files
    Scan local drives for temporary files
    Cleanup! All Users
  • Click OK>>CleanUp!
  • Exit CleanUp!
  • Restart your computer
  • Post the contents of the About:Buster log you saved earlier
  • Post the contents of SpSeHjFix.log
Please save or print these instructions before beginning.
  • Go to Start>>Control Panel>>Add or Remove Program
  • Uninstall any of the following programs that appear in the list:

    eAcceleration Webcelerator


  • Run HijackThis and click Do a system scan only
  • Put a checkmark next to any of the following entries that appear, and click Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rphal.dll/sp.html#88449%resultposition.net
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: Class - {B513F19C-5C67-40E1-6FA7-165FFCD035F2} - C:\WINDOWS\ipfb.dll
    O2 - BHO: Class - {C25AEDCA-B031-C73B-0FD1-AC9B52E73BD4} - C:\WINDOWS\ietu32.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O2 - BHO: anteaudio - {E9692DD0-6F3F-0B36-81EE-2E062292E72D} - C:\Program\SIZEPH~1\CashMove.dll (file missing)
    O3 - Toolbar: Filesend - {51756FF8-F761-92D4-CC6E-86747B9F7C36} - C:\Program\SIZEPH~1\CashMove.dll (file missing)
    O3 - Toolbar: SuperBar - {7348E586-D05F-46A6-A0BF-F12E1677F4E2} - C:\Program\_SUPERBAR\_SUPERBAR.dll (file missing)
    O4 - HKLM\..\Run: [Uuwetufq] c:\Program Files\Lteysq\Xzngsp.exe
    O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
    O4 - HKLM\..\Run: [kzetkz] c:\windows\system32\hkzlhbu.exe
    O4 - HKLM\..\Run: [Cmt101] c:\windows\system32\cmt101.exe
    O4 - HKLM\..\Run: [links] links.exe
    O4 - HKLM\..\Run: [WinHound] C:\Program\WinHound\WinHound.exe
    O4 - HKLM\..\Run: [mfcnv32.exe] C:\WINDOWS\mfcnv32.exe
    O4 - HKLM\..\Run: [apppd.exe] C:\WINDOWS\apppd.exe
    O4 - HKLM\..\Run: [sysbi.exe] C:\WINDOWS\sysbi.exe
    O4 - HKLM\..\Run: [netoy32.exe] C:\WINDOWS\system32\netoy32.exe
    O4 - HKLM\..\Run: [knfdmp] C:\WINDOWS\System32\qbinxz.exe r
    O4 - HKCU\..\Run: [Apwheel] C:\WINDOWS\System32\1877.exe
    O4 - HKCU\..\Run: [appips] C:\WINDOWS\System32\appips.exe
    O4 - HKCU\..\Run: [Cmt101] c:\windows\system32\cmt101.exe
    O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovio...filiate=BRANDY
    O16 - DPF: {2DBEFB64-B6C4-4A2C-BE6A-16FF065B99C6} - http://www.dialerzona.com/cuadruple.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O20 - AppInit_DLLs: mad.dll
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\javajc.exe
  • Exit HijackThis
  • Run KillBox and go to Action>>Delete on Reboot
  • Go to File>>Add File and select each of the following file/folder paths

    C:\WINDOWS\Nail.exe
    C:\Program\_SUPERBAR\
    c:\Program Files\Lteysq\
    C:\Program Files\WebSpecials\
    c:\windows\system32\hkzlhbu.exe
    c:\windows\system32\cmt101.exe
    C:\Program\WinHound\
    C:\WINDOWS\mfcnv32.exe
    C:\WINDOWS\apppd.exe
    C:\WINDOWS\sysbi.exe
    C:\WINDOWS\system32\netoy32.exe
    C:\WINDOWS\System32\qbinxz.exe
    C:\WINDOWS\System32\1877.exe
    C:\WINDOWS\System32\appips.exe
    c:\windows\system32\cmt101.exe
  • Go to Action>>Process and Reboot>>Yes
    WARNING:: Your computer will be restarted. Any unsaved work in open applications will be lost.​
 

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
I've done all that, I had no log on CWSearch (no problems found) and on About:Buster I don't know how to post a log, so I skipped with posting the log and continued, I think the problems are fixed - except my background, I can't change background because on the desktop settings the background stuff are all gray (cant click)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
post a new HJT log
 

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
Logfile of HijackThis v1.99.1
Scan saved at 12:38:24, on 2005-12-26
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\etsxilw.exe
C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\Mixer.exe
C:\Program\STOPzilla!\Stopzilla.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\TRENDM~1\INTERN~1\PccVScan.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\Program\Grisoft\AVG Free\avgcc.exe
C:\Program\Grisoft\AVG Free\avgwb.dat
C:\unzipped\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login1.telia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy1.telia.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: MSN Verktygslåda - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar\01.01.1601.0\sv\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [STOPzilla] "C:\Program\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\Mourad 1\Lokala inställningar\Temporary Internet Files\Content.IE5\6BQZ2PAJ\delf061225[1].exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [75.tmp] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\75.tmp.exe
O4 - HKLM\..\Run: [76.tmp] C:\DOCUME~1\MOURAD~1\LOKALA~1\Temp\76.tmp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] D:\Program\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\Program\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: mad.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Creative NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: STOPzilla Local Service - International Software Systems Solutions - C:\Program\STOPzilla!\szntsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program\TRENDM~1\INTERN~1\tmproxy.exe
 

RoARX

Thread Starter
Joined
Dec 25, 2005
Messages
6
I removed Nail.exe for example, but it autostarts itself ... wow ... ?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
if you remove it incorrectly it will come back

For a start you will have major problkems with n oth Trend & avg both active and running at teh same toime

decide which one you want and uninstall the other one

then

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install and run Ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Please finish up by rebooting your system once more, and posting a new HijackThis log and the log from the Ewido scan.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top