strange shell.dll

[ffox]

I have PC with win xp sp2 installed.


I was about to install software for my new graphic table GENIUS WIZARD PEN.

But message "Cannot find shell.dll" appears.

I have copied shell.dll from c:\windows\system to c:\windows\system32

ok, installation passed cool, but software still does not work. It should dispaly some icon in tray bar but it does not.

Then I have tried to delete shell.dll from c:\windows\system32 and then - surprise!

whenever I delete file, somehow it recreate itself and same in c:\windows\system ?!

another strange thing is: it is only 5k ?!

right click, properties says it is microsoft file, but looks like it is fake, couse it has (see attached image) some kind of WOW version ?!

there is also shell.dll attached in a shell.zip but if you download it, it is on your own.

finaly, KAspersky, AD-AWare SE pro, and trend Micro Anti spy found some suspecious items, but after cleaning, problem with SHELL.DLL still persists.


I am desperate, here is the hijackthis log file, please let me know what to do.


Logfile of HijackThis v1.99.1
Scan saved at 22:50:11, on 1.7.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WService.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\shell\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.117.194.6:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Nesa\Application Data\Mozilla\Profiles\default\8upj1szy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nesa\Application Data\Mozilla\Profiles\default\8upj1szy.slt\prefs.js)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpgradeService] C:\WINDOWS\system32\UpgradeService.exe
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4389/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB945E8E-03BB-4C7A-9CAE-2969F692B3CB}: NameServer = 82.117.194.2,82.117.194.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE






THANKS

 

[MFDnNC]

That's legit

Whats not is this

O4 - HKLM\..\Run: [UpgradeService] C:\WINDOWS\system32\UpgradeService.exe
O4 - HKLM\..\Run: [WService] WService.EXE

But Wservice can be

Do this - disable both of those entries (their equivalent) in msconfig and see what happens

Check your tablet

Post back

 

[ffox]

O4 - HKLM\..\Run: [UpgradeService] C:\WINDOWS\system32\UpgradeService.exe
O4 - HKLM\..\Run: [WService] WService.EXE


done, but after that, for some reason KAV refused to start, so I reinstalled it again.

WService.exe seems to belong to Tablet, so I enabled it again.

UpgradeService.exe is disabled, problem persists.



Can you tell me anything about that strange SHELL.DLL ?

 

[MFDnNC]

My shell.dll looks just like yours and is 5kb

the wservice is list as a file for the tablet and a virus, that's why I did it the way I did

Not sure what happened to Kav so lets run something

Oh when this is over if we have not come back to UpgradeService.exe, you will need to delete the file and remove the entry using HiJack

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido
· It will prompt you to update click the OK button and it will go to the main screen
· On the left side of the main screen click update
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
· Click on scanner
· Put a check by the following before you scan:
o Binder
o Crypter
o Archives
· Click the Start Scan button to start the scan.
· During the scan it will prompt you to clean files, click OK
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your desktop
Post that log

 

[ffox]

THANKS SO MUCH

it works now


as a matter of fact, when I started PC in safe mode windosws said "installing new hardware is finished", so I just tried, and Tablet were started.

anyway, I did scan with ewido and here are the results.


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:36:46, 2.7.2005
+ Report-Checksum: 2D8AF8BE

+ Date of database: 1.7.2005
+ Version of scan engine: v3.0

+ Duration: 122 min
+ Scanned Files: 289578
+ Speed: 39.42 Files/Second
+ Infected files: 80
+ Removed files: 74
+ Files put in quarantine: 74
+ Files that could not be opened: 0
+ Files that could not be cleaned: 6

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Nesa\Cookies\nesa@ad.ir[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ad.krutilka[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ads.guardian.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ads.mediaturf[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ads.planetactive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ads15.bpath[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@affiliates.x10[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@bannerads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@c2.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@c3.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cnsmin.3721[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cyborg2[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cz3.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cz4.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cz6.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cz7.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@cz8.clickzs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@ded.gostats[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@gamecenter.speedbit[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@guide.real[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@phpmyadmin[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@reklamr.hitlist[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@sammy4u[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@speedbit[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@vip.clickzs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@visit.theglobeandmail[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.clickheretofind[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.designsxchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.easypic[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.health-server[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.leadclub[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.macobserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.realnetworks[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@www.websidestory[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Cookies\nesa@zwsw.3721[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Nesa\Local Settings\Temp\uninst.tmp -> TrojanSpy.Perflogger.az -> Cleaned with backup
C:\TEMP\cdt_bbi8016.exe -> Spyware.Exact.a -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Spyware.Gator.1019 -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WinadX.dll -> TrojanDownloader.Winupdt.a -> Cleaned with backup
C:\WINDOWS\system32\lc.exe -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\system32\Plugins.exe -> TrojanSpy.Perflogger.az -> Cleaned with backup
C:\WINDOWS\system32\Pluginsr.exe -> TrojanSpy.Perflogger.az -> Cleaned with backup
C:\WINDOWS\winadvt.dll -> Spyware.FastLook.a -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@ad4.lbn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@ads18.bpath[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@att.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@cnsmin.3721[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@directads.mcafee[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@download.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@linkexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@list[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@list[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@servedby.adscpm[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@topsites[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@www.designsxchange[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Z_Install\zrx\Cookies\zrx@www.xzoomy[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End





and here is the HJT log after all

Logfile of HijackThis v1.99.1
Scan saved at 3:01:46, on 2.7.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Nesa\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Nesa\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\shell\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 82.117.194.6:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\Nesa\Application Data\Mozilla\Profiles\default\8upj1szy.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nesa\Application Data\Mozilla\Profiles\default\8upj1szy.slt\prefs.js)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: FlashToolset - res://C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll/300
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra 'Tools' menuitem: FlashToolset - {4A067D7A-84C4-4de8-A109-2BFBA2B39F72} - C:\PROGRA~1\Easeweb\FLASHT~1.0\Swafer.dll (HKCU)
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4389/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB945E8E-03BB-4C7A-9CAE-2969F692B3CB}: NameServer = 82.117.194.2,82.117.194.3
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe




p.s.
what should I do with UpgradeService.exe ?



once again, THANKS MUCH

 

[MFDnNC]

Add remove programs – if present remove – SpyAnywhere

These are the Spyware programs you need and they are free

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://download.microsoft.com/downl...-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe (XP and W2K only)

DL them (they are free), install them, check each for their
definition updates and then run AdAware and Spybot, fixing anything
they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Fix these with HJT – mark them – close every thing but HJT – click fixchecked

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)

O4 - HKLM\..\Run: [HTTPServer] C:\Program Files\Spytech Software\SpyAnywhere\SpyAnywhere.exe

Considering it is definetly bad go ahead and delete C:\WINDOWS\system32\UpgradeService.exe

How are things now???????????????

 

[ffox]

thanks for advices


SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
SpyBot V1.4 http://www.majorgeeks.com/download2471.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html
MS AntiSpy - http://download.microsoft.com/downl...wareInstall.exe (XP and W2K only)


I will try (I have adAware) but is it any good to purchase ewido instead of all above mentioned ?

 

[MFDnNC]

Those do a very good job and normally Ewido and the cost are not needed.

 

[ffox]

MS AntiSpy - http://download.microsoft.com/downl...wareInstall.exe (XP and W2K only)


this link seems to be broken

 

[MFDnNC]

Looks like they changed the link

http://www.microsoft.com/downloads/...A8BD-DBF62EDA9671&displaylang=en&Hash=RDXMHB6

 

[ffox]

thanks