cmdservice removal



W33bl
2005-12-26, 22:17
Hi, my Spybot S&D reported the cmdservice virus/trojan/adware.
How do I delete it? If you are willing to help me, you will have to teach me how to remove it step by step.

tashi
2005-12-26, 22:57
Hello.
Please see here:
Before you post a log: http://forums.spybot.info/showthread.php?t=288
Cheers.

W33bl
2005-12-26, 23:11
Logfile of HijackThis v1.99.1
Scan saved at 22:10:15, on 26-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\inet20009\services.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

LonnyRJones
2005-12-27, 03:55
Hello

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
====================================
Hit Fix checked and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

C:\WINDOWS\inet20009 < delete that folder
Post a fresh HijackThis log please, and be sure to mention any current problems.
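The judgement the helper applied above to the first log (the same inet20009 binary wired into win.ini, HKLM\Run and HKCU\Run, a file called services.exe outside system32, a dozen IExplore.exe processes running out of dllcache, a Winlogon Notify DLL, an orphaned BHO) written out as a small triage script. This is an added example for this page, not HijackThis code and not anything posted in the thread; it assumes the HijackThis v1.99 line shapes exactly as they appear in the posted logs, and the sample lines at the bottom are constructed from the first log above.

```python
"""Triage a HijackThis v1.99 log for the persistence patterns seen in this thread.

Added example for this page: not HijackThis code and not the helper's own tool.
The parser understands only the line shapes in the posted logs (Running
processes, F3, O2, O4, O20) and applies the checks the helper did by eye.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Core Windows binary names that malware borrows; the real ones live in system32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}

_QUOTED = re.compile(r'"([^"]+)"')
_BARE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr))", re.I)


def extract_path(command):
    """Return the first executable/DLL path in an autorun command, or None."""
    m = _QUOTED.search(command) or _BARE.search(command)
    return m.group(1) if m else None


def parse_log(lines):
    """Split a HijackThis log into the pieces the triage rules look at."""
    out = {"processes": [], "autoruns": [], "notifies": [], "orphan_bhos": []}
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)          # the process list ends at the first blank line
            if line:
                out["processes"].append(line)
        elif line.startswith(("O4 - ", "F3 - ")):
            # O4 - HKLM\..\Run: [name] command      F3 - REG:win.ini: run=path
            location, _, command = line.partition(": ")
            path = extract_path(command)
            if path:
                out["autoruns"].append((location[5:], path))
        elif line.startswith("O20 - Winlogon Notify:"):
            out["notifies"].append(line.rsplit(" - ", 1)[1])
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            out["orphan_bhos"].append(re.search(r"\{[0-9A-Fa-f-]+\}", line).group(0))
    return out


def triage(lines):
    """Return (severity, message) findings, highest severity first."""
    parsed = parse_log(lines)
    findings = []

    # Nothing legitimate executes out of the WFP cache, and a dozen copies of
    # one browser binary is a downloader at work, not the user.
    for path, n in Counter(p.lower() for p in parsed["processes"]).items():
        if "\\dllcache\\" in path:
            findings.append(("high", f"process running from dllcache: {path} (x{n})"))
        elif n >= 4 and PureWindowsPath(path).name != "svchost.exe":
            findings.append(("medium", f"{n} instances of {path}"))

    # One binary registered in several start locations, or a binary that
    # borrows a system name from a non-system directory.
    by_path = defaultdict(list)
    for location, path in parsed["autoruns"]:
        by_path[path.lower()].append(location)
    for path, locations in by_path.items():
        if len(locations) >= 2:
            findings.append(("high", f"{path} registered in {len(locations)} autorun "
                                     f"locations: {', '.join(locations)}"))
        p = PureWindowsPath(path)
        if p.name in CORE_SYSTEM_BINARIES and str(p.parent) != r"c:\windows\system32":
            findings.append(("high", f"{path} borrows a core system binary name outside system32"))

    for path in parsed["notifies"]:
        findings.append(("medium", f"Winlogon Notify DLL (loaded by winlogon.exe), verify vendor: {path}"))
    for clsid in parsed["orphan_bhos"]:
        findings.append(("low", f"orphaned BHO {clsid} points at no file; safe to fix"))

    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\inet20009\services.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\WINDOWS\system32\dllcache\IExplore.exe
C:\Antispyware\HijackThis.exe

F3 - REG:win.ini: run=C:\WINDOWS\inet20009\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20009\services.exe
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
""".strip().splitlines()

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample the three high findings are the inet20009 dropper (three autorun locations, system binary name in a non-system directory) and the IExplore.exe processes spawned from dllcache, which are not a HijackThis fix item but stop reappearing once the dropper and its folder are gone; the O20 entry is medium because a Winlogon Notify DLL with no recognisable vendor needs a second look rather than an automatic delete.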

W33bl
2005-12-27, 14:15
Logfile of HijackThis v1.99.1
Scan saved at 13:14:10, on 27-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


No extra Internet Explorers! Yay! Thanks a lot for your help :bigthumb:
....but Spybot still detects the Command Service, is this normal?

Also I read on the internet that Command Service allows other viruses and infections to enter my PC easily, and they are entering easily! New viruses every day, boohoo...

LonnyRJones
2005-12-27, 16:39
Hi
Is it this detection Spybot is finding?
Command Service- mchInjDrv in HKLM-CurrentControlSet: http://forums.spybot.info/showthread.php?t=774

Run this free online scan and post its report.
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to [x] Use extended database, etc. Click OK.
Then choose: my computer: scan all your hard drives and mapped disks.
When finished, click Save as Text and post that in your reply.

Or Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, and try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.

W33bl
2005-12-28, 15:03
Hi, here's the log of Kaspersky, lots of viruses! :(

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 14:01:03
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 167972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 82585
Number of viruses found: 41
Number of infected objects: 147
Number of suspicious objects: 0
Duration of the scan process: 4354 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Michiel\.housecall\Quarantine\C.tmp.bac_a01952 Infected: Trojan-Dropper.Win32.Small.zp
C:\Documents and Settings\Michiel\.housecall\Quarantine\child.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Small.bug
C:\Documents and Settings\Michiel\.housecall\Quarantine\child[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Small.ahg
C:\Documents and Settings\Michiel\.housecall\Quarantine\drsmartload[1].exe.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\Michiel\.housecall\Quarantine\E.tmp.bac_a01952 Infected: Trojan-Dropper.Win32.Small.ahg
C:\Documents and Settings\Michiel\.housecall\Quarantine\install[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Agent.aed
C:\Documents and Settings\Michiel\.housecall\Quarantine\mng[1].exe.bac_a01952 Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\Michiel\.housecall\Quarantine\paqpwk.exe.bac_a01952 Infected: Trojan-Downloader.Win32.Qoologic.at
C:\Documents and Settings\Michiel\.housecall\Quarantine\paradise.raw.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\paradise[1].raw.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\paytime.exe.bac_a01952 Infected: Trojan.Win32.StartPage.adi
C:\Documents and Settings\Michiel\.housecall\Quarantine\paytime[1].txt.bac_a01952 Infected: Trojan.Win32.StartPage.adi
C:\Documents and Settings\Michiel\.housecall\Quarantine\runsvc32[1].exe.bac_a01952 Infected: Trojan-Dropper.Win32.Small.zp
C:\Documents and Settings\Michiel\.housecall\Quarantine\spoolsrv32.exe.bac_a01952 Infected: not-a-virus:AdWare.Win32.FindSpy.e
C:\Documents and Settings\Michiel\.housecall\Quarantine\srpcsrv32.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Agent.rm
C:\Documents and Settings\Michiel\.housecall\Quarantine\ssldr32.dll.bac_a01952 Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\Michiel\.housecall\Quarantine\sywsvcs.exe.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\tool3.exe.bac_a01952 Infected: Packed.Win32.Klone.b
C:\Documents and Settings\Michiel\.housecall\Quarantine\tool3[1].txt.bac_a01952 Infected: Packed.Win32.Klone.b

END OF PART I

W33bl
2005-12-28, 15:04
C:\Documents and Settings\Michiel\.housecall\Quarantine\toolbar.exe.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\Michiel\.housecall\Quarantine\toolbar[1].txt.bac_a01952 Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\Michiel\.housecall\Quarantine\txfdb32.dll.bac_a01952 Infected: Trojan-Downloader.Win32.Agent.rm
C:\Documents and Settings\Michiel\.housecall\Quarantine\wugwp.dat.bac_a01952 Infected: Trojan-Downloader.Win32.Qoologic.at
C:\Documents and Settings\Michiel\Local Settings\Temp\B.tmp Infected: Trojan-Downloader.Win32.CWS.s
C:\Documents and Settings\Michiel\Local Settings\Temp\svchst.exe Infected: Trojan-Downloader.Win32.Small.caf
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\0ZTJUMNT\cr-se121[1].exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\0ZTJUMNT\cr-se121[1].exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\EDLYZE5G\211156[1].htm Infected: Trojan-Downloader.JS.IstBar.z
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\EDLYZE5G\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\ETLUJ2DC\1[2].htm Infected: Exploit.HTML.Mht
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\H7RF1L0E\web[1].exe Infected: Trojan-Downloader.Win32.CWS.s
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\IPVGT4JE\get_40698_Trend.Micro.PC.Cillin.Internet.Security.2005.v12.1_crack[1].htm Infected: Trojan-Downloader.JS.IstBar.u
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\PCSJ95GT\10[1].exe Infected: Trojan-Downloader.Win32.Small.caf
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\QDQRUZ6N\ms1[1].txt Infected: Trojan-Downloader.Win32.Tiny.al
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\RBPFJP4S\drsmartloadb[1].exe Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\RBPFJP4S\kl[1].txt Infected: Trojan-PSW.Win32.Agent.bu
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\S9EDQZ4J\hosts[1].txt Infected: Trojan.Win32.Qhost.el
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\S9EDQZ4J\xpladv470[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\SRFNAC5P\free[1].anr Infected: Trojan-Downloader.Win32.Ani.c
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\SRFNAC5P\tool2[1].txt Infected: not-virus:Hoax.Win32.Renos.aj
C:\Downloads\Crack.patches.keygens\cr-se121.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Crack.patches.keygens\cr-se121.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\cr-se121.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\cr-se121.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Downloads\Setups\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Downloads\Setups\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003164.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003165.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003166.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003180.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003181.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe/WISE0015.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003182.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003183.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0017.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream/data0007 Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream/data0008 Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN/stream Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003184.exe Infected: not-a-virus:AdWare.Win32.ActivShopper.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003185.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003186.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe/WISE0018.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003187.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0022.BIN Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0002 Infected: not-a-virus:AdWare.Win32.WebRebates.r
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP44\A0003188.exe Infected: not-a-virus:AdWare.Win32.WebRebates.p
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003322.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003327.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003330.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003340.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003342.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003351.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003352.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003353.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003354.exe Infected: Trojan-Dropper.Win32.Agent.aed
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003367.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003370.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003372.exe Infected: Trojan-Clicker.Win32.VB.kc
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003374.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003384.exe Infected: Trojan-Downloader.Win32.Tiny.al
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003385.dll Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003386.cpl Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003393.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003396.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003408.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003410.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003419.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003421.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003422.exe Infected: Trojan.Win32.StartPage.adi
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003423.exe Infected: not-a-virus:AdWare.Win32.FindSpy.e
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003424.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003425.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003426.dll Infected: Trojan-Downloader.Win32.Agent.rm
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003427.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003428.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003435.dll Infected: Trojan-Downloader.Win32.Small.bug
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003441.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003443.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003455.dll Infected: not-a-virus:AdWare.Win32.Ihbo.gen
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003456.exe Infected: Email-Worm.Win32.Delf.i
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003458.exe Infected: Trojan-Proxy.Win32.Delf.an
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003459.exe Infected: Trojan-Downloader.Win32.CWS.s
C:\System Volume Information\_restore{31CBBA23-1807-40BF-BA31-FD062EDA1913}\RP46\A0003477.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\WINDOWS\kl.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\WINDOWS\system32\ipsiean.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\WINDOWS\system32\jvvjfcd.exe Infected: Trojan.Win32.Pakes
C:\WINDOWS\system32\kmqkf.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\WINDOWS\system32\ssldr32.dll Infected: Trojan-Proxy.Win32.Agent.hs
C:\WINDOWS\tool2.exe Infected: not-virus:Hoax.Win32.Renos.aj

Scan process completed.

END OF PART II

LonnyRJones
2005-12-28, 15:32
Hi
Delete these files >
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
C:\Downloads\Setups\cr-se121.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\system32\ipsiean.dll
C:\WINDOWS\system32\jvvjfcd.exe
C:\WINDOWS\system32\kmqkf.dll
C:\WINDOWS\system32\ssldr32.dll
C:\WINDOWS\tool2.exe
C:\Downloads\Crack.patches.keygens\ < delete the entire folder and never use any cracks from anywhere again, or you will most certainly get infected once again; we can and do get infected just looking for them, much less downloading them.
Even if you had scanned them with ten antivirus programs and found them to be safe, something
would eventually get in.


Download System Security Suite.
http://www.igorshpak.net/
If that site is unavailable use this link please
http://forums.subratam.org/index.php?act=Attach&type=post&id=25013
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program, check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click
'Clear Selected Items'. You will be prompted to reboot; do so.

If the pc is stable after about a week, purge the old System Restore points:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then Reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

W33bl
2005-12-28, 16:01
Thank you for replying.

C:\WINDOWS\system32\kmqkf.dll < file is in use, can't delete it
C:\WINDOWS\system32\ssldr32.dll < no such file

Could you help me with those problems?

Thnx!

Edit: I ran SpybotSD again, and it still shows command service, 2 entries.
I can't delete them, they are in use by my memory.

LonnyRJones
2005-12-28, 16:12
Run Hijackthis click config > misc tools > delete a file on reboot
paste this file and path into the file name box
C:\WINDOWS\system32\kmqkf.dll
answer no to the prompt to reboot, paste in that other file even if it seems not to exist, and answer yes to the prompt to reboot the pc
C:\WINDOWS\system32\ssldr32.dll

W33bl
2005-12-28, 17:30
Hi, I did what you told me to do, but Spybot still shows command service.

SpybotSD log:

Command Service: Systeem Service (Register sleutel, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

Command Service: Instellingen (Register sleutel, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Instellingen (Register sleutel, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-26 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)


Here's a new/fresh HiJackThis-log.

Logfile of HijackThis v1.99.1
Scan saved at 16:30:49, on 28-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

LonnyRJones
2005-12-28, 17:43
Hi
Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


(Echo %DATE% %TIME%
sc config "cmdService" start= disabled
sc delete "cmdService"
sc query "cmdService"
)>logit.txt 2>&1
start notepad logit.txt

Run check.bat and post back with the text that will open

Also: Download and run BlackLight
F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
click > scan then > next, next again then exit
There will be a new txt file next to BlackLight; post it please.
!!Do not rename any files yet
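
The check.bat above asks the Service Control Manager about cmdService, while the Spybot log in the previous post reported the service key under CurrentControlSet, ControlSet001 and ControlSet002. The two views can disagree: sc only sees the live control set, so a key that survives in ControlSet001 or ControlSet002 (the last-known-good and backup copies) will not show up in its output. The batch file below is an added example, not part of the thread or of LonnyRJones's instructions; it reports the key in each control set next to the sc view so the two can be compared in one log. The service name comes from the thread; the output file name svccheck.txt and the three control-set names being checked are assumptions.

```batch
@echo off
rem Added example (not from the thread): compare what the registry and the
rem Service Control Manager say about one service across all control sets.
rem Uses only reg.exe and sc.exe, both shipped with Windows XP.
setlocal
set SVC=cmdService
rem Output file next to this batch file (assumed name)
set OUT=%~dp0svccheck.txt

(
  echo %DATE% %TIME%
  echo Checking service "%SVC%" in each control set
  for %%S in (CurrentControlSet ControlSet001 ControlSet002) do (
    rem reg query returns a non-zero errorlevel when the key does not exist
    reg query "HKLM\SYSTEM\%%S\Services\%SVC%" >nul 2>&1
    if errorlevel 1 (
      echo   %%S: key not present
    ) else (
      echo   %%S: key PRESENT
      rem Show where the service would load its binary from, if recorded
      reg query "HKLM\SYSTEM\%%S\Services\%SVC%" /v ImagePath 2>nul
    )
  )
  echo.
  echo Service Control Manager view:
  rem Error 1060 here means SCM has no such service in the live control set
  sc query "%SVC%"
) > "%OUT%" 2>&1
start notepad "%OUT%"
endlocal
```

Run it the same way as check.bat (save as a .bat file with *all files* selected as the type and double-click it). A line reading "key PRESENT" for ControlSet001 or ControlSet002 while sc reports error 1060 is the situation a scanner like Spybot flags as a leftover service key that the Service Control Manager itself no longer knows about.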

W33bl
2005-12-29, 17:16
I've got a strange background, installed automatically.

When I right-click it and click 'source' it shows this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY bgColor=#000000>
<DIV
style="BACKGROUND: url(file:///C:/Documents%20and%20Settings/Michiel/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"></DIV><IFRAME
id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 767px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html"
resizeable="粶� ၩ"> </IFRAME>&nbsp; </BODY></HTML>

When I delete the desktop.html it's still there.
Also im unable to clock software in the 'tools-menu' (in windows)

LonnyRJones
2005-12-29, 17:51
ok we can deal with that, first follow the suggestions in my last post.

"Also im unable to clock software in the 'tools-menu' (in windows)"
Not sure what you mean, explain further please

W33bl
2005-12-29, 21:11
Right.

Also im unable to clock software in the 'tools-menu' (in windows) means:

Also, I am unable to click on the 'software' icon in the 'tools menu' (I am not sure it is called 'tools menu' in English; it's where you can access things like 'software', 'hardware', 'graphics', 'printers', etc.).

When I click on 'software' I get the error: ' Value creation failed '' at line 521 '

Results of F-secure:
12/29/05 20:09:35 [Info]: BlackLight Engine 1.0.30 initialized
12/29/05 20:09:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/29/05 20:09:35 [Note]: 7019 4
12/29/05 20:09:35 [Note]: 7005 0
12/29/05 20:09:39 [Note]: 7006 0
12/29/05 20:09:39 [Note]: 7011 1632
12/29/05 20:09:39 [Note]: FSRAW library version 1.7.1014
12/29/05 20:11:23 [Note]: 7007 0

LonnyRJones
2005-12-29, 22:47
Hi
Where is the logit.txt ?

Do you mean in the windows control panel and the administrator tools ?

Follow the advice in this post to download smitrem and Ewido, then run them both while in safe mode, please.
http://forums.spybot.info/showthread.php?t=1316

Post their logs here as described

W33bl
2005-12-29, 23:08
I only got a log located in the same directory as the blbeta.exe.
The content of this log was the text I posted earlier.
Also: blbeta.exe didn't find any viruses or results.

Next step is to install all the software from the other forum-page and follow the steps?

LonnyRJones
2005-12-29, 23:31
Hi
Check this post again about check.bat
http://forums.spybot.info/showpost.php?p=5560&postcount=13

Then yes, continue with the instructions in that other post please
good luck

W33bl
2005-12-30, 00:13
Results of ewido:
---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 22:55:08, 29-12-2005
+ Rapport samenvatting: 6271C80C

+ Scan resultaten:

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Schoongemaakt met een backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Schoongemaakt met een backup
HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Schoongemaakt met een backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@2o7[1].txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@adtech[2].txt -> Spyware.Cookie.Adtech : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@burstnet[2].txt -> Spyware.Cookie.Burstnet : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@centrport[1].txt -> Spyware.Cookie.Centrport : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@com[2].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@estat[1].txt -> Spyware.Cookie.Estat : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@overture[1].txt -> Spyware.Cookie.Overture : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@paypopup[1].txt -> Spyware.Cookie.Paypopup : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@revenue[1].txt -> Spyware.Cookie.Revenue : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@stat.onestat[1].txt -> Spyware.Cookie.Onestat : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@statcounter[2].txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Cookies\michiel@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Local Settings\Temp\B.tmp -> Downloader.CWS.r : Schoongemaakt met een backup
C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\O1EBS1U7\mm[2].js -> Spyware.Chitika : Schoongemaakt met een backup
C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Schoongemaakt met een backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Schoongemaakt met een backup


::Einde rapport

Schoongemaakt met backup means 'cleaned with backup'

Results of smitrem:
Smitrem did not make a log or anything, I think.

LonnyRJones
2005-12-30, 03:15
The results of running check.bat = logit.txt ?
C:\smitfiles.txt << is located there, post it

W33bl
2005-12-30, 12:28
Sorry I didn't see the log!

Here it is:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [versie 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

svcp.csv


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 780 'explorer.exe'
Killing PID 780 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

W33bl
2005-12-30, 14:44
logit.txt>

vr 30-12-2005 13:43:04,75
[SC] OpenService FAILED 1060:

De opgegeven service is geen geïnstalleerde service.
The given service is not an installed service.

[SC] OpenService FAILED 1060:

De opgegeven service is geen geïnstalleerde service.


[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

De opgegeven service is geen geïnstalleerde service.

LonnyRJones
2005-12-30, 15:49
Thanks

Are there any current problems? How's your desktop?
If there are still problems explain and post one more hijackthis log please

W33bl
2005-12-30, 16:37
Desktop hasn't changed, still this irritating background, plus I get a new trojan every now and then. Here's the log you requested.
Logfile of HijackThis v1.99.1
Scan saved at 15:37:00, on 30-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

LonnyRJones
2005-12-30, 16:56
Have hijackthis fix these
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
====================
Open the windows Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Log off then back on again (or restart the pc)
Control Panel click Display > Desktop and change your wallpaper

How did that go ?

W33bl
2005-12-30, 20:38
Right, I fixed the two entries, ran Spybot, NO command service.
Fixed the desktop, my sweet puppy is now on my desktop again, hehe

Mate, I want to thank you for all your help!
If you want me to, I can this website to people if they are having trouble deleting spyware.

THNX! :bigthumb:

LonnyRJones
2005-12-31, 06:26
Great, I'm glad we could help
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC let me or Tashi know.