Not too sure what this is



raz469
2007-09-19, 00:14
Hi, I had, or still have, some sort of malware problem.

I started by disabling all file associations which could not be fixed without needing to download registry fixes.

Every time I would start Windows, before it would log in and load my settings and what not, a message box would appear. The title would look similar to this, with the same text in the message area. I cannot start Windows without clicking OK. This symptom is the only one apparent now, as the file association problem seems to be fixed. This only happened once I had found and removed the following:

Microsoft windows security center antivirusdisablenotify

Microsoft windows security center firewalloverride

Microsoft windows security center antivirusoverride

Microsoft windows security center firewalldisablenotify

Microsoft windows security center_disabled


Here is a HJT log, which will hopefully help:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:05:06, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
H:\WINDOWS.0\System32\smss.exe
H:\WINDOWS.0\system32\winlogon.exe
H:\WINDOWS.0\system32\services.exe
H:\WINDOWS.0\system32\lsass.exe
H:\WINDOWS.0\system32\svchost.exe
H:\WINDOWS.0\System32\svchost.exe
H:\WINDOWS.0\system32\spoolsv.exe
H:\Program Files\Eset\nod32krn.exe
H:\WINDOWS.0\system32\nvsvc32.exe
H:\WINDOWS.0\Explorer.EXE
H:\WINDOWS.0\system32\ctfmon.exe
H:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
C:\Documents and Settings\RL\My Documents\Xpadder\Xpadder.exe
H:\Program Files\MSN Messenger\msnmsgr.exe
H:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe
H:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
H:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
H:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
H:\Program Files\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
H:\Program Files\ESET\nod32kui.exe
H:\Program Files\MSN Messenger\usnsvc.exe
K:\Software\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = pepsi_labeb Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - H:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - H:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Super Utilities] H:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min
O4 - HKCU\..\Run: [Xpadder] "C:\Documents and Settings\RL\My Documents\Xpadder\Xpadder.exe" -minimized
O4 - HKCU\..\Run: [msnmsgr] "H:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] H:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] H:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] H:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] H:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Anapod Manager.lnk = H:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: RocketDock.lnk = H:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = H:\Program Files\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = H:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
O8 - Extra context menu item: &Download All with FlashGet - H:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - H:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - H:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{78085154-6711-4114-9D2F-D54E3FA023E6}: NameServer = 194.168.4.100,194.168.8.100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - H:\WINDOWS.0\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - H:\WINDOWS.0\system32\browseui.dll
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - H:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS.0\system32\nvsvc32.exe

--
End of file - 5887 bytes
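
A small triage parser for the HijackThis log format quoted above, added here as an example (it is not from the thread or from Trend Micro): it splits entries by section, breaks the logon autostart (O4) entries into key, value name and command, and lists the O17 name servers and any target marked "(file missing)". The sample lines are constructed from the poster's log.

```python
import re

# Constructed sample: lines in the format of the HijackThis (HJT) log
# quoted above, taken from the poster's own entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = pepsi_labeb Internet Explorer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Super Utilities] H:\Program Files\SuperLogix\Super Utilities\SuperUtil.exe /min
O4 - Startup: RocketDock.lnk = H:\Program Files\Vista Inspirat 2\RocketDock\RocketDock.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{78085154-6711-4114-9D2F-D54E3FA023E6}: NameServer = 194.168.4.100,194.168.8.100
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - H:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")

def parse_hjt(text):
    """Split each HJT line into section code and body; O4 entries also get key, name, command."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank and "End of file" lines
        section, body = m.group("section"), m.group("body")
        entry = {"section": section, "body": body,
                 "file_missing": body.endswith("(file missing)")}
        if section == "O4":  # two shapes: "HKxx\..\Run: [Name] cmd" and "Startup: x.lnk = target"
            hit = RUN_RE.match(body) or LNK_RE.match(body)
            if hit:
                entry.update(key=hit.group("key"), name=hit.group("name"),
                             command=hit.group("cmd"))
        entries.append(entry)
    return entries

def autostarts(entries):
    """(key, name, command) for every O4 entry: what runs at logon, before the desktop appears."""
    return [(e["key"], e["name"], e["command"])
            for e in entries if e["section"] == "O4" and "command" in e]

def nameservers(entries):
    """DNS servers from O17 lines, to compare against the ones the ISP actually issues."""
    servers = []
    for e in entries:
        m = re.search(r"NameServer = (.+)$", e["body"]) if e["section"] == "O17" else None
        if m:
            servers.extend(s.strip() for s in m.group(1).split(","))
    return servers
```

Feeding the full log into `parse_hjt` and printing `autostarts` gives the short list of logon-time commands to check one by one; entries flagged `file_missing` are leftovers whose registry pointers can be cleaned up.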

tashi
2007-10-03, 01:08
Hello and sorry for the delay.

We do have this sticky topic:
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

However, if members waiting for assistance do not post there, their topic is archived.

If you need it re-opened, please send me a private message (pm) and provide a link back to your thread.

This applies only to the original poster; anyone else with similar problems, please start your own topic.