
Thread: cmdservice removal

  1. #11
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Run Hijackthis click config > misc tools > delete a file on reboot
    paste this file and path into the file name box
    C:\WINDOWS\system32\kmqkf.dll
    answer no to the prompt to reboot, paste in that other file even if it seems not to exist, and answer yes to the prompt to reboot the PC
    C:\WINDOWS\system32\ssldr32.dll

  2. #12
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    Hi, I did what you told me to do, but Spybot still shows Command Service.

    SpybotSD log:

    Command Service: Systeem Service (Register sleutel, fixed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

    Command Service: Instellingen (Register sleutel, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

    Command Service: Instellingen (Register sleutel, fixing failed)
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-12-26 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-12-23 Includes\Cookies.sbi (*)
    2005-12-23 Includes\Dialer.sbi (*)
    2005-12-23 Includes\Hijackers.sbi (*)
    2005-12-23 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2005-12-23 Includes\Malware.sbi (*)
    2005-12-23 Includes\PUPS.sbi (*)
    2005-12-23 Includes\Revision.sbi (*)
    2005-12-23 Includes\Security.sbi (*)
    2005-12-23 Includes\Spybots.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2005-12-23 Includes\Trojans.sbi (*)


    Here's a new/fresh HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 16:30:49, on 28-12-2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Xfire\Xfire.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
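As an added example (not code from this thread or from HijackThis itself), a small parser for the HijackThis 1.99 log format posted above: it turns each Rx/Ox line into a record and marks the entries a helper would check first. The sample lines are copied from the log above; the flag names and heuristics are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A HijackThis entry is "<section> - <text>"; fields inside are joined by " - ".
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<rest>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Entry:
    section: str              # "R0", "O4", "O23", ...
    text: str                 # everything after "Oxx - "
    clsid: Optional[str]      # first {GUID} in the line, if any
    path: Optional[str]       # last field when it is a file path or URL
    flags: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # header lines, process list, blanks
    sec, rest = m.group("sec"), m.group("rest")
    last = rest.split(" - ")[-1].strip()
    path = last if (":\\" in last or last.startswith("http")) else None
    clsid = CLSID_RE.search(rest)
    entry = Entry(sec, rest, clsid.group(0) if clsid else None, path)
    low = rest.lower()
    # Triage leads only: the "(no name)" BHO in the log above is Spybot's own
    # SDHelper, so every flag still has to be checked against what is known
    # to be installed on the machine.
    if "(file missing)" in low:
        entry.flags.append("file-missing")      # registered object, no file on disk
    if "unknown owner" in low:
        entry.flags.append("unknown-owner")     # O23 service without a vendor string
    if "(no name)" in low:
        entry.flags.append("no-name")           # BHO/object without a description
    if sec == "O16":
        entry.flags.append("activex-download")  # DPF: code pulled from a URL
    return entry

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]

# Sample lines copied from the log posted above (plus one non-entry line).
SAMPLE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE)):
        print(e.section, e.flags, e.path or e.clsid)
```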

  3. #13
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Hi
    Copy the contents of the quote box below into a new Notepad document (not WordPad).
    Click File > Save as... > call it check.bat > file types *all files* > and save it to the desktop.
    (Echo %DATE% %TIME%
    sc config "cmdService" start= disabled
    sc delete "cmdService"
    sc query "cmdService"
    )>logit.txt 2>&1
    start notepad logit.txt
    Run check.bat and post back with the text that will open.

    Also: download and run BlackLight
    F-Secure BlackLight: http://www.f-secure.com/blacklight/try.shtml
    Click > Scan, then > Next, Next again, then Exit.
    There will be a new txt file next to BlackLight. Post it please.
    !!Do not rename any files yet
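A Python version of the check.bat sequence from this post, added here as an example (not the helper's script or any tool's code): it runs the same sc commands, adds an sc stop, and parses sc's output so the resulting log is unambiguous. It assumes Windows' sc.exe; the sample outputs below are constructed in sc's usual format, not captured from the poster's machine.

```python
import re
import subprocess
import sys

STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+(\w+)", re.M)   # "STATE : 4  RUNNING"
ERR_RE = re.compile(r"FAILED (\d+)")                              # "[SC] ... FAILED 1060:"

def parse_sc(output: str) -> dict:
    """Reduce sc.exe output to {'ok', 'state', 'error'}.
    'sc query' prints a STATE line; config/stop/delete print
    '[SC] <op> SUCCESS' or '[SC] <op> FAILED <win32 code>:'."""
    m = STATE_RE.search(output)
    if m:
        return {"ok": True, "state": m.group(2), "error": None}
    e = ERR_RE.search(output)
    if e:
        return {"ok": False, "state": None, "error": int(e.group(1))}
    return {"ok": "SUCCESS" in output, "state": None, "error": None}

def sc(*args: str) -> str:
    p = subprocess.run(["sc", *args], capture_output=True, text=True)
    return p.stdout + p.stderr

def remove_service(name: str) -> dict:
    """Same steps as check.bat, plus 'sc stop'; every step's parsed result is kept."""
    steps = {"before": parse_sc(sc("query", name))}
    if steps["before"]["error"] == 1060:            # not installed: nothing to do
        return steps
    steps["config"] = parse_sc(sc("config", name, "start=", "disabled"))  # space after '=' is sc syntax
    steps["stop"] = parse_sc(sc("stop", name))      # check.bat skips this step
    steps["delete"] = parse_sc(sc("delete", name))
    # If 'after' still reports a state, the service was only marked for deletion
    # (it goes at reboot); if it later returns as installed, something re-creates it.
    steps["after"] = parse_sc(sc("query", name))
    return steps

# Constructed samples in the format sc.exe prints on Windows XP/2003.
SAMPLE_RUNNING = """
SERVICE_NAME: cmdService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_GONE = "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\nThe specified service does not exist as an installed service.\n"
SAMPLE_SUCCESS = "[SC] ChangeServiceConfig SUCCESS\n"
SAMPLE_MARKED = "[SC] DeleteService FAILED 1072:\n\nThe specified service has been marked for deletion.\n"

if __name__ == "__main__" and sys.platform == "win32":
    print(remove_service(sys.argv[1] if len(sys.argv) > 1 else "cmdService"))
```

sc acts on CurrentControlSet only; the ControlSet001/002 keys in the Spybot log are the live set under its numbered name and the LastKnownGood copy, which Windows refreshes from the live set after the next successful boot.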

  4. #14
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    I've got a strange background, installed automatically.

    When I right-click it and click 'source' it shows this:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <!----
    ***** This file is automatically generated by Microsoft Windows *****
    --------><HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY bgColor=#000000>
    <DIV
    style="BACKGROUND: url(file:///C:/Documents%20and%20Settings/Michiel/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"></DIV><IFRAME
    id=0
    style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 767px"
    name=DeskMovrW marginWidth=0 marginHeight=0
    src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
    subscribed_url="C:\WINDOWS\Web\desktop.html"
    resizeable="粶� ၩ"> </IFRAME>&nbsp; </BODY></HTML>

    When I delete the desktop.html it's still there.
    Also I'm unable to clock software in the 'tools-menu' (in Windows)

  5. #15
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    OK, we can deal with that; first follow the suggestions in my last post.

    "Also I'm unable to clock software in the 'tools-menu' (in Windows)"
    Not sure what you mean; explain further please.

  6. #16
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    Right.

    "Also I'm unable to clock software in the 'tools-menu' (in Windows)" means:

    Also, I am unable to click on the 'software' icon in the 'tools-menu' (I am not sure it is called 'tools-menu' in English; it's where you can access stuff like 'software', 'hardware', 'graphics', 'printers', etc.).

    When I click on 'software' I get the error: 'Value creation failed' at line 521.

    Results of F-Secure BlackLight:
    12/29/05 20:09:35 [Info]: BlackLight Engine 1.0.30 initialized
    12/29/05 20:09:35 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/29/05 20:09:35 [Note]: 7019 4
    12/29/05 20:09:35 [Note]: 7005 0
    12/29/05 20:09:39 [Note]: 7006 0
    12/29/05 20:09:39 [Note]: 7011 1632
    12/29/05 20:09:39 [Note]: FSRAW library version 1.7.1014
    12/29/05 20:11:23 [Note]: 7007 0

  7. #17
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Hi
    Where is the logit.txt?

    Do you mean in the Windows Control Panel and the Administrative Tools?

    Follow the advice in this post to download SmitRem and Ewido, then run them both while in Safe Mode, please.
    http://forums.spybot.info/showthread.php?t=1316

    Post their logs here as described.

  8. #18
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    I only got a log located in the same directory as the blbeta.exe.
    The content of this log was the text I posted earlier.
    Also: blbeta.exe didn't find any viruses or results.

    Next step is to install all the software from the other forum page and follow the steps?

  9. #19
    Security Expert-Emeritus
    Join Date: Oct 2005
    Posts: 5,025

    Hi
    Check this post again about check.bat:
    http://forums.spybot.info/showpost.p...0&postcount=13

    Then yes, continue with the instructions in that other post, please.
    Good luck.

  10. #20
    Junior Member
    Join Date: Dec 2005
    Posts: 0

    Results of ewido:
    ---------------------------------------------------------
    ewido anti-malware - Scan rapport
    ---------------------------------------------------------

    + Gemaakt op: 22:55:08, 29-12-2005
    + Rapport samenvatting: 6271C80C

    + Scan resultaten:

    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Schoongemaakt met een backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
    HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
    HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Schoongemaakt met een backup
    HKU\S-1-5-21-484763869-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Schoongemaakt met een backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5321E378-FFAD-4999-8C62-03CA8155F0B3} -> Spyware.CoolWebSearch : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@2o7[1].txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@adtech[2].txt -> Spyware.Cookie.Adtech : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@burstnet[2].txt -> Spyware.Cookie.Burstnet : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@centrport[1].txt -> Spyware.Cookie.Centrport : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@com[2].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@estat[1].txt -> Spyware.Cookie.Estat : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@overture[1].txt -> Spyware.Cookie.Overture : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@paypopup[1].txt -> Spyware.Cookie.Paypopup : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@revenue[1].txt -> Spyware.Cookie.Revenue : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@stat.onestat[1].txt -> Spyware.Cookie.Onestat : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@statcounter[2].txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Cookies\michiel@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Local Settings\Temp\B.tmp -> Downloader.CWS.r : Schoongemaakt met een backup
    C:\Documents and Settings\Michiel\Local Settings\Temporary Internet Files\Content.IE5\O1EBS1U7\mm[2].js -> Spyware.Chitika : Schoongemaakt met een backup
    C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Schoongemaakt met een backup
    C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Schoongemaakt met een backup


    ::Einde rapport

    'Schoongemaakt met een backup' means 'cleaned with a backup'.

    Results of SmitRem:
    SmitRem did not make a log or anything, I think.
