| Thread ID: 68262 | 2006-04-23 00:06:00 | registry edit on startup | Dead_Man (10267) | Press F1 |
| Post ID | Timestamp | Content | User |
| 448610 | 2006-04-23 00:06:00 | I got some freaky ass virus (well, not sure if it's a virus per se). It starts to edit the registry to not recognize main file types such as .exe and .bin. Luckily I have Ad-Watch which stops it before it does anything, but even clicking block it still edits the registry, and I can't simply just minimize Ad-Watch when the error comes up. So I have to ctrl-alt-delete, right click Ad-Watch, and select minimize, and I seriously don't want to do that every startup. I need to find what's causing it to run and stop it. I've run Ad-Aware and Spyware Doctor and they can't seem to trace it. [screenshot: img165.imageshack.us] and about 20 more of those for each registry change it makes. Respectfully, Dead_Man | Dead_Man (10267) |
| 448611 | 2006-04-23 03:27:00 | Please download HijackThis (www.cyberanswers.org). It will create a directory folder for you in C:\Program Files. Run a scan and save the log file. Post the whole log file here. Do not fix anything since most of them listed there are harmless (some are system required). This program will help determine what, if any, spyware/malware is on your computer. | Pancake (6359) |
| 448612 | 2006-04-23 05:13:00 | Logfile of HijackThis v1.99.1
Scan saved at 9:11:19 PM, on 4/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TANNER\Desktop\Vspambotv2.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00001022-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter22 Class) - download.netmarble.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {20050325-D35A-4233-926E-2E801AE25949} (NMJPStarter15 Class) - www.netmarble.jp
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - h20270.www2.hp.com
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - www.e-games.com.my
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {6FC19219-C47E-4880-9A79-D218A1C374F9} (NMJTransX Control) - file.netmarble.jp
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - www.survival.com.my
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe | Dead_Man (10267) |
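A small triage script for logs in this layout, added here as an example; it is not part of the thread and not HijackThis's own code. It reads the running-process list and the item lines (O4, O18, O23 and so on), pulls out every Windows path, and flags anything that lives outside the usual system and program directories, which is the check a reviewer does by eye when an executable on the Desktop stands out among system paths; it also flags handlers marked `(file missing)` and services whose binary reports no publisher. The sample log, the `TRUSTED_ROOTS` allowlist and the `Finding` type are constructed for this example, and the allowlist is a triage heuristic only: software under Program Files can still be unwanted, so a clean result is where closer inspection starts, not where it ends.

```python
import re
from dataclasses import dataclass

# Directories where Windows XP-era system files and installed software normally live.
# Constructed allowlist for this example; a real triage list would be tuned per machine.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",   # 8.3 short name for Program Files, as it appears in such logs
)

# A Windows path ending in a loadable or launchable extension. The lazy quantifier
# stops at the first such extension so trailing arguments (",NvStartup", " /Q") drop off.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]*?\.(?:exe|dll|ocx|cpl|lnk)\b', re.IGNORECASE)

# HijackThis item codes look like "O4 - ", "R1 - ", "F2 - ", "N3 - ".
ITEM_RE = re.compile(r"([RFNO]\d+) - ")


@dataclass(frozen=True)
class Finding:
    kind: str     # "untrusted-location", "file-missing" or "unknown-owner"
    section: str  # "process" for the running-process list, else the item code (e.g. "O4")
    detail: str   # the path or the full log line that triggered the finding


def is_trusted(path: str) -> bool:
    """True if the path starts with one of the allowlisted roots (case-insensitive)."""
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def parse_sections(log_text: str):
    """Yield (section, line) pairs for the process list and every item line."""
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        item = ITEM_RE.match(line)
        if item:
            in_processes = False
            yield item.group(1), line
        elif in_processes:
            yield "process", line


def triage(log_text: str) -> list:
    """Return the findings a reviewer would want to look at first, in log order."""
    findings = []
    for section, line in parse_sections(log_text):
        for path in PATH_RE.findall(line):
            if not is_trusted(path):
                findings.append(Finding("untrusted-location", section, path))
        if "(file missing)" in line:
            # Dangling handler registration: a leftover from an uninstall, or a removed component
            findings.append(Finding("file-missing", section, line))
        if section == "O23" and "Unknown owner" in line:
            # Service binary carries no publisher name in its version info
            findings.append(Finding("unknown-owner", section, line))
    return findings


# Constructed sample in the layout of a HijackThis 1.99 log; names, paths and GUID are invented.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Documents and Settings\USER\Desktop\unknown_tool.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Updater] "C:\Documents and Settings\USER\Local Settings\Temp\upd.exe" /silent
O18 - Protocol: livecall - {00000000-0000-0000-0000-000000000000} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.section}: {f.detail}")
```

Run against the sample it reports the Desktop process, the Temp-folder Run entry, the dangling livecall handler and the service with no publisher, in that order. Feeding it a saved HijackThis log instead of `SAMPLE_LOG` gives the same short list for a real machine, which is usually a better starting point than reading sixty lines by eye.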
| 448613 | 2006-04-23 05:26:00 | What's this file? C:\Documents and Settings\TANNER\Desktop\Vspambotv2.exe What have you installed recently? That pic is a program wanting to add something when you right mouse, when you're in My Computer. Something like WinZip, or a program for extracting rar / zip files etc? | Speedy Gonzales (78) |
| 448614 | 2006-04-23 05:32:00 | Here is your HJT log file analysis (www.hijackthis.de), valid for three days as of today. | beama (111) |
| 448615 | 2006-04-23 05:39:00 | I agree that Vspambotv2.exe doesn't look too good. Run a full scan here with Ewido (www.cyberanswers.org) and see what it pulls out. | Pancake (6359) |
| 448616 | 2006-04-23 07:04:00 | I'm a scripter and happen to know Visual Basic; that program is just a simple little toy I made to repeat keys, nothing bad. I use it mainly for WoW when I'm looking for a group. | Dead_Man (10267) |
| 448617 | 2006-04-25 00:03:00 | Just bringing the thread back to life. | Dead_Man (10267) |
| 448618 | 2006-04-25 00:15:00 | It could be anything. I would either run msconfig, see what's under Startup, and take a snapshot and upload it here (www.imagef1.net.nz). Post the link it gives you here. Or get CCleaner (http://www.ccleaner.com) and install it / run it. Then go to Tools/Startup, and take a snapshot and do the same thing. So we can see what's running on startup. | Speedy Gonzales (78) |
| 448619 | 2006-04-25 03:09:00 | Better idea...

---------------------------------------------------------
Startup report
---------------------------------------------------------
C:\WINDOWS\system32\NvCpl.dll
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
C:\Program Files\Spyware Doctor\swdoctor.exe"
C:\Documents and Settings\TANNER\Start Menu\Programs\Startup\Adobe Gamma.lnk
---------------------------------------------------------
Process report
---------------------------------------------------------
0: System Process
4: System Process
208: C:\Program Files\ewido anti-malware\ewidoctrl.exe
216: C:\Program Files\ewido anti-malware\ewidoguard.exe
300: C:\WINDOWS\system32\nvsvc32.exe
460: C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
580: C:\Program Files\Internet Explorer\iexplore.exe
588: C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
724: \SystemRoot\System32\smss.exe
780: \??\C:\WINDOWS\system32\csrss.exe
804: \??\C:\WINDOWS\system32\winlogon.exe
848: C:\WINDOWS\system32\services.exe
860: C:\WINDOWS\system32\lsass.exe
1028: C:\WINDOWS\system32\svchost.exe
1080: C:\WINDOWS\system32\wdfmgr.exe
1096: C:\WINDOWS\system32\svchost.exe
1240: C:\WINDOWS\System32\svchost.exe
1264: C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
1308: C:\WINDOWS\system32\svchost.exe
1460: C:\WINDOWS\System32\alg.exe
1512: C:\WINDOWS\system32\svchost.exe
1712: C:\WINDOWS\system32\wisptis.exe
1808: C:\Program Files\MSN Messenger\msnmsgr.exe
1848: C:\Program Files\Spyware Doctor\swdoctor.exe
1908: C:\WINDOWS\Explorer.EXE
2008: C:\WINDOWS\system32\spoolsv.exe
2952: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
3016: C:\Program Files\ewido anti-malware\securitysuite.exe
3056: C:\WINDOWS\System32\svchost.exe
3272: C:\Program Files\CCleaner\ccleaner.exe
3784: C:\WINDOWS\system32\svchost.exe
3856: C:\WINDOWS\system32\mspaint.exe

And is it just me or are you guys just copying / pasting pre-written steps? | Dead_Man (10267) |