WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93085 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Unknown stuff appearing on the log.

Started by TSW , May 25 2005 05:32 PM

This topic is locked

10 replies to this topic

#1 TSW

New Member

New Member
6 posts

Posted 25 May 2005 - 05:32 PM

Hi, I'm new. The reason I'm posting my log is because "stuff" I don't know appeared on the list. I'm almost sure they weren't there last time I checked (around a month ago) and I haven't made big system changes since then, so I'm kind of worried.

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 20:23:38, on 25/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tspuf] C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Nulware] C:\WINDOWS\System32\nulware.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [MSN Service] msnmgr32.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114219818251
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2D76DA-80FE-42BE-9CC2-68B61F08A8A6}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Advertisements

Register to Remove

#2 TSW

New Member

New Member
6 posts

Posted 30 May 2005 - 05:57 AM

Even if there is no problem with the log, please tell me. I'll post another one:

Logfile of HijackThis v1.99.1
Scan saved at 08:51:36, on 30/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\ABC\abc.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tspuf] C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Nulware] C:\WINDOWS\System32\nulware.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MSN Service] msnmgr32.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114219818251
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2D76DA-80FE-42BE-9CC2-68B61F08A8A6}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#3 alsocom

Retired Staff-Malware Expert

Authentic Member
2,498 posts

Posted 30 May 2005 - 04:53 PM

Hello TSW and welcome to TomCoyote. :wavey:

In order to help you on this log, I need you to provide as much information as possible on a few files. .
Note : These may not be bad files but I can not find enough information about them to determine if they are good/bad.

Please set your computer to show all files to make sure all files are visible.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Right click on the file and choose 'properties', than on the 'version' tab note what the "Company" and "Version" are.

C:\Arquivos de programas\ABC\abc.exe
C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
C:\WINDOWS\System32\nulware.exe

You'll need to search for these files with Explorer to delete. They may be in C:\WINDOWS\system32\ or C:\WINDOWS\
(Start > Search > All files and folders > More advanced options place a check in the first three boxes)

msnmgr32.exe

If you still are unsure what these files are, please submit them to the following links for a scan.
http://www.kaspersky.com/scanforvirus
http://virusscan.jotti.org/

Post the results for each file in a reply to this thread.

#4 TSW

New Member

New Member
6 posts

Posted 30 May 2005 - 08:01 PM

Hi, and thanks for the answer. About the files: abc.exe is a bittorrent client and satuf.exe is related to my connection. Sorry, I should've mentioned it earlier. nulware.exe doesn't have those tabs, it seems to be a DOS program (it has the tabs DOS programs have, such as Program, Font, Memory, etc). There is no information about the program itself under any of the tabs. Also, it has 0kb and is a hidden file, if that matters. I tried to scan using both the links you gave me, but it didn't work: on the first the screen goes blank after I've clicked "submit", and on the second the following message was returned: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file" The file indeed has 0 bytes (that's what Windows Explorer says, at least), so I think it's not because of the firewall. I don't know if it's important, but around a month ago my PC was full of viruses and spyware, and I used AVG, Ad-Aware, Spybot and MS AntiSpyware to do the cleaning. EDIT: I couldn't find msnmgr32.exe, neither searching nor browsing through explorer.

Edited by TSW, 30 May 2005 - 08:02 PM.

#5 alsocom

Retired Staff-Malware Expert

Authentic Member
2,498 posts

Posted 30 May 2005 - 08:20 PM

Step 1
Open HijackThis, run a scan, then check the following:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [Nulware] C:\WINDOWS\System32\nulware.exe
O4 - HKLM\..\RunServices: [MSN Service] msnmgr32.exe

Optional items to check with HijackThis for improved performance.
Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required either way.
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE

With all other programs and browsers closed, click fix checked.

Step 2
Please set your computer to show all files.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

You will need to reverse this process when all steps are done.

Step 3
Please delete the following file:

C:\WINDOWS\System32\nulware.exe

Step 4
Click here to download mwavscan.

Double-click it to run it.
Read then accept the agreement.
Check Drive, and select all local drives, scan all files, then press 'scan'. (This may take a while and will not fix anything)
Once it finds something, it will prompt you so click OK.
When it is completed, anything found will be displayed in the lower pane.
Highlight it, copy it (CTRL+C), and paste (CTRL+V) it in your next reply.

Step 5
Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
Please let us know of any complications you had and how the computer is behaving.

#6 TSW

New Member

New Member
6 posts

Posted 31 May 2005 - 04:06 PM

Sorry for taking so long to reply, it was unavoidable.

Step 1 - Done.
Step 2 - Done.
Step 3 - I couldn't delete nulware.exe, windows said it was being used by another program.
Step 4 - Done, here's the list:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Arquivos de programas\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Arquivos de programas\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

File C:\WINDOWS\4.html infected by "Trojan-Clicker.JS.Linker.j" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\ss.exe infected by "Trojan.Win32.LowZones.d" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.

File C:\Arquivos de programas\WinAce\Fire Emblem The Sacred Stones GBA ROM.exe infected by "P2P-Worm.Win32.VB.da" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\4.html infected by "Trojan-Clicker.JS.Linker.j" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\ss.exe infected by "Trojan.Win32.LowZones.d" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\0TQ7CT6B\dl[1].com infected by "Trojan.Win32.LowZones.d" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.

Step 5 - Done, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 19:03:57, on 31/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\ABC\abc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tspuf] C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114219818251
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2D76DA-80FE-42BE-9CC2-68B61F08A8A6}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 alsocom

Retired Staff-Malware Expert

Authentic Member
2,498 posts

Posted 31 May 2005 - 09:18 PM

The new HijackThis log appears clean.

Now we just need to remove the remaining bad files.

Click on this link http://www.downloads...org/KillBox.zip to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.
Start Killbox, than copy and paste each of the following lines into the Full Path of File to Delete box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\4.html
C:\WINDOWS\ss.exe
C:\Arquivos de programas\WinAce\Fire Emblem The Sacred Stones GBA ROM.exe
C:\WINDOWS\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\0TQ7CT6B\dl[1].com
C:\WINDOWS\System32\nulware.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Post a fresh HijackThis log and mwavscan log.

#8 TSW

New Member

New Member
6 posts

Posted 01 June 2005 - 06:15 AM

Great, almost there!

mwavscan log:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Arquivos de programas\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Arquivos de programas\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.

File C:\WINDOWS\System32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.

File C:\!Submit\4.html infected by "Trojan-Clicker.JS.Linker.j" Virus! Action Taken: No Action Taken.

File C:\!Submit\dl[1].com infected by "Trojan.Win32.LowZones.d" Virus! Action Taken: No Action Taken.

File C:\!Submit\Fire Emblem The Sacred Stones GBA ROM.exe infected by "P2P-Worm.Win32.VB.da" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:12:34, on 1/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\kxmixer.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\System32\kxmixer.exe --startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tspuf] C:\Arquivos de programas\Telefonica\Speedy\SATUF.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114219818251
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE2D76DA-80FE-42BE-9CC2-68B61F08A8A6}: NameServer = 200.204.0.10 200.204.0.138
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#9 alsocom

Retired Staff-Malware Expert

Authentic Member
2,498 posts

Posted 01 June 2005 - 10:45 AM

You can delete this folder now as it was created by Killbox as a backup of the items that were fixed.

C:\!Submit

Both logs appear clean now. :thumbup:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.
4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

I suggest that you get these programs to help keep the computer clean:

Spyware Blaster - Blocks bad ActiveX items from installing on your computer. Spyware Blaster runs silently in the background.
SpywareGuard - Real-time protection from spyware installation attempts
ie-spyad - Puts over 8,000 bad URLs into your restricted sites for Internet Explorer.
Google Toolbar - Blocks many unwanted pop-ups in Internet Explorer.
Firefox - 'Safer' alternative to the Internet Explorer web browser.

Here are three very good and free malware scanners:

Spybot Search and Destroy 1.3
AdAware SE v1.06
Set-up Instructions for Spybot S&D and Adaware SE
a² Free Trojan Remover

If you have them already, check to make sure that they are the newest version.

Update these regularly.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep Windows and your Anti-virus updated.

#10 TSW

New Member

New Member
6 posts

Posted 01 June 2005 - 01:52 PM

Thank you very very much, alsocom! Thanks for you time, your help, your tips and, most of all, for the peace you gave me!

#11 alsocom

Retired Staff-Malware Expert

Authentic Member
2,498 posts

Posted 01 June 2005 - 08:45 PM

Your welcome. Glad the computer is working better for you now.

As this topic has been resolved, the thread will be closed.

If you need this topic reopened, please request this by sending an email to us at the following link: (Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.

Body Background

skin color theme