Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help me to remove malware please - BHO object

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help me to remove malware please - BHO object

Unread postby cam910 » March 14th, 2007, 10:43 pm

Hi,
My Virus software - F-Secure, constantly finds a trojan in my system which it cannot delete, and I cannot delete manually even using unlocker, killbox etc it lists its name as "Trojan.Win32.Delf.zj"

The file at fault is WINDOWS\SYSTEM32\nfianfi.dll....and nfianfi.dll.bak
I believe it is a BHO object and it comes up in Hijack this. But it cannot delete it either....help!

heres my log file:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:09:19 PM, on 14/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\DOCUME~1\CAMERON\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis_v2.zip\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D725EF0-1236-4202-97D0-E03F9ECCCE47} - C:\WINDOWS\system32\nfianfi.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [USBPhoneforSkype] C:\Program Files\USBPhoneforSkype\General\USBPhoneforSkype.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-914436913-3278402245-2684344494-1037\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'other')
O4 - HKUS\S-1-5-21-914436913-3278402245-2684344494-1037\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'other')
O4 - HKUS\S-1-5-21-914436913-3278402245-2684344494-1037\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'other')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nfiisiel - C:\WINDOWS\SYSTEM32\nfianfi.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - Unknown owner - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 13282 bytes


Thanks
[/code]
cam910
Active Member
 
Posts: 5
Joined: March 14th, 2007, 10:31 pm
Advertisement
Register to Remove

Unread postby Angelfire777 » March 15th, 2007, 12:53 am

Hi, Welcome to Malware Removal.

Please hold on while I research a fix for you :)
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby Angelfire777 » March 15th, 2007, 2:40 am

Hi,

Your version of HijackThis is still on a beta version and the data may be inaccurate... Please download and run HijackThis 1.99.1 by following the instructions below:

Click HERE to download a self-extracting version of Hijackthis. Double click on the file, by default it will extract itself to C:\Hijackthis

Next, double click on Hijackthis.exe. Click "Scan System and Save a Logfile." A Notepad will appear in your screen, copy and paste the contents of the notepad to your next reply.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

latest logfile

Unread postby cam910 » March 15th, 2007, 10:22 am

Hi, ok I followed the link to the other version and heres is the new logfile
-thanks for responding.


Logfile of HijackThis v1.99.1
Scan saved at 7:20:48 AM, on 15/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D725EF0-1236-4202-97D0-E03F9ECCCE47} - C:\WINDOWS\system32\nfianfi.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [USBPhoneforSkype] C:\Program Files\USBPhoneforSkype\General\USBPhoneforSkype.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nfiisiel - C:\WINDOWS\SYSTEM32\nfianfi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
cam910
Active Member
 
Posts: 5
Joined: March 14th, 2007, 10:31 pm

Unread postby Angelfire777 » March 16th, 2007, 8:36 pm

Hi, sorry for the delay...

*Are you using Norton Antivirus along with F-Secure in your system?

*Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\nfianfi.bak

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, name the topic "Requested by Angelfire777 for Marckie" post a link to this thread and upload the requested files.cab archive from your desktop.

Post back when you're done with that :)
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Spy Killers uploaded

Unread postby cam910 » March 17th, 2007, 1:43 pm

Hi,

I downloaded the file...and uploaded the packed file to the spykillers forum.

I think I kinda kooked the title though....sorry!
the subject line is the link to this thread, and the "started by" column is labeled "Angelfire777 for Marckie".........I hope this is ok, if not I'll try again.

To answer your question...I used to have Norton running, and its license expired. I uninstalled and now have F-secure.
So norton should be gone.

thanks again
cam910
Active Member
 
Posts: 5
Joined: March 14th, 2007, 10:31 pm

Unread postby Angelfire777 » March 18th, 2007, 12:54 am

Hi,

There are still traces of Norton in your log..

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV:
How to uninstall Norton AntiVirus 2004/2005/2006

*Please download VundoFix.exe to your Desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

latest results - Vundo couldnt remove the BHO

Unread postby cam910 » March 19th, 2007, 10:04 pm

Hi ,

First I tried to remove the remnants of norton...it crashes towards the end of the process every time....not sure why.

i ran Vundo....it found 2 files and deleted them, but not "nfianfi.dll"

here are the Vundo logs and Hijack this respectively -

VundoFix V6.3.17

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 6:23:42 PM 19/03/2007

Listing files found while scanning....

C:\WINDOWS\system32\cbxvt.dll
C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\tvxbc.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxvt.dll
C:\WINDOWS\system32\cbxvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\nfianfi.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\tvxbc.bak1
C:\WINDOWS\system32\tvxbc.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\nfianfi.dll Could not be deleted.

Performing Repairs to the registry.
Done!
--------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:00:20 PM, on 19/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8D725EF0-1236-4202-97D0-E03F9ECCCE47} - C:\WINDOWS\system32\nfianfi.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [USBPhoneforSkype] C:\Program Files\USBPhoneforSkype\General\USBPhoneforSkype.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/r ... nPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nfiisiel - C:\WINDOWS\SYSTEM32\nfianfi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
cam910
Active Member
 
Posts: 5
Joined: March 14th, 2007, 10:31 pm

Unread postby Angelfire777 » March 20th, 2007, 1:44 pm

Hi,

First I tried to remove the remnants of norton...it crashes towards the end of the process every time....not sure why.


That's ok. The leftovers were removed.


Download combofix.exe

1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

combofix executed...

Unread postby cam910 » March 20th, 2007, 10:32 pm

heres the combofix log...thanks again!



"CAMERON" - 07-03-20 18:07:45 Service Pack 2
ComboFix 07-03-20.2 - Running from: "C:\Documents and Settings\CAMERON\Desktop"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\nfianfi.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\1.txt
C:\WINDOWS\system32\2.txt
C:\DOCUME~1\CAMERON\APPLIC~1\Microsoft\2236.dat
C:\Documents and Settings\All Users.\documents\settings\artm_new.dll~
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\dns\affid.dat
C:\Program Files\dns\uid.dat
C:\Program Files\Common Files\system32.dll
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\Common Files\inetget2
C:\Program Files\Common Files\inetget2
C:\Program Files\dns
C:\Program Files\winupdate
C:\WINDOWS\system32\drivers\edfwfowf.sys
C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\nfianfi.dll.bak
C:\WINDOWS\system32\ksl48.bin
C:\WINDOWS\system32\nfianfi.dll
C:\WINDOWS\system32\nfianfi.dll.bak


((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))


2007-03-20 18:03 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-03-19 18:30 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-03-19 18:23 <DIR> d-------- C:\VundoFix Backups
2007-03-16 07:30 1,177 --a------ C:\WINDOWS\mozver.dat
2007-03-15 07:20 <DIR> d-------- C:\hijackthis
2007-03-14 18:48 116,224 --a------ C:\WINDOWS\system32\mtehtbqs.dll
2007-03-14 18:29 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\F-Secure
2007-03-14 18:26 1,048,576 --ah----- C:\DOCUME~1\other\NTUSER.DAT
2007-03-14 18:26 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\toshiba
2007-03-14 18:26 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\Symantec
2007-03-14 18:26 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\Sun
2007-03-14 18:26 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\InterTrust
2007-03-14 18:26 <DIR> d-------- C:\DOCUME~1\other\APPLIC~1\Adobe
2007-03-13 18:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-10 13:25 43,008 --a------ C:\WINDOWS\system32\zljralry.dll
2007-03-06 21:25 <DIR> d-------- C:\!KillBox
2007-02-27 22:48 <DIR> d-------- C:\DOCUME~1\CAMERON\APPLIC~1\F-Secure
2007-02-27 22:40 <DIR> d-------- C:\DOCUME~1\CAMERON\APPLIC~1\ispnews
2007-02-27 22:37 70,896 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-02-27 22:37 33,584 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-02-27 22:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-02-27 22:27 118,842 -r------- C:\WINDOWS\bwUnin-6.3.2.123-3875767L.exe
2007-02-27 22:27 <DIR> d-------- C:\Program Files\Shaw Secure
2007-02-26 20:36 16,384 --a------ C:\WINDOWS\system32\ktbkmuqd.exe
2007-02-26 20:35 1,046 --a------ C:\WINDOWS\system32\rnanoaaa.exe
2007-02-25 15:19 87,608 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\ezpinst.exe
2007-02-25 15:19 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-02-25 15:19 47,360 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\pcouffin.sys
2007-02-25 15:19 <DIR> d-------- C:\DOCUME~1\CAMERON\APPLIC~1\Vso


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-20 09:56 43008 --a------ C:\WINDOWS\system32\zljralry.dll
2007-03-20 09:56 116224 --a------ C:\WINDOWS\system32\mtehtbqs.dll
2007-03-19 18:30 24576 --a------ C:\WINDOWS\system32\vundofixsvc.exe
2007-03-19 18:13 25837 --a--c--- C:\WINDOWS\system32\drivers\regguard.sys
2007-03-16 07:30 1177 --a------ C:\WINDOWS\mozver.dat
2007-03-16 07:27 -------- d-------- C:\DOCUME~1\CAMERON\APPLIC~1\skype
2007-03-13 18:42 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-01 21:21 -------- d-------- C:\Program Files\poweriso
2007-03-01 21:19 87608 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\ezpinst.exe
2007-03-01 21:19 47360 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\pcouffin.sys
2007-03-01 21:19 33 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\pcouffin.log
2007-03-01 21:19 1144 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\pcouffin.inf
2007-03-01 21:19 1074 --a------ C:\DOCUME~1\CAMERON\APPLIC~1\pcouffin.cat
2007-03-01 21:19 -------- d--h----- C:\Program Files\installshield installation information
2007-03-01 21:19 -------- d-------- C:\DOCUME~1\CAMERON\APPLIC~1\vso
2007-03-01 21:18 -------- d-------- C:\Program Files\limewire
2007-03-01 21:00 -------- d-------- C:\Program Files\norton antivirus
2007-03-01 20:41 -------- d-------- C:\Program Files\messenger
2007-02-28 08:22 -------- d-------- C:\DOCUME~1\CAMERON\APPLIC~1\f-secure
2007-02-27 22:40 -------- d-------- C:\DOCUME~1\CAMERON\APPLIC~1\ispnews
2007-02-27 22:36 -------- d-------- C:\Program Files\shaw secure
2007-02-27 22:35 -------- d-------- C:\DOCUME~1\CAMERON\APPLIC~1\lavasoft
2007-02-27 22:27 118842 -r------- C:\WINDOWS\bwunin-6.3.2.123-3875767l.exe
2007-02-27 22:20 -------- d-------- C:\Program Files\shaw
2007-02-26 20:36 16384 --a------ C:\WINDOWS\system32\ktbkmuqd.exe
2007-02-26 20:35 1046 --a------ C:\WINDOWS\system32\rnanoaaa.exe
2007-02-25 15:19 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-02-15 22:45 -------- d-------- C:\Program Files\maxon
2007-01-27 14:48 646392 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-12-22 20:46 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2006-12-21 20:28 12800 --a------ C:\ieupdate.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Sonic RecordNow!"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"Tvs"="C:\\Program Files\\Toshiba\\Tvs\\TvsTray.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"THotkey"="C:\\Program Files\\Toshiba\\Toshiba Applet\\thotkey.exe"
"TPSMain"="TPSMain.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UnlockerAssistant"="C:\\Program Files\\Unlocker\\UnlockerAssistant.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"USBPhoneforSkype"="C:\\Program Files\\USBPhoneforSkype\\General\\USBPhoneforSkype.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"F-Secure Manager"="\"C:\\Program Files\\Shaw Secure\\Common\\FSM32.EXE\" /splash"
"F-Secure TNB"="\"C:\\Program Files\\Shaw Secure\\TNB\\TNBUtil.exe\" /CHECKALL /WAITFORSW"
"F-Secure Startup Wizard"="\"C:\\Program Files\\Shaw Secure\\FSGUI\\FSSW.EXE\" /reboot"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\SYSTEM32\\NFIANFI.DLL"
"Source"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-20 18:25:01
cam910
Active Member
 
Posts: 5
Joined: March 14th, 2007, 10:31 pm

Unread postby Angelfire777 » March 21st, 2007, 10:39 am

Hi,


*A few optionals that I would recommend be uninstalled.

LimeWire
This program is very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

*Reboot
_____________

*Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Do not use it yet.


*Download ATF Cleaner by Atribune

Do not use it yet.
_____________

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Configure your machine to view hidden files:

Windows XP
  • Click Start.
  • Open My Computer..
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.

*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\ktbkmuqd.exe
C:\WINDOWS\system32\rnanoaaa.exe


Do you recognize the following file? If not, locate the file and right click on it, select properties, and look for the vendor name, or anything that would indicate the program with which it may be associated. If you still do not recognize it, nor does it appear to be associated with a known valid program, delete it...

C:\WINDOWS\system32\mtehtbqs.dll
C:\WINDOWS\system32\zljralry.dll


*Delete the following folder if you uninstalled limewire:

C:\Program Files\limewire

Empty your recycle bin.


*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.

Code: Select all
REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2] 




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer Yes.

_____________________

*Important: Make sure all your browsers are [b]closed[/b] before running ATF Cleaner..

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click
  • No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    Image
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer to normal mode!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply


*I would like you to scan a few files for me.

Please go HERE. Click browse then, navigate to this file:

C:\ieupdate.exe

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.

On your next reply, please posta fresh HijackThis log, CureiT log, results of the jotti scan and a description on how your machine is running.
User avatar
Angelfire777
Retired Graduate
 
Posts: 2554
Joined: April 27th, 2006, 9:58 am

Unread postby NonSuch » April 4th, 2007, 2:20 am

Due to inactivity, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 18 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware