Help - Search - Members - Calendar
Full Version: TheMatrichasyou virus and other problems
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
D`artagnan
Jun 15 2006, 08:36 PM
For some reason and the only thing i can credit to my being infected is from someone using my computer to play some yahoo game because before that I didnt have any of these viruses. But now it appears that i have this "thematrixhasyou" virus as well as several others. and AD-Aware SE wont run properly, it starts and then an error pops up saying winlogin or winlogon has generated errors and needs to be restarted or something and my computer will reboot on me. I am currently running Ad-aware 1.06r1 and AVG, I am downloading The Cleaner, Spybot, and hijackthis now. If anyone could help please do. I hate these pesky things.
By the way my processes in the taskmanager have went from 37 to 50 as well as a rundll.exe file that i cant seem to get rid of.
Thankyou.
D`artagnan.
D`artagnan
Jun 15 2006, 09:14 PM
Here is the hijackthis log file

Logfile of HijackThis v1.99.1
Scan saved at 4:05:19 PM, on 6/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1

(6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\netbtd.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\0mcamcap.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Creative\SB Live!

24-bit\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 4300

Series\lxcemon.exe
C:\Program Files\Lexmark 4300

Series\ezprint.exe
E:\Program

Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\Rundll32.exe
C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\0mcamcap.exe
C:\WINNT\system32\dxvwhjub.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program

Files\Creative\MediaSource\Detector\CTDetect.

exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\0mcamcap.exe
D:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
C:\WINNT\system32\lxcecoms.exe
C:\Program Files\Internet

Explorer\IEXPLORE.EXE
C:\HIjackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe





"C:\Program Files\Common Files\Microsoft

Shared\Web Folders\ibm00011.exe"
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class -

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager]

mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program

Files\Creative\SB Live! 24-bit\Surround

Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg]

C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter]

RUNDLL32.EXE

C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer]

"C:\Program Files\Lexmark Fax

Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32

C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCE

time.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program

Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program

Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program

Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC]

E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

/STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program

Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program

Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [P17Helper] Rundll32

P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched]

C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [0mcamcap]

C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\Run: [DCOM Server]

C:\WINNT\system32\dxvwhjub.exe
O4 - HKLM\..\Run: [tcactive] D:\Program

Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program

Files\The Cleaner\tcm.exe
O4 - HKLM\..\RunServices: [0mcamcap]

C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program

Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector]

"C:\Program

Files\Creative\MediaSource\Detector\CTDetect.

exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program

Files\Skype\Phone\Skype.exe" /nosplash

/minimized
O4 - HKCU\..\Run: [0mcamcap]

C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer]

D:\Program Files\Spybot - Search &

Destroy\TeaTimer.exe
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console

- {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: Yahoo! Pool 2 -

http://download.games.yahoo.com/games/clients

/y/potg_x.cab
O16 - DPF:

{0A5FD7C5-A45C-49FC-ADB5-9952547D5715}

(Creative Software AutoUpdate) -

http://www.creative.com/su/ocx/15015/CTSUEng.

cab
O16 - DPF:

{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}

(FilePlanet Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2

.2.1.87.cab
O16 - DPF:

{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886}

(WebGameLoader Class) -

http://zone.msn.com/bingame/rtlw/default/Refl

exiveWebGameLoader.cab
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/

V5Controls/en/x86/client/wuweb_site.cab?11408

95756203
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v

6/V5Controls/en/x86/client/muweb_site.cab?114

0896664562
O16 - DPF:

{B8BE5E93-A60C-4D26-A2DC-220313175592}

(ZoneIntro Class) -

http://cdn2.zone.msn.com/binFramework/v10/ZIn

tro.cab34246.cab
O16 - DPF:

{F6ACF75C-C32C-447B-9BEF-46B766368D29}

(Creative Software AutoUpdate Support

Package) -

http://www.creative.com/su/ocx/15021/CTPID.ca

b
O20 - AppInit_DLLs:

C:\WINNT\system32\tmp_0v.dll
O20 - Winlogon Notify: directpt -

C:\WINNT\SYSTEM32\directpt.dll
O21 - SSODL: DCOM Server -

{2C1CD3D7-86AC-4068-93BC-A02304BB8C34} -

C:\WINNT\system32\dxvwhjub.exe
O23 - Service: AVG7 Alert Manager Server

(Avg7Alrt) - GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service

(Avg7UpdSvc) - GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) -

GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM

Access - Creative Technology Ltd -

C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager

Administrative Service (dmadmin) - VERITAS

Software Corp. -

C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager

(IDriverT) - Macrovision Corporation -

C:\Program Files\Common

Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: lxce_device - Lexmark

International, Inc. -

C:\WINNT\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service

(NVSvc) - NVIDIA Corporation -

C:\WINNT\system32\nvsvc32.exe
LS CalamityJane
Jun 15 2006, 11:16 PM
I can't read your log very well because it's all chopped up. To fix that, please open Notepad and choose *format* at the top. Make sure Wordwrap is unchecked. Scan again with HijackThis and post a new log

From a brief glance of what I can see you've got some rather nasty backdoor trojans running on there. I would advise you to take this computer off the net and access this board for instructions via a clean computer.

Troj/Haxdoor-AX
http://www.sophos.com/virusinfo/analyses/trojhaxdoorax.html

W32/Sdbot-BLW
http://www.sophos.com/security/analyses/w32sdbotblw.html

Troj/Agent-FG
http://www.sophos.com/virusinfo/analyses/trojagentfg.html

W32/Sdbot-BLW
http://www.sophos.com/security/analyses/w32sdbotblw.html

Troj/Cosiam-H
http://www.sophos.com/virusinfo/analyses/trojcosiamh.html

Your computer has been compromised and allowed access to a remote attacker.

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/...o/virusrat.mspx

When should I re-format? How should I reinstall? <---you should definitely consider this if possible
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
D`artagnan
Jun 18 2006, 06:41 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:33:20 PM, on 6/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\lxcecoms.exe
C:\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HIjackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINNT\system32\dxvwhjub.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140895756203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140896664562
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - AppInit_DLLs: C:\WINNT\system32\tmp_0v.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\system32\lxcecoms.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
D`artagnan
Jun 18 2006, 06:43 PM
also, is there a program besides sophos that i can use their scanners arent for home computers.
LS CalamityJane
Jun 18 2006, 08:26 PM
I didn't mean for you to scan with Sophos, those links were just the description so you could see what kind of nasties those are.

I see you got Ewido - that's a good trojan scanner. May have removed some of these files for you already. Did you have the latest updates and scan in SAFE MODE? Did you save the log and, if so, can you post the Ewido scan log?

Open HijackThis and do a *scan only*. When it finishes, checkmark these entries then press the *fix checked* button

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"

O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe

O4 - HKLM\..\Run: [DCOM Server] C:\WINNT\system32\dxvwhjub.exe

O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe

O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe

O20 - Winlogon Notify: directpt - directpt.dll (file missing)

O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)

Delete these files (if found)

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00011.exe"

C:\WINNT\system32\0mcamcap.exe

C:\WINNT\system32\dxvwhjub.exe

You can get free online AV scans at any of these (recommended)

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm
....................................
I need a report from this free tool please:

Post a report from this tool

Download the free beta trial of this tool from F-Secure called Blacklight
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Doubleclick on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new text file near blacklite.Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet

And a report from this one too:
Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan!)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
D`artagnan
Jun 18 2006, 09:34 PM
kinda hard to scan in safe mode, my video card doesnt seem to work well in safe mode i cant make out anything in safe mode. if you know how to fix that i will scan in safe mode, i did scan in normal mode though.
D`artagnan
Jun 18 2006, 09:56 PM
06/18/06 16:45:54 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 16:45:54 [Info]: OS: 5.0 build 2195 (Service Pack 4)
06/18/06 16:45:54 [Note]: 7019 4
06/18/06 16:45:54 [Note]: 7005 0
06/18/06 16:45:57 [Note]: 7006 0
06/18/06 16:45:57 [Note]: 7011 1148
06/18/06 16:45:57 [Note]: 7026 0
06/18/06 16:45:57 [Note]: 7026 0
06/18/06 16:45:59 [Note]: FSRAW library version 1.7.1015
06/18/06 16:48:28 [Note]: 7007 0
D`artagnan
Jun 18 2006, 10:11 PM
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 4/3/2006 12:24 AM 0 bytes Access is denied.
LS CalamityJane
Jun 18 2006, 10:26 PM
Those are ok.

No, I don't know how to fix your video card. If you could post the Ewido log that was run in normal mode
D`artagnan
Jun 18 2006, 11:41 PM
I ran ediwdo in safe mode kinda winged it and guessed what to click on and got it going here is the log file.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:23:53 PM, 6/18/2006
+ Report-Checksum: A01D669D

+ Scan result:

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\XIJ68860\ulgvfczwb[2].htm -> Downloader.Small.chk : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\YDMEE6PA\2238[1].exe -> Logger.Agent.mw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\YDMEE6PA\ycytfehsk[1].txt -> Not-A-Virus.SpamTool.Win32.Mailbot.ba : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\D`artagnan\Cookies\d`artagnan@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\rxrxrlw.exe -> Downloader.Small.ctf : Cleaned with backup
C:\WINNT\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup


::Report End
D`artagnan
Jun 18 2006, 11:42 PM
and here is a new hijackthis log file after running all those programs.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:27 PM, on 6/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HIjackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140895756203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140896664562
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O20 - AppInit_DLLs: C:\WINNT\system32\tmp_0v.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\system32\lxcecoms.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
LS CalamityJane
Jun 19 2006, 01:28 AM
You have one mystery file I need to find out what it is and ask you to do the following so I can get a copy and examine it.

Go here to upload the file as an attachment
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from D`artagnan at LS ),
fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* to upload the file. I will be able to collect it from there.

File to upload:

C:\WINNT\system32\tmp_0v.dll

(Do not post HJT logs there as they will not get dealt with)

You DO NOT need to be a member to upload, anybody can upload the files

You will not see the files that have been uploaded as they only show to the authorized users who can download them
LS CalamityJane
Jun 20 2006, 06:25 PM
Thanks for uploading the file. It was 0 bytes so either it has been cleaned before by some prior step or it was recognized as malware during the upload, so we'll proceed with the fix.

Open HijackThis and do a *scan only*
When it finishes checkmark these entries, then press the *fix checked* button

O20 - AppInit_DLLs: C:\WINNT\system32\tmp_0v.dll

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)

Delete these files

C:\WINNT\system32\tmp_0v.dll

C:\WINNT\system32\netbtd.exe (if found) Look for it because even thought the HJT log says file missing, it is not always right...sometimes the file is really there.

Reboot your computer. Scan again with HijackThis and post a fresh log please.

How is your computer acting at this point?
D`artagnan
Jun 20 2006, 07:58 PM
ok im not seeing any of those 2 files there
also i recieved this error

{Edit by LS CalamityJane: .bmp screenshot attachment replaced with smaller .gif size}
LS CalamityJane
Jun 20 2006, 09:09 PM
Ok, I believe that error is caused when the file is not found.

And those two files may have already been removed by prior cleaning steps, so that all we see now is those entries reflection in the registry.

Could you scan once more with Hijackthis and post a fresh log?
D`artagnan
Jun 20 2006, 10:01 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:53:01 PM, on 6/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\lxcecoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HIjackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140895756203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140896664562
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.34/display/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\system32\lxcecoms.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
LS CalamityJane
Jun 20 2006, 11:46 PM
Only this on is being stubborn.

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)

go to Start->Run and type: Services.msc then hit Ok

Scroll down and find the service called: NetBTD(ntbtd)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Open HijackThis and scan. Checkmark this entry, then press *fix checked*
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINNT\system32\netbtd.exe (file missing)


Close HijackThis and scan once more. Look to see if that 023 item is now gone. Let me know.
D`artagnan
Jun 22 2006, 02:36 AM
O.k. when i ran the scan i didnt see that one anymore.
everything look good now?


Logfile of HijackThis v1.99.1
Scan saved at 9:28:34 PM, on 6/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
D:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 4300 Series\lxcemon.exe
C:\Program Files\Lexmark 4300 Series\ezprint.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\system32\lxcecoms.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\services.exe
C:\HIjackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCECATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCEtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcemon.exe] "C:\Program Files\Lexmark 4300 Series\lxcemon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 4300 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potg_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/R...bGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1140895756203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140896664562
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.31.34/display/PopupSh.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15021/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINNT\system32\lxcecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
LS CalamityJane
Jun 22 2006, 12:14 PM
Looks good! biggrin.gif Assuming your computer is acting back to normal

Some final cleanup and prevention recomendations follow.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files.
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help smile.gif.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your Pc, Protect yourself and Protect your Family.
D`artagnan
Jun 24 2006, 04:02 AM
Thank you so much for you help, i really do appreciate it.
LS CalamityJane
Jun 24 2006, 03:17 PM
You're quite welcome! Glad we could help smile.gif
D`artagnan
Jun 24 2006, 06:18 PM
thanks for the help. I greatly appreciate it.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.