A baaad virus just got me!


Fish.
08-11-08, 06:34
Earlier my brother was downloading some stuff, and he must have accidentally downloaded a virus. I have gotten rid of most of it, but there are still processes such as "csrssc.exe" and Internet Explorer (I don't use it, I use Firefox), as well as a lot of other processes which seem veeeery suspicious.

My computer was constantly shutting down and restarting, with an error message saying that the shutdown was initiated by "NT AUTHORITY\SYSTEM", and that it was initiated because "C:\WINDOWS\system32\services.exe" was terminated without warning. I'll get a diagnose later, as well as an ardiag. I've run Spybot S&D at least 5 times.

Oh, if someone has it, can they post a link to SmitfraudFix? I think that's what I've come down with.

edit: Ok, I just ran SmitfraudFix, and it's done nothing but turn my clock into 24-hour time... As well as slow internet, I've also been getting popups like this:
http://i134.photobucket.com/albums/q103/Benhead_500/browserhelper.jpg


....and this....
http://i134.photobucket.com/albums/q103/Benhead_500/csrssc.jpg

EscondeR
08-11-08, 09:07
Run ARDiag.exe (http://www.tombraiderhub.com/download/ardiag.exe) and post the report.

Fish.
08-11-08, 09:19
Here ya go, Esconder.

Copy the following text and paste it to your report AS IS!!!

---------------------------------------------------------------
AutoRuns Diagnostics for TRF v 0.5 Developed by EscondeR
---------------------------------------------------------------



Program:
"Provides the interface to Apple mobile devices."
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Apple Mobile Device
Program path & name:
"c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
Enabled: [V]


Program:
"Bonjour allows applications like iTunes and Safari to advertise and discover services on the local network. Having Bonjour running enables you to connect to hardware devices like Apple TV and software services like iTunes sharing and AirTunes. If you disable Bonjour, any network service that explicitly depends on it will fail to start."
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Bonjour Service
Program path & name:
"c:\program files\bonjour\mdnsresponder.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
FCI
Program path & name:
c:\windows\system32\svchost.exe:ext.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ICF
Program path & name:
c:\windows\system32\svchost.exe:ext.exe"
Enabled: [V]


Program:
"Scans files for viruses and other threats when they are accessed by this computer."
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McShield
Program path & name:
File not found: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe"
Enabled: [V]


Program:
"SQL Server Windows NT"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
MSSQL$SONY_MEDIAMGR
Program path & name:
"c:\program files\sony\shared plug-ins\media manager\mssql$sony_mediamgr\binn\sqlservr.exe"
Enabled: [V]


Program:
"PunkBuster Service Component [v1029] http://www.evenbalance.com"
Publisher:
"(Verified) Even Balance Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PnkBstrA
Program path & name:
"c:\windows\system32\pnkbstra.exe"
Enabled: [V]


Program:
"PunkBuster Service Component [v2.48 AAO] http://www.evenbalance.com"
Publisher:
"(Verified) Even Balance Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PnkBstrB
Program path & name:
"c:\windows\system32\pnkbstrb.exe"
Enabled: [V]


Program:
"Ensures Viewpoint 3D and Rich Media Technologies are up to date"
Publisher:
"(Not verified) Viewpoint Corporation"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
Viewpoint Manager Service
Program path & name:
"c:\program files\viewpoint\common\viewpointservice.exe"
Enabled: [V]


Program:
"Monitors internet traffic and generates alerts for disallowed access."
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
vsmon
Program path & name:
"c:\windows\system32\zonelabs\vsmon.exe"
Enabled: [V]


Program:
"ASPI for WIN32 Kernel Driver"
Publisher:
"(Not verified) Adaptec"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ASPI
Program path & name:
"c:\windows\system32\drivers\aspi32.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ati7rwxx
Program path & name:
c:\windows\system32\drivers\ati7rwxx.sys"
Enabled: [V]


Program:
"Device Driver"
Publisher:
"(Not verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
drvmcdb
Program path & name:
"c:\windows\system32\drivers\drvmcdb.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
EverestDriver
Program path & name:
File not found: C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
Enabled: [V]


Program:
"Virtual Audio Device"
Publisher:
"(Not verified) NCH Swift Sound"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
NCHSSVAD
Program path & name:
"c:\windows\system32\drivers\nchssvad.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
npkcrypt
Program path & name:
File not found: C:\Nexon\MapleStory\npkcrypt.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
npkcusb
Program path & name:
File not found: C:\Nexon\MapleStory\npkcusb.sys"
Enabled: [V]


Program:
N/A
Publisher:
"(Verified) Even Balance Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PnkBstrK
Program path & name:
"c:\windows\system32\drivers\pnkbstrk.sys"
Enabled: [V]


Program:
"Px Engine Device Driver for Windows 2000/XP"
Publisher:
"(Verified) Sonic Solutions"
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
PxHelp20
Program path & name:
"c:\windows\system32\drivers\pxhelp20.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
restore
Program path & name:
File not found: C:\WINDOWS\system32\drivers\restore.sys"
Enabled: [V]


Program:
"srescan"
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
srescan
Program path & name:
"c:\windows\system32\zonelabs\srescan.sys"
Enabled: [V]


Program:
"TrendMicro Common Module"
Publisher:
"(Verified) Trend Micro Inc."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
tmcomm
Program path & name:
"c:\windows\system32\drivers\tmcomm.sys"
Enabled: [V]


Program:
"TrueVector Device Driver"
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
vsdatant
Program path & name:
"c:\windows\system32\vsdatant.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
pnocvc
Program path & name:
c:\windows\system32\pnocvc32.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
WRNotifier
Program path & name:
File not found: WRLogonNTF.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
xxyxuvuT
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


Program:
"Print Monitor (Win2k/WinXP)"
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Entry name:
Lexmark Print-2-Fax Port
Program path & name:
c:\windows\system32\lxprmon.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\fccbBUkL
Program path & name:
c:\windows\system32\fccbbukl.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
rnurge.dll
Program path & name:
c:\windows\system32\rnurge.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
qwsfsm.dll
Program path & name:
c:\windows\system32\qwsfsm.dll"
Enabled: [V]


Program:
"Internet Shortcut Shell Extension DLL"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Entry name:
url
Program path & name:
"c:\windows\system32\url.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Entry name:
urlmon
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"Registry Monitor"
Publisher:
"(Not verified) PixArt Imaging Incorporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Monitor
Program path & name:
"c:\windows\pixart\pac207\monitor.exe"
Enabled: [V]


Program:
"Fax Man Server"
Publisher:
"(Verified) Lexmark International Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
FaxCenterServer
Program path & name:
"c:\program files\lexmark fax solutions\fm3032.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
UnlockerAssistant
Program path & name:
c:\program files\unlocker\unlockerassistant.exe"
Enabled: [V]


Program:
"NVIDIA nView Wizard Version 111.32"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
nwiz
Program path & name:
"c:\windows\system32\nwiz.exe"
Enabled: [V]


Program:
"Lexmark 1200 Series Button Manager"
Publisher:
"(Verified) Lexmark International Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
lxczbmgr.exe
Program path & name:
"c:\program files\lexmark 1200 series\lxczbmgr.exe"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\jusched.exe"
Enabled: [V]


Program:
"ZoneAlarm Client"
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
ZoneAlarm Client
Program path & name:
"c:\program files\zone labs\zonealarm\zlclient.exe"
Enabled: [V]


Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [V]


Program:
"iTunesHelper Module"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
iTunesHelper
Program path & name:
"c:\program files\itunes\ituneshelper.exe"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/octet-stream
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-complus
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
application/x-msdownload
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
Class Install Handler
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
deflate
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
gzip
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Filter
Entry name:
lzdhtml
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
about
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
cdl
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
file
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
ftp
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
gopher
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
http
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
https
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
javascript
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
local
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
mailto
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
"OLE32 Extensions for Win32"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
mk
Program path & name:
"c:\windows\system32\urlmon.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
res
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
"Skype for COM API"
Publisher:
"(Verified) Skype Technologies SA"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
skype4com
Program path & name:
"c:\program files\common files\skype\skype4com.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
sysimage
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
"Microsoft (R) HTML Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Classes\Protocols\Handler
Entry name:
vbscript
Program path & name:
"c:\windows\system32\mshtml.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
Entry name:
0
Program path & name:
File not found: About:Home"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
n/a
Program path & name:
c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\smartmgr.exe"
Enabled: [V]


Program:
"Microsoft .NET IE SECURITY REGISTRATION"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
n/a
Program path & name:
"c:\windows\system32\mscories.dll"
Enabled: [V]


Program:
"Adobe Acrobat SpeedLauncher"
Publisher:
"(Not verified) Adobe Systems Incorporated"
Entry path:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Entry name:
Adobe Reader Speed Launch.lnk
Program path & name:
"c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe"
Enabled: [V]


Program:
"Kodak EasyShare Software"
Publisher:
"(Not verified) Eastman Kodak Company"
Entry path:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Entry name:
Kodak EasyShare software.lnk
Program path & name:
"c:\program files\kodak\kodak easyshare software\bin\easyshare.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Entry name:
Lsass Service
Program path & name:
File not found: C:\Documents and Settings\WM\Application Data\Microsoft\Windows\lsass.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Entry name:
mcb7uehuj3n8weuhejsw
Program path & name:
c:\windows\system32\jsne87fidgf.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Entry name:
lke3iemrl490kgfgdsfd
Program path & name:
c:\windows\system32\siejf93.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Entry name:
WebCheck
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"System settings protector"
Publisher:
"(Verified) Safer Networking Ltd."
Entry path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Entry name:
SpybotSD TeaTimer
Program path & name:
"c:\program files\spybot - search & destroy\teatimer.exe"
Enabled: [V]


Program:
"Apple Software Update"
Publisher:
"(Verified) Apple Inc."
Entry path:
Task Scheduler
Entry name:
AppleSoftwareUpdate.job
Program path & name:
"c:\program files\apple software update\softwareupdate.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{275CFCC6-55B7-40C5-9E2C-EAE85683712E}
Program path & name:
c:\windows\system32\fccbbukl.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{9E91EF7B-6846-45C3-A8AB-67CF7C900783}
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
xxyxuvut.dll
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Display Panning CPL Extension
Program path & name:
File not found: deskpan.dll"
Enabled: [V]


Program:
"Object Control Viewer"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ActiveX Cache Folder
Program path & name:
"c:\windows\system32\occache.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WebCheck
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Subscription Mgr
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Subscription Folder
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WebCheckWebCrawler
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WebCheckChannelAgent
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
TrayAgent
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Code Download Agent
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ConnectionAgent
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
PostAgent
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Web Site Monitor"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WebCheck SyncMgr Handler
Program path & name:
"c:\windows\system32\webcheck.dll"
Enabled: [V]


Program:
"Microsoft .NET Runtime Execution Engine"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Fusion Cache
Program path & name:
"c:\windows\system32\mscoree.dll"
Enabled: [V]


Program:
"Drive Letter Access Component"
Publisher:
"(Not verified) Sonic Solutions"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
DriveLetterAccess
Program path & name:
"c:\windows\system32\dla\tfswshx.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
ShellLink for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
"Application Deployment Support Library"
Publisher:
"(Not verified) Microsoft Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Shell Icon Handler for Application References
Program path & name:
"c:\windows\system32\dfshim.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
WinRAR shell extension
Program path & name:
c:\program files\winrar\rarext.dll"
Enabled: [V]


Program:
"zlavscan shell extension"
Publisher:
"(Verified) Check Point Software Technologies Ltd."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Multiscan
Program path & name:
"c:\program files\zone labs\zonealarm\zlavscan.dll"
Enabled: [V]


Program:
"CMenuExtender"
Publisher:
"(Not verified) Revenger inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
CMenuExtender
Program path & name:
"c:\windows\bricopacks\vista inspirat 2\icolorfolder\cmext.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
UnlockerShellExtension
Program path & name:
c:\program files\unlocker\unlockercom.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 111.32"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Desktop Explorer
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 111.32"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Desktop Explorer Menu
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"NVIDIA Desktop Explorer Version 111.32"
Publisher:
"(Not verified) NVIDIA Corporation"
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
nView Desktop Context Menu
Program path & name:
"c:\windows\system32\nvshell.dll"
Enabled: [V]


Program:
"Yahoo! Mail"
Publisher:
"(Verified) Yahoo! Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
Yahoo! Mail
Program path & name:
"c:\program files\yahoo!\common\ymmapi.dll"
Enabled: [V]


Program:
"iTunes Mini Player DLL"
Publisher:
"(Verified) Apple Inc."
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Entry name:
iTunes
Program path & name:
"c:\program files\itunes\itunesminiplayer.dll"
Enabled: [V]


Program:
"PDF Shell Extension"
Publisher:
"(Not verified) Adobe Systems Inc."
Entry path:
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
Entry name:
PDF Shell Extension
Program path & name:
"c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll"
Enabled: [V]


Program:
"ZoneAlarm Spy Blocker"
Publisher:
"(Not verified) ZoneAlarm"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
spyblock.dll
Program path & name:
"c:\program files\zonealarmsb\bar\1.bin\spyblock.dll"
Enabled: [V]


Program:
"Winamp IE Toolbar Dynamic Link Library"
Publisher:
"(Verified) AOL LLC"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Toolbar
Entry name:
Winamp Toolbar
Program path & name:
"c:\program files\winamp toolbar\winamptb.dll"
Enabled: [V]


Program:
"ICQ Library"
Publisher:
"(Verified) ICQ"
Entry path:
HKLM\Software\Microsoft\Internet Explorer\Extensions
Entry name:
ICQ6
Program path & name:
"c:\program files\icq6\icq.exe"
Enabled: [V]

EscondeR
08-11-08, 09:33
1. Download Autoruns (http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
2. Reboot into Safe Mode.
3. Run Autoruns, wait till it finishes scanning and kill those:


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
FCI
Program path & name:
c:\windows\system32\svchost.exe:ext.exe"
Enabled: [V] - !!!VIRUS - main entry!!!


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
ICF
Program path & name:
c:\windows\system32\svchost.exe:ext.exe"
Enabled: [V] - !!!VIRUS - main entry!!!


Program:
"Scans files for viruses and other threats when they are accessed by this computer."
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
McShield
Program path & name:
File not found: C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
EverestDriver
Program path & name:
File not found: C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
npkcrypt
Program path & name:
File not found: C:\Nexon\MapleStory\npkcrypt.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
npkcusb
Program path & name:
File not found: C:\Nexon\MapleStory\npkcusb.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
restore
Program path & name:
File not found: C:\WINDOWS\system32\drivers\restore.sys"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
pnocvc
Program path & name:
c:\windows\system32\pnocvc32.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
WRNotifier
Program path & name:
File not found: WRLogonNTF.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Entry name:
xxyxuvuT
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
Entry name:
C:\WINDOWS\system32\fccbBUkL
Program path & name:
c:\windows\system32\fccbbukl.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
rnurge.dll
Program path & name:
c:\windows\system32\rnurge.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
Entry name:
qwsfsm.dll
Program path & name:
c:\windows\system32\qwsfsm.dll"
Enabled: [V]


Program:
"Registry Monitor"
Publisher:
"(Not verified) PixArt Imaging Incorporation"
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
Monitor
Program path & name:
"c:\windows\pixart\pac207\monitor.exe"
Enabled: [V]


Program:
"Java(TM) Platform SE binary"
Publisher:
"(Verified) Sun Microsystems Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
SunJavaUpdateSched
Program path & name:
"c:\program files\java\jre1.6.0_07\bin\jusched.exe"
Enabled: [V]


Program:
"QuickTime Task"
Publisher:
"(Not verified) Apple Inc."
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Entry name:
QuickTime Task
Program path & name:
"c:\program files\quicktime\qttask.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Entry name:
n/a
Program path & name:
c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\smartmgr.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Entry name:
Lsass Service
Program path & name:
File not found: C:\Documents and Settings\WM\Application Data\Microsoft\Windows\lsass.exe"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Entry name:
mcb7uehuj3n8weuhejsw
Program path & name:
c:\windows\system32\jsne87fidgf.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
Entry name:
lke3iemrl490kgfgdsfd
Program path & name:
c:\windows\system32\siejf93.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{275CFCC6-55B7-40C5-9E2C-EAE85683712E}
Program path & name:
c:\windows\system32\fccbbukl.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Entry name:
{9E91EF7B-6846-45C3-A8AB-67CF7C900783}
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


Program:
N/A
Publisher:
N/A
Entry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Entry name:
xxyxuvut.dll
Program path & name:
c:\windows\system32\xxyxuvut.dll"
Enabled: [V]


4. Look for the following files over your drives:

44324905.EXE
41671629.DAT
AVZ00004.DTA
45625909.TMP
34840523.EXE
49950687.EXE
06413111.EXE
38628698.EXE
FCI.EXE
90231467.EXE
72511024.EXE
03327184.EXE
11.TMP
34774786.VEX
94109626.DTA
83298017.DTA
43302289.SVD
!I!SVCHOST.EXE
32853085.DAT
27715404.DAT
89448276.EXE
IRNYVTV.TMP
DD[1].EXE
21.TMP
D[1].EXE
58.TMP
15.TMP
49656575.DAT
07077896.EXE
59373391.EXE
20346597.DAT
05733281.SVD
D.EXE
90217634.DAT
IENUDWQS.EXE
70632419.DAT
%TEMP%:SVCHOST.EXE
CYDGNB.EXE
LMUXJF.EXE
BPFSQPQ.EXE
CPGCBW.EXE
MSISVID.EXE
HARDDISKVOLUME6EXT.EXE
CSI365.TMP
12450535.EXE
54944887.EXE

And if you find any, kill them.
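
The triage EscondeR does by eye on the report above (an svchost.exe target carrying an alternate data stream, an "Lsass Service" pointing outside system32, an Active Setup entry launched from RECYCLER, unsigned DLLs in Winlogon\Notify, LSA Authentication Packages and AppInit_DLLs, plus orphaned "File not found" leftovers) can be written down as a small parser and rule set. The script below is an added example, not part of this thread and not ARDiag's or Autoruns' own code. It assumes the block layout of the posted report, the list of sensitive locations and the severity labels are my choices, and SAMPLE_REPORT is a constructed two-entry excerpt in that layout.

```python
"""Triage an ARDiag / Autoruns-style autostart report.

Added example for this thread, not ARDiag's or Autoruns' own code. It assumes
the block layout of the posted report ("Label:" line, value, blank line
between entries). SAMPLE_REPORT is a constructed excerpt in that layout.
"""

FIELDS = ("Program", "Publisher", "Entry path", "Entry name",
          "Program path & name", "Enabled")
# Locations whose entries run as SYSTEM, inside winlogon/lsass, or inside
# every process; matched case-insensitively as substrings of the entry path.
SENSITIVE_LOCATIONS = (
    "winlogon\\notify", "control\\lsa\\authentication packages",
    "windows\\appinit_dlls", "explorer\\browser helper objects",
    "explorer\\shellexecutehooks", "explorer\\sharedtaskscheduler",
    "policies\\explorer\\run", "active setup\\installed components",
    "currentcontrolset\\services",
)
# Core Windows binaries malware impersonates; the real ones live in system32.
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe",
                   "winlogon.exe", "smss.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_report(text):
    """One dict per entry; a value spanning several lines is joined."""
    entries, current, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
            current, key = {}, None
            continue
        for label in FIELDS:
            if line.startswith(label + ":"):
                key = label
                current[key] = line[len(label) + 1:].strip()
                break
        else:
            if key is not None:  # continuation of the previous value
                current[key] = (current[key] + " " + line).strip()
    if current:
        entries.append(current)
    return entries


def triage(entry):
    """[(severity, reason), ...] for one entry, highest severity first."""
    target = entry.get("Program path & name", "")
    missing = target.startswith("File not found:")
    if missing:
        target = target[len("File not found:"):]
    target = target.strip().strip('"').lower()
    location = entry.get("Entry path", "").lower()
    leaf = target.rsplit("\\", 1)[-1]  # last path component
    base = leaf.split(":")[0]          # file name without a stream name
    findings = []
    # 'file.exe:name' in the last component is an NTFS alternate data stream;
    # Explorer search and a plain dir never list it, Autoruns does.
    if ":" in leaf and ("\\" in target or target.startswith("%")):
        findings.append(("high", "target is an alternate data stream on " + base))
    if base in SYSTEM_BINARIES and not target.startswith(SYSTEM32):
        findings.append(("high", base + " outside system32"))
    if "\\recycler\\" in target or "\\temp\\" in target or target.startswith("%temp%"):
        findings.append(("high", "launched from a recycle bin or temp folder"))
    if (not missing and entry.get("Publisher", "N/A") == "N/A"
            and any(loc in location for loc in SENSITIVE_LOCATIONS)):
        findings.append(("medium", "no publisher information in a sensitive autostart location"))
    if missing:
        findings.append(("low", "target file is gone: orphaned entry, delete to tidy up"))
    return findings


def triage_report(text):
    """Map every flagged entry name to its findings."""
    flagged = ((e.get("Entry name", "?"), triage(e)) for e in parse_report(text))
    return {name: findings for name, findings in flagged if findings}


# Constructed two-entry excerpt in the report's own layout.
SAMPLE_REPORT = r"""
Program:
N/A
Publisher:
N/A
Entry path:
HKLM\System\CurrentControlSet\Services
Entry name:
FCI
Program path & name:
c:\windows\system32\svchost.exe:ext.exe"
Enabled: [V]

Program:
N/A
Publisher:
N/A
Entry path:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Entry name:
Lsass Service
Program path & name:
File not found: C:\Documents and Settings\WM\Application Data\Microsoft\Windows\lsass.exe"
Enabled: [V]
"""

if __name__ == "__main__":
    for name, findings in triage_report(SAMPLE_REPORT).items():
        for severity, reason in findings:
            print("%-6s %-14s %s" % (severity.upper(), name, reason))
```

Feed it a saved report with triage_report(open("ardiag.txt").read()) and work the high findings first. The stream case matters for step 4 above: a file search for ext.exe finds nothing because the payload is a named stream attached to svchost.exe, so the entry has to be removed in Autoruns (or the stream deleted with Sysinternals Streams) rather than hunted for on disk. Entries flagged only as orphaned (McShield, the Nexon drivers, WRNotifier) are leftovers of uninstalled software, not the infection; removing them is housekeeping.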

Fish.
08-11-08, 10:09
Aye aye, I'm in safe mode right now. I deleted all the Autoruns entries, and I can't find any of the other files that you told me to look for. Should I just not bother with the small ones?

Jeet
08-11-08, 14:48
Go to http://www.kaspersky.com and do an online scan to detect viruses, and delete them through Unlocker or Replacer. Or you may use the Kaspersky trial. I'm using that thing as EscondeR advised me to :). And this thing is really cool. BTW, use Kaspersky Internet Security.

EscondeR
08-11-08, 15:57
Yup, scan this way:
Go to http://www.kaspersky.com and do an online scan to detect viruses.

OR boot in Normal Mode and rerun ARDiag scan.