I think I got a problem

Christian Darrall

errm people i really do think i have a problem (spyware)

C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Q2hyaXN0aWFuIERhcnJhbGw\command.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\BearShare\BearShare.exe
C:\WINNT\wupdmgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\osaupd.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\uninstDsk.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\explorer.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\Icp3p2BxK0.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
c:\Program Files\paytime.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\system32\0mcamcap.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\system32\TheMatrixHasYou.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\WINNT\uninstDsk.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINNT\uninstDsk.exe
C:\Documents and Settings\Christian Darrall\Local Settings\Temp\wz1214\HijackThis.exe
C:\WINNT\uninstDsk.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.5.5.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\system32\winbrume.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - C:\WINNT\system32\azesearch4.ocx
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINNT\system32\iasada.dll
O3 - Toolbar: Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINNT\system32\azesearch4.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINNT\system32\intell321.exe
O4 - HKLM\..\Run: [c3252441.exe] C:\WINNT\system32\c3252441.exe
O4 - HKLM\..\Run: [46bd1e6e.exe] C:\WINNT\system32\46bd1e6e.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [d321301b.exe] C:\WINNT\system32\d321301b.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [c3252441.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\c3252441.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [46bd1e6e.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\46bd1e6e.exe
O4 - HKCU\..\Run: [d321301b.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\d321301b.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: wupdmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146996718421
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41F3E82-322D-49E3-9D9E-49438A9656CC}: NameServer = 62.31.112.39,62.31.144.39
O20 - Winlogon Notify: prwsks - C:\WINNT\
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINNT\system32\dcom_16.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0aWFuIERhcnJhbGw\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

ermm do i have to say any more

and this was supposed to be a computer for homework, coursework and safe internet exploring, hah i don't think so somehow.

plz can you send a fix to a private message, use as much detail as pos plz, only cuz ill be away in spain and a close mate will fix it for me.

and if he talks on threads I WANNA KNOW bibi
 
ermm do i have to say any more
No you don't.

Shouldn't be a problem, let's get started.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 
guten tag

SmitFraudFix v2.41

Scan done at 20:44:50.70, Mon 08/05/2006
Run from C:\Documents and Settings\Christian Darrall\Desktop
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\azesearch.bmp FOUND !
C:\WINNT\drsmartload95a.exe FOUND !
C:\WINNT\loadadv728.exe FOUND !
C:\WINNT\osaupd.exe FOUND !
C:\WINNT\uninstDsk.exe FOUND !
C:\WINNT\wupdmgr.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\intell321.exe FOUND !
C:\WINNT\system32\oleext.dll FOUND !
C:\WINNT\system32\taskdir.exe FOUND !
C:\WINNT\system32\taskdir~.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christian Darrall\Application Data

C:\Documents and Settings\Christian Darrall\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\paytime.exe FOUND !
C:\Program Files\PestTrap\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}"="DCOM Server"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB8C34}\InProcServer32]
@="C:\WINNT\system32\dcom_16.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINNT\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

Volume in drive C has no label.
Volume Serial Number is 7CCC-D061

Directory of C:\WINNT\system32

29/08/2002 07:14 585,728 wininet.dll
1 File(s) 585,728 bytes

Directory of C:\WINNT\system32\dllcache

29/08/2002 07:14 585,728 wininet.dll
1 File(s) 585,728 bytes

Directory of C:\WINNT\$NtServicePackUninstall$

07/12/1999 12:00 467,728 wininet.dll
1 File(s) 467,728 bytes

Directory of C:\WINNT\ServicePackFiles\i386

19/06/2003 20:05 466,704 wininet.dll
1 File(s) 466,704 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End

i waz shwn dis????

C:\WINNT\system32\intell321.exe FOUND
chris is runnin a amd i fink

peeps chris is gonna screw theres now 109 processes runnin, there was only 40 b4, whats going on?????? there increasing as well by da rate of 1 every 9 seconds
 
That intel file is fake.

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install, and update the free version of Ewido Anti-Malware:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes, the status bar at the bottom will display "Update successful"
  5. Exit Ewido. DO NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

After SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

Then please restart it into Normal Windows, and post a new Hijackthis log.
 
yep i did up 2 no 2 and then

The instruction at "0x009411ba" referenced memory at "ox009411ba". the memory could not be "read". click ok to terminate the program click on cancel to debug the program

now 125 processes
 
Did you try the debug option? If it still won't work, carry on with the other instructions, save the report from SmitfraudFix and post it here.
 
i dont understand, i just did didn't i. its post 3, as for ewido, its not opening when i click debug it says its generated a prob

mate have u got msn or summing cuz den u can du remote assistance

140 processes and its the same prog

ill do the safe mode section ill post back
 
soz about the wait, ewido took longer than i thought


it finished when there was 350 processes and cpu usage was 3. hehe

heres the log

Logfile of HijackThis v1.99.1
Scan saved at 23:02:41, on 08/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\system32\46bd1e6e.exe
C:\WINNT\system32\d321301b.exe
C:\WINNT\system32\0mcamcap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\wupdmgr.exe
C:\WINNT\osaupd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian Darrall\Local Settings\Temp\wz9101\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.5.5.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\system32\winbrume.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [rock] rock.exe
O4 - HKLM\..\Run: [c3252441.exe] C:\WINNT\system32\c3252441.exe
O4 - HKLM\..\Run: [46bd1e6e.exe] C:\WINNT\system32\46bd1e6e.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [d321301b.exe] C:\WINNT\system32\d321301b.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [c3252441.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\c3252441.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [46bd1e6e.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\46bd1e6e.exe
O4 - HKCU\..\Run: [d321301b.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\d321301b.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: wupdmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146996718421
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41F3E82-322D-49E3-9D9E-49438A9656CC}: NameServer = 62.31.112.39,62.31.144.39
O20 - Winlogon Notify: prwsks - C:\WINNT\
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0aWFuIERhcnJhbGw\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

is there any way of reducing this amount,
 
Here is a list of unknown/nasty stuff on your computer:

C:\WINNT\system32\46bd1e6e.exe - Unknown
C:\WINNT\system32\d321301b.exe - Unknown
C:\WINNT\system32\0mcamcap.exe - Unknown
C:\WINNT\wupdmgr.exe - Nasty
C:\WINNT\osaupd.exe - Unknown
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm - Possibly nasty
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm - Possibly nasty
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.5.5.2 - Possibly nasty
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINNT\system32\winbrume.dll - Unknown
O4 - HKLM\..\Run: [rock] rock.exe - Unknown
O4 - HKLM\..\Run: [c3252441.exe] C:\WINNT\system32\c3252441.exe - Possibly nasty
O4 - HKLM\..\Run: [46bd1e6e.exe] C:\WINNT\system32\46bd1e6e.exe - Possibly nasty
O4 - HKLM\..\Run: [ntdll.dll] c:\Program Files\paytime.exe - Unknown
O4 - HKLM\..\Run: [d321301b.exe] C:\WINNT\system32\d321301b.exe - Possibly nasty
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe - Unknown
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe - Unknown
O4 - HKCU\..\Run: [c3252441.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\c3252441.exe - Possibly nasty
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\0mcamcap.exe - Unknown
O4 - HKCU\..\Run: [46bd1e6e.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\46bd1e6e.exe - Possibly nasty
O4 - HKCU\..\Run: [d321301b.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\d321301b.exe - Possibly nasty
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe - Unknown
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe" - Unknown
O4 - Global Startup: wupdmgr.exe - Unknown
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/1.cab - Nasty
O17 - HKLM\System\CCS\Services\Tcpip\..\{F41F3E82-322D-49E3-9D9E-49438A9656CC}: NameServer = 62.31.112.39,62.31.144.39 - Possibly nasty
O20 - Winlogon Notify: prwsks - C:\WINNT\ - Unknown
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll - Unknown
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0aWFuIERhcnJhbGw\command.exe (file missing) - This service (§service) seems to be nasty.
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network

I think it should be ok to delete but let buzz check before you do anything.
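
An added example, not part of the original thread or of any tool the posters used: a small Python triage pass over HijackThis O4 (autorun) lines like those flagged in the list above. The three heuristics and all function names are assumptions made for illustration; the sample lines are copied from the log on this page.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log on this page.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [c3252441.exe] C:\WINNT\system32\c3252441.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\Program Files\paytime.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [c3252441.exe] C:\Documents and Settings\Christian Darrall\Local Settings\Application Data\c3252441.exe
O4 - HKCU\..\Run: [ntdll.dll] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
# Executable path up to the first ".exe"; handles quoted and unquoted paths with spaces.
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)
# Assumed heuristic: file name made of exactly eight hex digits.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$")


def parse_o4(log_text):
    """Return (hive, key, value_name, target_path) for each registry autorun line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. "Global Startup")
        hive, key, name, command = m.groups()
        exe = EXE_RE.match(command)
        target = exe.group(1) if exe else command
        entries.append((hive, key, name, target))
    return entries


def triage(entries):
    """Map each target file name to the set of heuristic flags it triggered."""
    flags = defaultdict(set)
    hives_by_file = defaultdict(set)
    for hive, key, name, target in entries:
        base = ntpath.basename(target).lower()  # ntpath parses Windows paths on any OS
        hives_by_file[base].add(hive)
        if HEX_NAME_RE.match(base):
            flags[base].add("hex-name")
        # Value name is itself a file name, but a different one than the target.
        if name.lower().endswith((".dll", ".exe")) and name.lower() != base:
            flags[base].add("name-mismatch")
    # Same file name autostarted from both the machine and the user hive.
    for base, hives in hives_by_file.items():
        if len(hives) > 1:
            flags[base].add("multi-hive")
    return dict(flags)


if __name__ == "__main__":
    for file_name, why in sorted(triage(parse_o4(SAMPLE_LOG)).items()):
        print(f"{file_name}: {', '.join(sorted(why))}")
```

The flags are leads for a human reviewer, not verdicts: legitimate software can trip them, and entries that trip none (such as `mobsync.exe` here) are not thereby cleared.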
 
ok

if nobody can fix it, then ill just reformat my hard drive and install xp.

i know everyone on this forum is an expert on it. hehehe

thanx so much for your help people fixed the prob 95% just the 5% needed fixing
 
if nobody can fix it, then ill just reformat my hard drive and install xp.
Who said it can't be fixed? Just because it takes more than one or two posts, you decide to format?
Oh well, your choice.
 
Your problem is fixable. It is nearly as infected as some are. You have to give us time to write up a fix. If you decide to reformat, tell us; if you don't, tell us. Your choice.
 