#1 - 07-06-2008, 10:08 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Dll windows:bad image Troj

Hello,

Here's what's happened so far.

I recently got multiple viruses from a Norton dl. Sorry I can't tell you what they were because I already removed them. What happened:

My start menu was hijacked. etc.

So I installed AVG 8.0 and ran it and did the smitfraud run spill.

Didn't work. Then I downloaded Malwarebytes and it removed the Alert Virus from my taskbar and let me enter my local C: again.

So alas everything is normal... except now every time I open a window pop up I get the following... The application or DLL C:\WINDOWS\system32\iSecurity.cpl is not a valid Windows image. Please check this against your installation diskette. Funny that there isn't much about this on the net. So I updated all of my Windows and got SP2. I currently run ZA as my firewall.


So I think bad\missing system file. So I put my XP Home CD in and do a Windows repair. Did not work. Then I did a SFC /scannow. The system file checker didn't work either. So here I am. HijackThis ActiveScan did disinfect 1 medium threat but didn't disinfect 3 low threats.

Windows XP

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-07-06 23:45:07
PROTECTIONS: 0
MALWARE: 4
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\sprof\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Program Files\sprof\SmitfraudFix.zip[SmitfraudFix/Process.exe]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Travis\Cookies\travis@bs.serving-sys[2].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes Yes C:\Program Files\sprof\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes Yes C:\Program Files\sprof\SmitfraudFix\Reboot.exe
02909975 Cookie/CookingLuck TrackingCookie No 0 Yes No C:\Documents and Settings\Travis\Cookies\travis@cookingluck[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
182048 HIGH MS07-069 
182043 HIGH MS07-064 
176382 HIGH MS07-057 
170907 HIGH MS07-046 
170906 HIGH MS07-045 
170904 HIGH MS07-043 
164913 HIGH MS07-033 
160623 HIGH MS07-027 
150253 HIGH MS07-016 
141030 HIGH MS06-072 
137568 HIGH MS06-067 
126083 HIGH MS06-042 
120815 HIGH MS06-022 
120814 HIGH MS06-021 
114666 HIGH MS06-015 
114664 HIGH MS06-013 
;============================

Moderator's Message

Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job and a limited amount of time to help, and therefore can only do so much. If no one has replied to your thread within 72 hours after you posted, please reply in your thread with the word BUMP to move it forward.

DO NOT bump the thread unless 72 hours have passed. We work from oldest to newest posts, so your wait will be longer if you bump it forward before the 72 hours are up. We look for 0-reply or 1-reply threads to respond to.

You should also see our sticky at the top of this forum, entitled IMPORTANT - Read This Before Posting For Malware Removal Help

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Early bump posts will be deleted.

Last edited by TheBruce1 : 07-07-2008 at 02:32 PM.
#2 - 07-15-2008, 02:49 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

bump de bump de
#3 - 07-30-2008, 02:23 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

bump, still having issues... I can't uninstall smitfraud
#4 - 07-30-2008, 07:10 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,025; OS: WinXP and Vista)

Re: Dll windows:bad image Troj

Hello propaganda and welcome,

We prefer a more comprehensive set of logs to assist in detecting any malware that may be present.

As noted in the final step (Step 5) of our sticky topic IMPORTANT - Read This Before Posting For Malware Removal Help....

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
__________________

Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Keep this site free for all. Please consider donating.

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#5 - 08-05-2008, 02:57 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

Hey Ried, thanks for the reply man,

Well I ran DSS like you said and it apparently couldn't dl HijackThis and run it, clone either. So I turned my firewall off and it seemed to change the look down time but it still didn't work.

So I ran hijack this alone and tried to upload the txt file, no bueno.

'upload failed'... so things aren't working my way.

But what's new... So copy/paste is the best I can do my friend.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:52 PM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Travis\Desktop\dss.exe
C:\DOCUME~1\Travis\Desktop\Travis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: cj helper - {B552B8A4-76AC-4e8c-A469-C1585B111116} - C:\Program Files\IE Extensions\cj.v5.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 3702 bytes
#6 - 08-05-2008, 05:31 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,025; OS: WinXP and Vista)

Re: Dll windows:bad image Troj

I prefer you copy/paste reports unless otherwise instructed.

If I understand you correctly, are you saying dss.exe would not run to completion? Or did you stop the tool after the download of HijackThis claimed to have failed?

If dss.exe 'stalled' or gave you some sort of error, then run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

View all the categories listed, and uncheck whichever one caused the problem. (Typically Temp Cleanup or Event Logs)

Click Scan!

Post the main.txt and extra.txt it produces.
#7 - 08-27-2008, 08:29 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

Deckard's System Scanner v20071014.68
Run by Travis on 2008-08-27 22:26:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
123: 2008-08-28 03:22:43 UTC - RP168 - Deckard's System Scanner Restore Point
122: 2008-08-28 02:59:07 UTC - RP167 - System Checkpoint
121: 2008-08-27 02:49:14 UTC - RP166 - System Checkpoint
120: 2008-08-26 01:56:58 UTC - RP165 - System Checkpoint
119: 2008-08-24 21:25:50 UTC - RP164 - System Checkpoint


-- First Restore Point --
1: 2008-07-05 01:44:46 UTC - RP46 - Installed Windows XP KB922616.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Travis.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:33 PM, on 8/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Travis\desktop\dss.exe
C:\DOCUME~1\Travis\Desktop\Travis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: cj helper - {B552B8A4-76AC-4e8c-A469-C1585B111116} - C:\Program Files\IE Extensions\cj.v5.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 4198 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 PciCon - d:\pcicon.sys (file missing)
S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin32\nsvcappflt.exe <Not Verified; ; app_filter Module>
R2 nSvcIp (ForceWare IP service) - c:\program files\nvidia corporation\networkaccessmanager\bin32\nsvcip.exe <Not Verified; ; NAM>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&76B52AB&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #2
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&76B52AB&0&00
Service: NVENETFD


-- Scheduled Tasks -------------------------------------------------------------

2008-08-21 22:27:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-07-27 and 2008-08-27 -----------------------------

2008-08-27 14:57:05 0 d-------- C:\WINDOWS\LastGood
2008-08-21 16:07:50 0 d-------- C:\WINDOWS\Sun
2008-08-21 16:07:50 0 d-------- C:\Documents and Settings\Travis\Application Data\Sun
2008-08-21 1624 0 d-------- C:\Program Files\Java
2008-08-21 16:02:51 0 d-------- C:\Program Files\Common Files\Java
2008-08-05 15:38:49 0 d-------- C:\WINDOWS\Prefetch
2008-08-05 15:33:00 0 d-------- C:\WINDOWS\system32\scripting
2008-08-05 15:32:59 0 d-------- C:\WINDOWS\system32\en
2008-08-05 15:32:59 0 d-------- C:\WINDOWS\l2schemas
2008-08-05 15:30:01 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2008-08-27 18:29:18 0 d-------- C:\Program Files\Warcraft III
2008-08-21 19:38:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-21 16:02:51 0 d-------- C:\Program Files\Common Files
2008-08-13 22:31:30 0 d-------- C:\Program Files\Messenger
2008-08-05 16:29:20 0 d-------- C:\Documents and Settings\Travis\Application Data\SPORE Creature Creator
2008-08-05 15:32:59 0 d-------- C:\Program Files\Movie Maker
2008-08-05 15:31:13 0 d-------- C:\Program Files\Windows NT
2008-07-07 00:22:16 0 d-------- C:\Program Files\Panda Security
2008-07-06 23:32:44 0 d-------- C:\Documents and Settings\Travis\Application Data\Apple Computer
2008-07-04 17:37:56 0 d-------- C:\Program Files\Lavasoft
2008-07-04 16:26:07 0 d-------- C:\Program Files\Realtek
2008-07-04 15:16:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 14:43:49 0 d--h----- C:\Program Files\WindowsUpdate
2008-07-04 14:28:46 22704 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-07-02 2337 0 d-------- C:\Program Files\sprof
2008-07-02 2305 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-02 23:05:56 0 d-------- C:\Program Files\AVG
2008-07-02 23:02:04 91520 -----n--- C:\WINDOWS\system32\lfwcolkx.dll
2008-07-02 23:02:04 28288 -----n--- C:\WINDOWS\system32\khfcaywv.dll
2008-07-02 22:28:33 0 d-------- C:\Documents and Settings\Travis\Application Data\Malwarebytes
2008-07-02 14:33:18 2124 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-02 13:59:42 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-02 13:44:41 0 d-------- C:\Documents and Settings\Travis\Application Data\TmpRecentIcons
2008-07-01 13:21:29 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-30 19:39:12 77720 --a------ C:\WINDOWS\War3Unin.dat
2008-06-07 17:41:17 2508 --a------ C:\Documents and Settings\Travis\Application Data\$_hpcst$.hpc
2008-05-29 09:35:36 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B552B8A4-76AC-4e8c-A469-C1585B111116}]
C:\Program Files\IE Extensions\cj.v5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/03/2008 09:26 AM]
"nwiz"="nwiz.exe" [01/03/2008 09:26 AM C:\WINDOWS\system32\nwiz.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [04/02/2008 09:07 PM]
"RTHDCPL"="RTHDCPL.EXE" [10/16/2007 09:30 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 09:43 PM C:\WINDOWS\Alcmtr.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/03/2008 09:26 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [06/20/2006 10:36 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iSecurity.cpl

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\PROGRA~1\MICROS~4\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-08-27 22:26:56 ------------






Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz
Percentage of Memory in Use: 36%
Physical Memory (total/avail): 1022.46 MiB / 650.88 MiB
Pagefile Memory (total/avail): 2461.02 MiB / 2184.32 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.89 MiB

C: is Fixed (NTFS) - 74.5 GiB total, 58.23 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HDS72808 0PLA380 SCSI Disk Device - 74.5 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.5 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Travis\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TRAVIS-T45X3VIC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Travis
LOGONSERVER=\\TRAVIS-T45X3VIC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Travis\LOCALS~1\Temp
TMP=C:\DOCUME~1\Travis\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=TRAVIS-T45X3VIC
USERNAME=Travis
USERPROFILE=C:\Documents and Settings\Travis
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Travis (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
HijackThis 2.0.2 --> "C:\Documents and Settings\Travis\Desktop\HijackThis.exe" /uninstall
Java(TM) 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager --> "C:\Program Files\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly
NVIDIA ForceWare Network Access Manager --> MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
Realtek High Definition Audio Driver --> RtlUpd.exe -r -m
SPORE™ Creature Creator Trial Edition --> "C:\Program Files\InstallShield Installation Information\{ECEE0279-785F-4CB3-9F28-E69813234BF8}\setup.exe" -runfromtemp -l0x0009 -removeonly
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2008-08-27 22:26:56 ------------



Alright, it didn't like the event logs.
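The HijackThis logs posted above are what the analyst reads by hand. As an added example (not part of this thread, and not HijackThis or DSS code), the Python below parses HijackThis v2 "O-lines" from a constructed sample modelled on the entries in those logs and flags the ones a reviewer looks at first: a populated AppInit_DLLs value (Windows loads that module into every process that links user32.dll, which is why a missing or corrupted iSecurity.cpl raises the "not a valid Windows image" dialog on every new window), BHOs whose DLL is gone, services with no publisher, and orphaned Active Desktop components. The rule set and severities are this example's own assumptions, not a published standard.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format, modelled on the entries
# posted in this thread (a handful of lines, not the full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: cj helper - {B552B8A4-76AC-4e8c-A469-C1585B111116} - C:\Program Files\IE Extensions\cj.v5.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Every HijackThis finding is "O<n> - <body>"; header lines do not match.
O_LINE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    severity: str
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body) pairs for every O-line in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        m = O_LINE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log_text):
    """Apply the (assumed) review rules and return findings, most severe first."""
    findings = []
    for section, body in parse_entries(log_text):
        line = f"{section} - {body}"
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # a clean XP Home system normally has this value empty
                findings.append(Finding("HIGH", section,
                    f"AppInit_DLLs is set to '{value}': Windows loads it into every process "
                    "that links user32.dll, so a deleted or corrupted module produces the "
                    "'not a valid Windows image' dialog on every new window", line))
        elif section == "O2":
            m = BHO_RE.match(body)
            if m and m.group("path").endswith("(file missing)"):
                findings.append(Finding("MEDIUM", section,
                    f"BHO '{m.group('name')}' ({m.group('clsid')}) is registered but its DLL "
                    "is gone; an orphaned registration is typical after a partial cleanup", line))
        elif section == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append(Finding("LOW", section,
                    f"service '{m.group('name')}' carries no publisher information; verify "
                    f"the binary at {m.group('path')}", line))
        elif section == "O24" and body.endswith("(no file)"):
            findings.append(Finding("LOW", section,
                "Active Desktop component points at a missing file, often left behind by "
                "rogue security software that replaced the wallpaper", line))
        elif section == "O6" and body.endswith("Restrictions present"):
            findings.append(Finding("LOW", section,
                "Internet Explorer policy restrictions are set; confirm an administrator, "
                "not malware, put them there", line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 1, 'MEDIUM': 1, 'LOW': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```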
#8 - 08-28-2008, 10:58 AM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

I think that I got it this time. Tell me what you think from the above. extra.txt is the bottom half; main is on top.

Thanks in Advance.
#9 - 08-28-2008, 02:40 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

If I can add anything more just let me know.

Thanks
#10 - 09-04-2008, 03:08 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

I'll try a bump before the weekend hits...
#11 - 09-05-2008, 01:13 PM - propaganda (Registered User; Join Date: Jul 2008; Posts: 14; OS: XP Home)

Re: Dll windows:bad image Troj

I think my problem is from smitfraud?? But I can't find it.
#12 - 09-05-2008, 06:20 PM - Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 19,025; OS: WinXP and Vista)

Re: Dll windows:bad image Troj

Hello propaganda,

One of my colleagues notified me that you had responded here. As 22 days had gone by with no response from you, I had unsubscribed from this thread and moved on to assist others. We have hundreds of people waiting for assistance.

No worries, I do see the infection. Please understand that time is of the essence if we're going to effectively clean your system.

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.