Resolved HJT Threads Resolved spyware and popup issues.
10-02-2007, 07:52 PM   #1
Registered User
 
Join Date: Mar 2005
Location: US
Posts: 167
OS: XP x64, Ubuntu x86_64, OS X 10.5.7


netadv.dll

Ran BitDefender - Clean
My friend opened a file from his flash drive (idiot), then I saw my explorer restart (not a good sign -_-) and then a command line flashed open. I fear the worst. There have been no immediate symptoms, but just to make sure, here's a log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:06 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Razer\Tarantula\razerhid.exe
C:\Razer\Copperhead\razerhid.exe
C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe
F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe
C:\Razer\Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
C:\WINDOWS\RTHDCPL.EXE
F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe
F:\program files\Winamp\winampa.exe
F:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
F:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\PROGRAM FILES\Google\Google Talk\googletalk.exe
F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe
F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\PROGRAM FILES\LClock\lclock.exe
F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
F:\PROGRAM FILES\ViStart\ViStart.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\PeerGuardian2\pg2.exe
C:\Razer\Copperhead\razertra.exe
C:\Razer\Copperhead\razerofa.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexStoreSvr.exe
F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Razer\Tarantula\razertra.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
F:\program files\Winamp\winamp.exe
F:\program files\AIM6\aim6.exe
F:\program files\AIM6\aolsoftware.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\explorer.exe
F:\PROGRAM FILES\Softwin\BitDefender10\bdlite.exe
F:\program files\Mozilla Firefox\firefox.exe
F:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - F:\PROGRAM FILES\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Copperhead] C:\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE"
O4 - HKLM\..\Run: [BDMCon] "F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] F:\PROGRAM FILES\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\PROGRAM FILES\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] F:\PROGRAM FILES\LClock\lclock.exe
O4 - HKCU\..\Run: [Vista Sidebar] F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] F:\PROGRAM FILES\ViStart\ViStart.exe
O4 - HKCU\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKCU\..\Run: [PeerGuardian] F:\PROGRAM FILES\PeerGuardian2\pg2.exe
O4 - Startup: Ilium Software InScribe.lnk = F:\program files\Ilium Software\InScribe\InScribeTablet.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = F:\program files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer = 192.168.0.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\PROGRAM FILES\COMMON FILES\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - G:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\program files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\PROGRAM FILES\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - F:\PROGRAM FILES\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 13773 bytes


Everything seems clean to me, but The netadv (netadv.dll) toolbar seems suspicious. I opened up my IE and found an interesting add-on. I fear clicking any buttons, but here's a SS:


Also, just opened up a search, and bitdefender yelled at me. I feel my explorer.exe is corrupted.


Edit: the explorer yell was a false call, just did a whois, and it seems to actually be an IP owned by Microsoft.

Last edited by XTTX; 10-02-2007 at 07:58 PM.

10-03-2007, 02:14 PM   #2
Registered User
 
Join Date: Mar 2005
Location: US
Posts: 167
OS: XP x64, Ubuntu x86_64, OS X 10.5.7


Re: netadv.dll

So, I'm guessing this is a new beast unleashed?

Also, found a symptom upon restart:
No explorer until ctrl+alt+del was pressed
Consistent "anti-spyware" windows popups which open along with links to other sites.

I assume it's embedded into explorer.exe since I can't seem to find a process that relates to it.

Edit: Ran HJT again, found traces of a lot of browser hijacking... Here's a new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:33 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Razer\Tarantula\razerhid.exe
C:\Razer\Copperhead\razerhid.exe
C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe
C:\Razer\Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe
F:\program files\Winamp\winampa.exe
F:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Razer\Copperhead\razertra.exe
F:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\PROGRAM FILES\Google\Google Talk\googletalk.exe
C:\Razer\Copperhead\razerofa.exe
F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe
F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\PROGRAM FILES\LClock\lclock.exe
F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
F:\PROGRAM FILES\ViStart\ViStart.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\PeerGuardian2\pg2.exe
C:\Razer\Tarantula\razertra.exe
F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexStoreSvr.exe
F:\program files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
F:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - F:\PROGRAM FILES\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Copperhead] C:\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE"
O4 - HKLM\..\Run: [BDMCon] "F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] F:\PROGRAM FILES\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\PROGRAM FILES\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] F:\PROGRAM FILES\LClock\lclock.exe
O4 - HKCU\..\Run: [Vista Sidebar] F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] F:\PROGRAM FILES\ViStart\ViStart.exe
O4 - HKCU\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKCU\..\Run: [PeerGuardian] F:\PROGRAM FILES\PeerGuardian2\pg2.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = F:\program files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer = 192.168.0.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\PROGRAM FILES\COMMON FILES\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - G:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\program files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\PROGRAM FILES\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - F:\PROGRAM FILES\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 13634 bytes


Here are some suspicious lines I saw:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) // Is this safe to delete?
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Thanks for your help so far, it's appreciated!

Last edited by tetonbob; 10-11-2007 at 05:52 PM. Reason: removed link to Spykiller thread
10-03-2007, 03:25 PM   #3
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: netadv.dll

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

---------------------------------------------------------------------------------------------

Please do not wrap logs in code tags. It makes them more difficult to view.

Thanks.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
10-04-2007, 02:43 AM   #4
Registered User
 
Join Date: Mar 2005
Location: US
Posts: 167
OS: XP x64, Ubuntu x86_64, OS X 10.5.7


Re: netadv.dll

Alright, sorry about the code tags. Here's the report:
SmitFraudFix v2.237

Scan done at 3:42:49.92, Thu 10/04/2007
Run from C:\Documents and Settings\Kevin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Razer\Tarantula\razerhid.exe
C:\Razer\Copperhead\razerhid.exe
C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe
C:\Razer\Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
C:\WINDOWS\RTHDCPL.EXE
F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe
F:\program files\Winamp\winampa.exe
F:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
F:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\PROGRAM FILES\Google\Google Talk\googletalk.exe
F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Razer\Copperhead\razertra.exe
F:\PROGRAM FILES\LClock\lclock.exe
C:\Razer\Copperhead\razerofa.exe
F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\PeerGuardian2\pg2.exe
C:\Razer\Tarantula\razertra.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexStoreSvr.exe
F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WLLoginProxy.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\explorer.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\program files\Winamp\winamp.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\afxp.dll FOUND !
C:\WINDOWS\main_uninstaller.exe FOUND !
C:\WINDOWS\msvb.dll FOUND !
C:\WINDOWS\privacy_danger FOUND !
C:\WINDOWS\sysdx.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kevin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Kevin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Kevin\FAVORI~1

C:\DOCUME~1\Kevin\FAVORI~1\Error Cleaner.url FOUND !
C:\DOCUME~1\Kevin\FAVORI~1\Privacy Protector.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\Kevin\Desktop\Error Cleaner.url FOUND !
C:\DOCUME~1\Kevin\Desktop\Privacy Protector.url FOUND !
C:\DOCUME~1\Kevin\Desktop\Spyware?Malware Protection.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» F:\PROGRAM FILES

F:\PROGRAM FILES\VideoAccessCodec\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
"SubscribedURL"=""
"FriendlyName"="Privacy Protection"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: D-Link AirPlus Xtreme G DWL-G132 Wireless USB Adapter(rev.A) - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
DNS Server Search Order: 4.2.2.2

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Old 10-04-2007, 08:38 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: netadv.dll

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

    Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll


    Close HijackThis now.

    ---------------------------------------------------------------------------------------------

    Locate and delete this file:

    C:\WINDOWS\netadv.dll

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

---------------------------------------------------------------------------------------------

Once back in normal Windows:

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab
Select "Privacy Protection" you find in there and press the delete button on the right.
Hit ok below > apply in previous window.



Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here, along with the log from SmitfraudFix.

---------------------------------------------------------------------------------------------
Old 10-04-2007, 02:09 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2005
Location: US
Posts: 167
OS: XP x64, Ubuntu x86_64, OS X 10.5.7


Re: netadv.dll

HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:11 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Razer\Tarantula\razerhid.exe
C:\Razer\Copperhead\razerhid.exe
C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe
C:\Razer\Barracuda AC-1 Gaming Audio Card\Customapp\PROGRAM\RAZER BARRACUDA AC-1 GAMING AUDIO CARD.EXE
F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
C:\WINDOWS\RTHDCPL.EXE
F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe
F:\program files\Winamp\winampa.exe
F:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
F:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
F:\PROGRAM FILES\Google\Google Talk\googletalk.exe
f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe
F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\PROGRAM FILES\LClock\lclock.exe
F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
F:\PROGRAM FILES\ViStart\ViStart.exe
F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
F:\PROGRAM FILES\PeerGuardian2\pg2.exe
C:\Razer\Copperhead\razertra.exe
C:\Razer\Copperhead\razerofa.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
C:\Razer\Tarantula\razertra.exe
F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
F:\PROGRA~1\Mozilla Firefox\firefox.exe
F:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - F:\PROGRAM FILES\COMMON FILES\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - F:\PROGRAM FILES\Styler\TB\StylerTB.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tarantula] C:\Razer\Tarantula\razerhid.exe
O4 - HKLM\..\Run: [Copperhead] C:\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [Cmaudio8788] RunDll32 cmicnfgp.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] F:\PROGRAM FILES\ANI\ANIWZCS2 SERVICE\WZCSLDR2.EXE
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TRUEIMAGEMONITOR.EXE
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\PROGRAM FILES\ACRONIS\TRUEIMAGEHOME\TIMOUNTERMONITOR.EXE
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "F:\PROGRAM FILES\COMMON FILES\ACRONIS\SCHEDULE2\SCHEDHLP.EXE"
O4 - HKLM\..\Run: [BDMCon] "F:\PROGRAM FILES\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "F:\PROGRAM FILES\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "F:\PROGRAM FILES\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] F:\program files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [googletalk] F:\PROGRAM FILES\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SMSystemAnalyzer] "F:\PROGRAM FILES\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\PROGRAM FILES\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NMBGMONITOR.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LClock] F:\PROGRAM FILES\LClock\lclock.exe
O4 - HKCU\..\Run: [Vista Sidebar] F:\PROGRAM FILES\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] F:\PROGRAM FILES\ViStart\ViStart.exe
O4 - HKCU\..\Run: [VisualTooltip] F:\PROGRAM FILES\VisualTooltip\VisualToolTip.exe
O4 - HKCU\..\Run: [PeerGuardian] F:\PROGRAM FILES\PeerGuardian2\pg2.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\program files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = F:\program files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\PROGRAM FILES\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer = 192.168.0.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - G:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\PROGRAM FILES\COMMON FILES\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - f:\PROGRAM FILES\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - G:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - F:\program files\Ares\chatServer.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - F:\PROGRAM FILES\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - F:\PROGRAM FILES\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\PROGRAM FILES\COMMON FILES\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\PROGRAM FILES\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - F:\PROGRAM FILES\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - F:\PROGRAM FILES\COMMON FILES\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 12264 bytes



Smit Fraud Fix
SmitFraudFix v2.237

Scan done at 14:02:04.98, Thu 10/04/2007
Run from F:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\afxp.dll Deleted
C:\WINDOWS\main_uninstaller.exe Deleted
C:\WINDOWS\msvb.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{75F1B25C-DB49-4EB6-BEE0-401922B3F60D}]
C:\WINDOWS\privacy_danger\ Deleted
C:\WINDOWS\sysdx.dll Deleted
Deleting [HKEY_CLASSES_ROOT\CLSID\{8838E502-1D3B-432A-B1C4-935A86E0F941}]
C:\DOCUME~1\Kevin\Desktop\Error Cleaner.url Deleted
C:\DOCUME~1\Kevin\Desktop\Privacy Protector.url Deleted
C:\DOCUME~1\Kevin\Desktop\Spyware?Malware Protection.url Deleted
C:\DOCUME~1\Kevin\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\Kevin\FAVORI~1\Privacy Protector.url Deleted
F:\PROGRAM FILES\VideoAccessCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8614BE35-8B64-43DC-A053-0B43947C50EF}: NameServer=192.168.0.1,4.2.2.2


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Many thanks! Thanks for sticking w/ me :D. So far, seems to be fine.
One thing I noticed though: when I started up I got an IE alert about a webpage not being able to open because I'm working offline [I set IE to work offline and cleared the cache], but I was wondering if the website that was trying to open was still part of the SmitFraud spyware.

Last edited by XTTX; 10-04-2007 at 02:13 PM.
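As an added illustration of the triage a helper does on entries like the ones singled out earlier in this thread (this is example code written for this page, not code from the thread, from HijackThis or from SmitfraudFix), the following Python script parses HJT-style log lines, flags the patterns the helper asked about (a DLL sitting directly in C:\WINDOWS, a BHO with "(no file)", an unexpected Start Page host, a Desktop Component served from a local HTML file) and then checks which of those entries are gone in the post-fix log. The sample lines are copied from the two HJT logs in this thread; the `TRUSTED_START_PAGE_HOSTS` allowlist and the flagging heuristics are assumptions for illustration, a first pass and not a verdict.

```python
"""Triage helper for HijackThis-style log entries (added example, not thread code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input copied from the two HJT logs quoted in this thread: the entries
# flagged before the fix, and a few representative lines from the log after it.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {ECBD04D1-1133-4480-8A8C-BC9FDD54D6C1} - C:\WINDOWS\afxp.dll
O3 - Toolbar: The netadv - {E99D4D0C-EB54-46AF-B62A-3AA1F31D53E5} - C:\WINDOWS\netadv.dll
O21 - SSODL: msvb - {75F1B25C-DB49-4EB6-BEE0-401922B3F60D} - C:\WINDOWS\msvb.dll
O21 - SSODL: sysdx - {8838E502-1D3B-432A-B1C4-935A86E0F941} - C:\WINDOWS\sysdx.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - f:\PROGRAM FILES\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption for illustration: hosts an administrator considers acceptable as an
# IE start page. Any other host in an R0 "Start Page" entry gets flagged.
TRUSTED_START_PAGE_HOSTS = {"www.google.com", "www.msn.com", "about:blank"}

WINDIR = r"C:\WINDOWS"

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path ending in one of the file types HJT entries usually reference.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|htm|html|cpl|url)\b", re.IGNORECASE)


@dataclass
class Entry:
    kind: str             # HJT section, e.g. "O2", "O21"
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # GUID if the entry carries one
    path: Optional[str]   # file path if the entry carries one


def parse_hjt(log: str) -> List[Entry]:
    """Turn HJT log text into Entry objects; lines that are not entries are skipped."""
    entries: List[Entry] = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("kind"), body,
                             clsid.group(0).upper() if clsid else None,
                             path.group(0) if path else None))
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Return why an entry deserves a closer look, or None if nothing stands out."""
    if entry.kind == "O2" and entry.body.endswith("(no file)"):
        return "orphaned BHO: CLSID registered but its DLL is missing"
    if entry.path is not None:
        parent = entry.path.rsplit("\\", 1)[0].upper()
        if parent == WINDIR.upper() and entry.path.lower().endswith(".dll"):
            return "DLL loaded from the Windows directory root rather than system32"
    if entry.kind == "R0" and "Start Page" in entry.body:
        url = entry.body.split("=", 1)[1].strip()
        host = url.split("/")[2] if "//" in url else url
        if host.lower() not in TRUSTED_START_PAGE_HOSTS:
            return f"start page points at unexpected host {host}"
    if entry.kind == "O24" and "file:///" in entry.body:
        return "desktop component loaded from a local HTML file"
    return None


def entry_key(entry: Entry) -> str:
    """Stable identity for matching the same entry across two logs."""
    return f"{entry.kind}:{entry.clsid or entry.path or entry.body}"


def flagged(log: str) -> Dict[str, str]:
    """Map entry key -> reason for every entry triage() flags."""
    result: Dict[str, str] = {}
    for entry in parse_hjt(log):
        reason = triage(entry)
        if reason:
            result[entry_key(entry)] = reason
    return result


def removed_between(before: str, after: str) -> List[str]:
    """Keys of flagged entries in `before` that no longer appear in `after`."""
    after_keys = {entry_key(e) for e in parse_hjt(after)}
    return [key for key in flagged(before) if key not in after_keys]


if __name__ == "__main__":
    for key, reason in flagged(BEFORE_LOG).items():
        print(f"[before] {key}\n         {reason}")
    print("removed by the fix:", *removed_between(BEFORE_LOG, AFTER_LOG), sep="\n  ")
    print("still flagged after the fix:", *flagged(AFTER_LOG), sep="\n  ")
```

Run against the two logs, the script flags all seven pre-fix entries and reports six of them gone afterwards; the one that survives is the orphaned "(no name) - (no file)" BHO, which matches what the post-fix log in this thread still shows and is the kind of leftover a follow-up cleanup pass would pick up.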
Old 10-04-2007, 02:39 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: netadv.dll

If you can connect with IE now, that part of the issue is resolved.

Please run this online scan to look for remnants. This will take a while.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------
 

