Old 11-26-2007, 01:27 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I can't run Adobe Photoshop CS3; it crashes on loading.
I get this error:

"Photoshop has encountered a problem and needs to close. We are sorry for the inconvenience."

AppName: photoshop.exe AppVer: 10.0.0.0 ModName: kernel32.dll
ModVer: 5.1.2600.3119 Offset: 00018943
I have been searching for an answer for days.
I have tried everything:

- Microsoft mouse drivers cause that, but I don't have IntelliMouse
- I have tried the update file from Adobe
- Adobe Preferences Pspi: deleted all pref files etc.
- Updated the VGA drivers. I have an ATI Radeon 9600


Please help me.

I have the same error in Internet Explorer when I try to check my emails on my Hotmail account...

Explorer crashes and I get this error:

"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

AppName: iexplore.exe AppVer: 7.0.6000.16544 ModName: kernel32.dll
ModVer: 5.1.2600.3119 Offset: 00018943

Here is my log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02:02, on 26.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
g:\Program Files\Messenger Detect\MDServ.exe
g:\Program Files\Messenger Detect\MDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
D:\UPSMON_Service.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\UPSMON.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {81A35F39-4850-474E-92C9-B4CF283207E0} - (no file)
O2 - BHO: (no name) - {904413A4-8B06-486E-62F3-504AAE43DFE0} - C:\WINDOWS\system32\vdxfkivl.dll
O2 - BHO: (no name) - {A4DD4B92-B79B-E2B7-0418-943D4A3AF4EB} - (no file)
O2 - BHO: (no name) - {AA909BCE-4552-48F6-2D36-835D4B8A0E7D} - (no file)
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [UPSMON] D:\\UPSMON.exe
O4 - HKLM\..\Run: [kis] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link to &MidpX - E:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{282D156A-6381-4570-BE37-251BEDDE1A00}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A539A9-6C02-407B-98B5-F6B7F727193D}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A31C5FD6-96F9-407C-AFB7-B6EE31F12416}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3A2212-1A00-4CD8-863F-3B971463BC99}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F69E76-479C-4EE8-93BA-6A7D326D673C}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CAFE162-794E-4983-A6F7-1C2E9D88D432}: NameServer = 195.175.39.39 195.175.39.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll d:\progra~1\agnitum\outpos~1\wl_hook.dll,D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: MDServ - formessengers.com - g:\Program Files\Messenger Detect\MDServ.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UPSMONService - Unknown owner - D:\UPSMON_Service.Exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 2: (no name) - http://online.platodata.com.tr/desktop/desktop.asp

--
End of file - 10993 bytes
Old 11-27-2007, 09:51 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Any help?
Old 11-28-2007, 08:26 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Hello coolboyxxx,

You have a couple of infections on board and as such, this will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 11-28-2007 at 08:27 AM.
Old 11-28-2007, 05:07 PM   #4 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Thanks for your response

I have followed your instructions.
Here is the Combofix.txt along with the new HijackThis log after combofix.exe has processed:






ComboFix 07-11-29.3 - hasansas 2007-11-29 1:38:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.1.1033.18.164 [GMT 2:00]
Running from: C:\Documents and Settings\hasansas\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\avaslar\Application Data\HbTools
C:\Documents and Settings\hasansas\Application Data\HbTools\v3.0\HbTools\static\2\btntrans.idx
C:\Documents and Settings\hasansas\Application Data\hidires
C:\Documents and Settings\hasansas\Application Data\macromedia\Flash Player\#SharedObjects\8Y8H7V8M\www.broadcaster.com
C:\Documents and Settings\hasansas\Application Data\macromedia\Flash Player\#SharedObjects\8Y8H7V8M\www.broadcaster.com\played_list.sol
C:\Documents and Settings\hasansas\Application Data\macromedia\Flash Player\#SharedObjects\8Y8H7V8M\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\hasansas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\hasansas\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\Downloaded Program Files.\egauth.inf
C:\WINDOWS\Downloaded Program Files.\nethv32.inf
C:\WINDOWS\Downloaded Program Files\Cache
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\keyboard51.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\command.pif
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\tmlpcert2005
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_M_HOOK
-------\LEGACY_NWSAPAGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\NwSapAgent


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-26 19:47 . 2007-11-26 19:47 <DIR> d-------- C:\Program Files\Bonjour
2007-11-23 00:59 . 2007-11-23 00:59 <DIR> d-------- C:\Documents and Settings\ahmet\Application Data\ACD Systems
2007-11-19 21:40 . 1996-11-17 00:00 326,656 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-11-17 22:35 . 2007-11-17 22:39 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-17 21:59 . 2007-11-17 21:59 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-17 21:04 . 2007-11-17 21:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-17 17:02 . 2007-11-20 20:11 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-17 16:06 . 2003-03-11 09:04 266,240 --a------ C:\WINDOWS\system32\hpdj3600
2007-11-17 16:05 . 2003-12-14 14:03 438,799 --a------ C:\WINDOWS\hpdj3600.hi2
2007-11-17 16:05 . 2003-12-14 14:03 9,050 --a------ C:\WINDOWS\hpdj3600.bu2
2007-11-17 15:57 . 2007-11-17 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-02 22:12 . 2007-11-02 23:09 <DIR> d-------- C:\ebooks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 23:51 118,531,872 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-28 23:49 3,384,096 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-28 23:47 323,504 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-28 23:47 1,595,792 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-28 23:35 --------- d-----w C:\Documents and Settings\hasansas\Application Data\AVG7
2007-11-28 23:18 362 ----a-w C:\Eurojava.sys
2007-11-27 22:47 --------- d-----w C:\Program Files\FlashGet
2007-11-26 17:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-26 17:28 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-21 17:44 --------- d-----w C:\Program Files\xat.com JPEG Optimizer
2007-11-21 17:44 --------- d-----w C:\Program Files\WinISO
2007-11-21 17:44 --------- d-----w C:\Program Files\Lavasoft Ad- Aware
2007-11-21 17:44 --------- d-----w C:\Program Files\Eng-Ger Dictionary
2007-11-21 17:44 --------- d-----w C:\Program Files\AZR
2007-11-21 17:44 --------- d-----w C:\Program Files\APDFPRP
2007-11-21 16:02 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_5055604.dnp
2007-11-21 16:02 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_3435695.dnp
2007-11-21 15:59 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_8478519.dnp
2007-11-21 15:59 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_4290064.dnp
2007-11-17 20:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_6006188.dnp
2007-11-17 20:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_1365664.dnp
2007-11-17 20:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_9160329.dnp
2007-11-17 20:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_6060886.dnp
2007-11-17 14:05 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-06 18:06 --------- d-----w C:\Program Files\ICQ6
2007-10-31 22:15 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-10-26 15:48 --------- d-----w C:\Documents and Settings\hasansas\Application Data\Apple Computer
2007-10-10 23:12 --------- d-----w C:\Program Files\Equis
2007-10-08 20:19 --------- d-----w C:\Program Files\Common Files\Equis
2007-10-08 18:47 --------- d-----w C:\Program Files\ZoomBook The Temple Of The Sun
2007-10-07 14:17 --------- d-----w C:\Documents and Settings\hasansas\Application Data\Azureus
2007-09-30 20:47 --------- d-----w C:\Program Files\iPod
2007-09-30 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-30 20:33 --------- d-----w C:\Program Files\Apple Software Update
2007-09-30 20:31 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-30 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2005-10-31 00:05 1,560 -c--a-w C:\Program Files\INSTALL.LOG
2004-10-31 11:39 489 ----a-w C:\Documents and Settings\hasansas\Application Data\dcuser.dat
1998-02-10 16:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81A35F39-4850-474E-92C9-B4CF283207E0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{904413A4-8B06-486E-62F3-504AAE43DFE0}]
2001-08-18 14:00 11922 --a------ C:\WINDOWS\system32\vdxfkivl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4DD4B92-B79B-E2B7-0418-943D4A3AF4EB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA909BCE-4552-48F6-2D36-835D4B8A0E7D}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPSMON"="D:\\UPSMON.exe" [2005-03-30 15:13]
"kis"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 21:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="cshnf.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2003-08-25 09:25 139264 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\google\google~1\goec62~1.dll d:\progra~1\agnitum\outpos~1\wl_hook.dll,D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]
backup=C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]
backup=C:\WINDOWS\pss\Net Send GUI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Wireless USB Adapter.lnk]
backup=C:\WINDOWS\pss\U.S. Robotics Wireless USB Adapter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^hasansas^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoShutdown]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 00:23 90112 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cc_app]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSystem]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 09:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2004-09-23 09:33 1019392 --a------ C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskCalc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2002-12-02 20:56 40960 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmnwb.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
2004-05-13 10:01 131072 --a------ D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dywuopzc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzdMontr]
C:\Program Files\Quik Touch\EzdMontr.exe install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
2003-09-11 23:15 278528 --a------ C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-11 10:08 172032 --a------ C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inst]
C:\WINDOWS\System\Inst.exe install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
rundll32.exe p2esocks_1021.dll,InstantAccess

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-10-04 01:00 28672 --a------ C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgrn]
2002-12-12 14:24 421888 --a------ C:\PROGRA~1\COPPER~1\BIN\WIN2K\tidslmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\navapp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Connection Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Overnet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2004-09-15 14:36 148992 --a------ C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
D:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2005-05-18 21:51 81920 --a------ C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 01:00 90112 -----c--- C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-12 19:24 106557 --a------ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"XPRepairPro2007"=C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
"RegClean Expert Scheduler"="D:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TIxDSL"=C:\PROGRA~1\COPPER~1\BIN\WIN2K\tidslmon.exe
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" -atboottime
"Viewbar"=D:\Program Files\AGLOCO Viewbar\Viewbar.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Nokia Tray Application"=C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
"CTStartup"=C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
"Inst"=C:\WINDOWS\System\Inst.exe install
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

R1 ts_lb;ts_lb;C:\WINDOWS\system32\drivers\ts_lb.sys
R2 BT848;Conexant's BtPCI WDM Video Capture;C:\WINDOWS\system32\DRIVERS\BT848.sys
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys
R2 MDServ;MDServ;"g:\Program Files\Messenger Detect\MDServ.exe"
R2 NokiaSuite3;NokiaSuite3;C:\WINDOWS\system32\drivers\NokiaSuite3.sys
R3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;C:\WINDOWS\system32\DRIVERS\tscomm.sys
S2 BulkUsb;Genius ColorPage USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S2 MSFIE;MainSafe Service;C:\WINDOWS\system32\mainsafe.exe C:\WINDOWS\system32\mainsafe.empty.ini
S3 Allied;CopperJet ADSL modem Installer;C:\WINDOWS\system32\DRIVERS\instl.sys
S3 Aruba;QuikTouch/USB2 Device;C:\WINDOWS\system32\DRIVERS\Aruba.sys
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys
S3 KCIRNET;KC Technology Device Driver;C:\WINDOWS\system32\DRIVERS\kcirnet.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S3 RapFile;RapFile;\??\C:\WINDOWS\system32\drivers\RapFile.sys
S3 RapNet;RapNet;\??\C:\WINDOWS\system32\drivers\RapNet.sys
S3 TIAu5Bt;AU5 USB DSL Modem Boot Device;C:\WINDOWS\system32\Drivers\tiau5bt.sys
S3 TIAU5CO;AU5 USB DSL Modem(WAN);C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S4 ewido security suite driver;ewido security suite driver;\??\D:\Program Files\ewido\security suite\guard.sys
S4 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53b5a0fe-8896-11dc-aaff-0002440b43c0}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 01:51:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 1:55:25 - machine was rebooted
.
--- E O F ---

=====================================================================================

HijackThis after Combofix:

======================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:00:55, on 29.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
g:\Program Files\Messenger Detect\MDServ.exe
g:\Program Files\Messenger Detect\MDetect.exe
C:\WINDOWS\System32\svchost.exe
D:\UPSMON_Service.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
D:\UPSMON.exe
D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {81A35F39-4850-474E-92C9-B4CF283207E0} - (no file)
O2 - BHO: (no name) - {904413A4-8B06-486E-62F3-504AAE43DFE0} - C:\WINDOWS\system32\vdxfkivl.dll
O2 - BHO: (no name) - {A4DD4B92-B79B-E2B7-0418-943D4A3AF4EB} - (no file)
O2 - BHO: (no name) - {AA909BCE-4552-48F6-2D36-835D4B8A0E7D} - (no file)
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [UPSMON] D:\\UPSMON.exe
O4 - HKLM\..\Run: [kis] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link to &MidpX - E:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{282D156A-6381-4570-BE37-251BEDDE1A00}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A539A9-6C02-407B-98B5-F6B7F727193D}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A31C5FD6-96F9-407C-AFB7-B6EE31F12416}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE3A2212-1A00-4CD8-863F-3B971463BC99}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6F69E76-479C-4EE8-93BA-6A7D326D673C}: NameServer = 85.255.114.51,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CAFE162-794E-4983-A6F7-1C2E9D88D432}: NameServer = 195.175.39.39 195.175.39.40
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll d:\progra~1\agnitum\outpos~1\wl_hook.dll,D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: MDServ - formessengers.com - g:\Program Files\Messenger Detect\MDServ.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UPSMONService - Unknown owner - D:\UPSMON_Service.Exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 2: (no name) - http://online.platodata.com.tr/desktop/desktop.asp

--
End of file - 10904 bytes
coolboyxxx is offline  
Old 11-29-2007, 12:11 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Hello coolboyxxx,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Please download FixWareout and save it to your desktop.

------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of these tools.

---------------------------------------------------------------------

Run FixWareout. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin, follow the prompts.
  • You will be asked to reboot your computer, please do so.
  • Your system may take longer than usual to load. This is normal.
  • Once the desktop loads, post the text that will open (C:\fixwareout\report.txt), which I will need in your next reply.
----------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\vdxfkivl.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81A35F39-4850-474E-92C9-B4CF283207E0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{904413A4-8B06-486E-62F3-504AAE43DFE0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A4DD4B92-B79B-E2B7-0418-943D4A3AF4EB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA909BCE-4552-48F6-2D36-835D4B8A0E7D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dywuopzc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Inst]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msbb]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates0]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Inst"=-
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

Please include the following in your next reply:

C:\fixwareout\report.txt
C:\ComboFix.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-29-2007, 11:11 AM   #6 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

FIXWAREOUT report (report.txt)

Username "hasansas" - 29.11.2007 19:04:40 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="cshnf.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.114.51 85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{282D156A-6381-4570-BE37-251BEDDE1A00}
"nameserver"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{37A539A9-6C02-407B-98B5-F6B7F727193D}
"nameserver"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A31C5FD6-96F9-407C-AFB7-B6EE31F12416}
"nameserver"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CE3A2212-1A00-4CD8-863F-3B971463BC99}
"nameserver"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F6F69E76-479C-4EE8-93BA-6A7D326D673C}
"nameserver"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{282D156A-6381-4570-BE37-251BEDDE1A00}
"DhcpNameServer"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{37A539A9-6C02-407B-98B5-F6B7F727193D}
"DhcpNameServer"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{CE3A2212-1A00-4CD8-863F-3B971463BC99}
"DhcpNameServer"="85.255.114.51,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F6F69E76-479C-4EE8-93BA-6A7D326D673C}
"DhcpNameServer"="85.255.114.51,85.255.112.8" <Value cleared.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "fnhsc" Value deleted
HKCR\CLSID\{8C67E42F-FBD5-415E-9FDC-DA1F696E2C3F}\_h\4 Deleted.
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"UPSMON"="D:\\\\UPSMON.exe"
"kis"="\"D:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

===========================================================================================

Here is the new ComboFix.txt
Combofix has run as you described with the CFScript.txt

ComboFix 07-11-29.3 - hasansas 2007-11-29 19:36:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1254.1.1033.18.132 [GMT 2:00]
Running from: C:\Documents and Settings\hasansas\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\hasansas\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\vdxfkivl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vdxfkivl.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-26 19:47 . 2007-11-26 19:47 <DIR> d-------- C:\Program Files\Bonjour
2007-11-23 00:59 . 2007-11-23 00:59 <DIR> d-------- C:\Documents and Settings\ahmet\Application Data\ACD Systems
2007-11-19 21:40 . 1996-11-17 00:00 326,656 --a------ C:\WINDOWS\system\MSVCRT40.DLL
2007-11-17 22:35 . 2007-11-17 22:39 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-17 21:59 . 2007-11-17 21:59 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-11-17 21:04 . 2007-11-17 21:08 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-11-17 17:02 . 2007-11-20 20:11 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-17 16:06 . 2003-03-11 09:04 266,240 --a------ C:\WINDOWS\system32\hpdj3600
2007-11-17 16:05 . 2003-12-14 14:03 438,799 --a------ C:\WINDOWS\hpdj3600.hi2
2007-11-17 16:05 . 2003-12-14 14:03 9,050 --a------ C:\WINDOWS\hpdj3600.bu2
2007-11-17 15:57 . 2007-11-17 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-02 22:12 . 2007-11-02 23:09 <DIR> d-------- C:\ebooks


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 17:51 118,587,424 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-29 17:46 3,388,960 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-29 17:44 323,960 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-29 17:44 1,596,536 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-29 16:57 362 ----a-w C:\Eurojava.sys
2007-11-28 23:35 --------- d-----w C:\Documents and Settings\hasansas\Application Data\AVG7
2007-11-27 22:47 --------- d-----w C:\Program Files\FlashGet
2007-11-26 17:47 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-26 17:28 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-11-21 17:44 --------- d-----w C:\Program Files\xat.com JPEG Optimizer
2007-11-21 17:44 --------- d-----w C:\Program Files\WinISO
2007-11-21 17:44 --------- d-----w C:\Program Files\Lavasoft Ad- Aware
2007-11-21 17:44 --------- d-----w C:\Program Files\Eng-Ger Dictionary
2007-11-21 17:44 --------- d-----w C:\Program Files\AZR
2007-11-21 17:44 --------- d-----w C:\Program Files\APDFPRP
2007-11-21 16:02 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_5055604.dnp
2007-11-21 16:02 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_3435695.dnp
2007-11-21 15:59 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_8478519.dnp
2007-11-21 15:59 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-21-2007_17-56-48_4290064.dnp
2007-11-17 20:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_6006188.dnp
2007-11-17 20:48 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_1365664.dnp
2007-11-17 20:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_9160329.dnp
2007-11-17 20:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-11-17-2007_22-39-32_6060886.dnp
2007-11-17 14:05 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-06 18:06 --------- d-----w C:\Program Files\ICQ6
2007-10-31 22:15 724,992 ----a-w C:\WINDOWS\iun6002.exe
2007-10-26 15:48 --------- d-----w C:\Documents and Settings\hasansas\Application Data\Apple Computer
2007-10-10 23:12 --------- d-----w C:\Program Files\Equis
2007-10-08 20:19 --------- d-----w C:\Program Files\Common Files\Equis
2007-10-08 18:47 --------- d-----w C:\Program Files\ZoomBook The Temple Of The Sun
2007-10-07 14:17 --------- d-----w C:\Documents and Settings\hasansas\Application Data\Azureus
2007-09-30 20:47 --------- d-----w C:\Program Files\iPod
2007-09-30 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-30 20:33 --------- d-----w C:\Program Files\Apple Software Update
2007-09-30 20:31 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-30 20:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2005-10-31 00:05 1,560 -c--a-w C:\Program Files\INSTALL.LOG
2004-10-31 11:39 489 ----a-w C:\Documents and Settings\hasansas\Application Data\dcuser.dat
1998-02-10 16:34 128,000 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPSMON"="D:\\UPSMON.exe" [2005-03-30 15:13]
"kis"="D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" [2006-03-24 19:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 21:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2003-08-25 09:25 139264 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\google\google~1\goec62~1.dll d:\progra~1\agnitum\outpos~1\wl_hook.dll,D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlackICE PC Protection.lnk]
backup=C:\WINDOWS\pss\BlackICE PC Protection.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Net Send GUI.lnk]
backup=C:\WINDOWS\pss\Net Send GUI.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^U.S. Robotics Wireless USB Adapter.lnk]
backup=C:\WINDOWS\pss\U.S. Robotics Wireless USB Adapter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^hasansas^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti Trojan Elite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoShutdown]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
2002-10-07 00:23 90112 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cc_app]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMSystem]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 09:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
2004-09-23 09:33 1019392 --a------ C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeskCalc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2002-12-02 20:56 40960 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dgp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dmnwb.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
2004-05-13 10:01 131072 --a------ D:\Program Files\Iomega HotBurn Pro\Autolaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzdMontr]
C:\Program Files\Quik Touch\EzdMontr.exe install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
2003-09-11 23:15 278528 --a------ C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-03-11 10:08 172032 --a------ C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-10-04 01:00 28672 --a------ C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgrn]
2002-12-12 14:24 421888 --a------ C:\PROGRA~1\COPPER~1\BIN\WIN2K\tidslmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\navapp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Connection Monitor]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Overnet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
2004-09-15 14:36 148992 --a------ C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
D:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 10:42 69632 --a------ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TotalRecorderScheduler]
2005-05-18 21:51 81920 --a------ C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 01:00 90112 -----c--- C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
2004-11-12 19:24 106557 --a------ C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"XPRepairPro2007"=C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
"RegClean Expert Scheduler"="D:\Program Files\Registry Clean Expert\RCHelper.exe" /startup
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TIxDSL"=C:\PROGRA~1\COPPER~1\BIN\WIN2K\tidslmon.exe
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" -atboottime
"Viewbar"=D:\Program Files\AGLOCO Viewbar\Viewbar.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"Nokia Tray Application"=C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
"CTStartup"=C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
"Inst"=C:\WINDOWS\System\Inst.exe install
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

R1 ts_lb;ts_lb;C:\WINDOWS\system32\drivers\ts_lb.sys
R2 BT848;Conexant's BtPCI WDM Video Capture;C:\WINDOWS\system32\DRIVERS\BT848.sys
R2 BTTUNER;BtTuner, WDM TvTuner;C:\WINDOWS\system32\drivers\BTTUNER.sys
R2 MDServ;MDServ;"g:\Program Files\Messenger Detect\MDServ.exe"
R2 NokiaSuite3;NokiaSuite3;C:\WINDOWS\system32\drivers\NokiaSuite3.sys
R3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
R3 TSCOMM;CommStudio Virtual Adapter by TamoSoft;C:\WINDOWS\system32\DRIVERS\tscomm.sys
S2 BulkUsb;Genius ColorPage USB Scanner;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S2 MSFIE;MainSafe Service;C:\WINDOWS\system32\mainsafe.exe C:\WINDOWS\system32\mainsafe.empty.ini
S3 Allied;CopperJet ADSL modem Installer;C:\WINDOWS\system32\DRIVERS\instl.sys
S3 Aruba;QuikTouch/USB2 Device;C:\WINDOWS\system32\DRIVERS\Aruba.sys
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys
S3 CV2K1;CommView Network Monitor;C:\WINDOWS\system32\DRIVERS\cv2k1.sys
S3 KCIRNET;KC Technology Device Driver;C:\WINDOWS\system32\DRIVERS\kcirnet.sys
S3 kvpndev;Kerio VPN adapter;C:\WINDOWS\system32\DRIVERS\kvpndrv.sys
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S3 RapFile;RapFile;\??\C:\WINDOWS\system32\drivers\RapFile.sys
S3 RapNet;RapNet;\??\C:\WINDOWS\system32\drivers\RapNet.sys
S3 TIAu5Bt;AU5 USB DSL Modem Boot Device;C:\WINDOWS\system32\Drivers\tiau5bt.sys
S3 TIAU5CO;AU5 USB DSL Modem(WAN);C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys
S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
S4 ewido security suite driver;ewido security suite driver;\??\D:\Program Files\ewido\security suite\guard.sys
S4 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\System32\Drivers\NPDRIVER.SYS

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53b5a0fe-8896-11dc-aaff-0002440b43c0}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 19:51:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-29 19:54:32 - machine was rebooted
C:\ComboFix.txt ... 2007-11-29 01:55
.
--- E O F ---
coolboyxxx is offline  
Old 11-29-2007, 11:00 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

That's better.

Now please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-30-2007, 10:18 AM   #8 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I am trying to scan online now but I have problems.

Some code, or whatever it is, I don't know exactly, makes Internet Explorer crash on kernel on this page:

http://www.kaspersky.com/service?chapter=161739400

"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

AppName: iexplore.exe AppVer: 7.0.6000.16544 ModName: kernel32.dll
ModVer: 5.1.2600.3119 Offset: 00018943

I have got the same error,

but I didn't close the error window.
I clicked on the Kaspersky online scanning button.
A new pop-up window opened giving instructions, requirements and limitations, etc.
I clicked on the accept button and nothing happened.

I got the direct link from the address bar of that window and tried to run directly from this page:

http://www.kaspersky.com/kos/eng/par...avwebscan.html

On the opened page I let the ActiveX components install.
Kaspersky Online Scanner initialized without a problem, but
while updating the Kaspersky anti-virus databases, at exactly 4077 kb of the 14945 kb database file, I got this error:

"Update process FAILED. No further antivirus actions can be performed!
Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-Virus bases version
must be downloaded prior to scan.Otherwise we cannot guarantes detection of latest viruses. [21] "

Latest HijackThis log without a virus scan:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:16:41, on 30.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
g:\Program Files\Messenger Detect\MDServ.exe
g:\Program Files\Messenger Detect\MDetect.exe
C:\WINDOWS\System32\svchost.exe
D:\UPSMON_Service.Exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\UPSMON.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: i-Nav IDN SearchHook - {CE000994-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: XTTBPos00 Class - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: FGCatchUrl - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: i-Nav IDN Resolver - {CE000992-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O2 - BHO: Kwyshell MidpX - {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - E:\Program Files\Kwyshell\MidpX\JadInvoker\MidpInvoker.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [UPSMON] D:\\UPSMON.exe
O4 - HKLM\..\Run: [kis] "D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Link to &MidpX - E:\Program Files\Kwyshell\MidpX\JadInvoker\Extent\jad_wrap.htm
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra 'Tools' menuitem: i-Nav Help - {CE000992-A58C-4441-8938-744CD72AB27F} - http://idn.verisign-grs.com/plug-in/support/index.jsp (file missing)
O9 - Extra button: (no name) - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra 'Tools' menuitem: i-Nav Options - {CE000996-A58C-4441-8938-744CD72AB27F} - C:\Program Files\VeriSign\i-Nav\i-nav_4_2_1.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.51 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CAFE162-794E-4983-A6F7-1C2E9D88D432}: NameServer = 195.175.39.39 195.175.39.40
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll d:\progra~1\agnitum\outpos~1\wl_hook.dll,D:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: MDServ - formessengers.com - g:\Program Files\Messenger Detect\MDServ.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: UPSMONService - Unknown owner - D:\UPSMON_Service.Exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 2: (no name) - http://online.platodata.com.tr/desktop/desktop.asp

--
End of file - 9591 bytes
coolboyxxx is offline  
Old 11-30-2007, 09:45 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I should have noticed earlier that you have 2 AVs installed, AVG7 and Kaspersky Internet Suite. While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.


Then please try this online scanner instead:

Go here and perform the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • Once finished, click on the Details button to view the results.
  • To the upper right of the results you will see an option saying "Click here to export the scan results". Post the log of the scan results in your next reply.
Ried is offline  
Old 12-01-2007, 03:08 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I have uninstalled AVG antivirus.
The BitDefender online scan makes Explorer crash on kernel32.dll, same as Kaspersky, when I click on "I Agree" to agree to the EULA.

"Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

AppName: iexplore.exe AppVer: 7.0.6000.16544 ModName: kernel32.dll
ModVer: 5.1.2600.3119 Offset: 00018943

I have tried to run my offline Kaspersky scanner installed on my computer for a full scan. I have updated the definition files. After a while it also crashes, like Explorer, on kernel32.dll.
coolboyxxx is offline  
Old 12-01-2007, 04:06 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I am trying to scan partially with the offline Kaspersky antivirus scanner installed on my computer so that Kaspersky doesn't crash after a while:

first, system memory....clear
second, startup objects.....clear
third, system restore....clear

Other long scans cannot be performed...Kaspersky crashes.
coolboyxxx is offline  
Old 12-01-2007, 08:00 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Let's try a stand alone scanner and see if it reveals anything.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe


This scanner tends to be very aggressive. Please configure it exactly as shown below. For now, I only want to see a Report of what it finds. Due to your issues with kernel32.dll, boot into Safe Mode to run the scan:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web in your next reply.
Ried is offline  
Old 12-02-2007, 02:37 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Here is the contents of the log from Dr.Web :

BMSetup.exe;C:\Documents and Settings\hasansas\Desktop\Coplluk\homemadedıy\led\BWMeter v2.4.0;Program.SrvAny;;
Service.exe;C:\Program Files\BWMeter;Program.SrvAny;;
MD5Crack.exe;D:\Downloads\Directconnect\Chip\checksum\checksum;Tool.MDCrack;;
KUR.BAT;D:\Downloads\Directconnect\EGE_OTO;Probably BATCH.Virus;;
Free Ripper 1.0.exe;D:\Downloads\Directconnect\radmin211\iradminnf-vmp3_42_crk;Tool.ASEye.2;;
Visual MP3 4.2.exe;D:\Downloads\Directconnect\radmin211\iradminnf-vmp3_42_crk;Tool.ASEye.2;;
STRESS_2.EXE;D:\Mydocuments;Joke.Puncher;;
sja.exe;D:\Program Files\SQLyog Enterprise Trial;Probably DLOADER.Trojan;;
superscan4.exe;G:\superscan\SuperScan v4.0 (2000 XP);Program.SuperScan;;
coolboyxxx is offline  
Old 12-02-2007, 08:23 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Using 'My Computer', navigate to and delete the following File and Folder

D:\Downloads\Directconnect\radmin211\iradminnf-vmp3_42_crk
D:\Mydocuments\STRESS_2.EXE

--------------------------------------------------------------------

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop.

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. It will produce a log.
  • Copy the log using the Copy button
  • Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it, and post the log in this thread.
Ried is offline  
Old 12-03-2007, 12:12 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Here is the gmer.log attached to this message.
Attached Files
File Type: txt gmer.txt (929.7 KB, 1 views)
coolboyxxx is offline  
Old 12-04-2007, 09:52 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I'm not seeing anything in that log. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

Try invoking Windows File Protection.

Click Start>Run and type in sfc /scannow (there is a space between sfc and /) and let it scan for missing/corrupt files. This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. If it finds any problems, it will prompt you for the Windows XP Install disc so have it handy.

---------------------------------------------------------

Please let me know how that went for you.
Ried is offline  
Old 12-05-2007, 08:49 AM   #17 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

I ran that command and, as you said, it prompted for the XP install disc.
Now that annoying kernel error doesn't appear any more.
I can run Adobe and Explorer now without a problem.
Thanks a lot.
My best regards
coolboyxxx is offline  
Old 12-05-2007, 09:32 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,531
OS: WinXP and Vista


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

That is good to hear.

Please continue with these final instructions and helpful links:

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Ried is offline  
Old 05-27-2008, 02:26 AM   #19 (permalink)
Registered User
 
Join Date: Nov 2007
Posts: 15
OS: xp home edition


Re: Photoshop Cs3 and IE7 crash on Kernel32.dll offset:00018943

Sorry, I missed your last reply....yes, this thread was resolved...thanks a lot
coolboyxxx is offline  
 



All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum