trojans

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

trojans got a couple of trojans i can´t get rid off

#1 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 16 October 2006 - 04:42 PM

First off all i want to say im not a cpu beginner i have 25 yars and cpu since 10 so i´m no fool.

Whoever i´m needing of some pro help, i didn´t had problem with trojans before the ones i had i could get rid off them always with an adware program and some manual cleaning help in regedit.

Unfortunetely my nephew use my cpu some times is only 9 so i does some crappy stuff and some times when i arrive i've some spywares.

this time i can´t get rid of them i´ve made the scan with spydoctor and i get rid of some, ewido as get rid of others, but i still have pop ups and advestementise all the time and they say im clean of spyware, i know that isn´t true because i'm expericing some cpu instability slow downs and the pop ups.

I´ve search my tasks and the regestry and i can´t see nothing strange but maybe some of you pro's can.

Help

Thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 23:33:25, on 16-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\João Barradas\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {13AEC861-5CF8-4FE8-8035-DBF4ECB0487E} - C:\WINDOWS\system32\wvusp.dll (file missing)
O2 - BHO: (no name) - {1E604CBE-DECE-B4F5-443B-00036B6D3E3A} - C:\WINDOWS\system32\rxoqxbe.dll
O2 - BHO: (no name) - {2686055E-D24F-8EC5-D3A3-06D84F9DD169} - C:\WINDOWS\system32\zqrtxgb.dll
O2 - BHO: (no name) - {270C366C-FEB9-8563-67A8-0A72232784D2} - C:\WINDOWS\system32\bbxjru.dll
O2 - BHO: (no name) - {2F8DE6FC-28A5-1F62-8E95-00CA4747FD72} - C:\WINDOWS\system32\lcthjsd.dll
O2 - BHO: (no name) - {4F45B6F5-D630-40D4-348C-0387239F1A96} - C:\WINDOWS\system32\jbelfmf.dll
O2 - BHO: (no name) - {534377A1-DF1B-ADAA-6162-02CADC497EC5} - C:\WINDOWS\system32\ilbphqi.dll
O2 - BHO: (no name) - {560CF0D1-CFFE-5A05-9558-08BC7858A25F} - C:\WINDOWS\system32\rdfjhne.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mgqmefk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mgqmefk.dll,cdwfcsc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [eISS_cleanup] "C:\DOCUME~1\JOOBAR~1\LOCALS~1\Temp\cacu_001.exe" /cleanup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.gom-team.com
O15 - Trusted Zone: http://www.lavasoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110214985414
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124141135979
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB1C2F-B9D9-47DD-8132-D464E9B8C611}: NameServer = 195.23.129.126,194.79.69.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C73810-D4F3-413C-8668-3372B8E52B42}: NameServer = 195.23.129.126,194.79.69.222
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#2 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 17 October 2006 - 04:48 AM

Hi Barbs2 and Welcome to GeekstoGo!

Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

#3 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 17 October 2006 - 10:45 AM

Sorry for taking so long but i´m only avalaible between 5 PM to 1 AM

Here it is:

JoÆo Barradas - 06-10-17 17:36:10,62 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\JoÆo Barradas\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{1001B677-07CF-2070-0905-02011306015f}
C:\Program Files\Common Files\{1001B677-07D0-2070-0905-02011306015f}
C:\Program Files\Common Files\{3001B677-07CF-2070-0905-02011306015f}
C:\Program Files\Common Files\{3001B677-07D0-2070-0905-02011306015f}

((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))

2006-10-16 15:26 373,898 ---hs---- C:\WINDOWS\system32\psuvw.ini2
2006-10-14 23:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-14 23:10 94,720 --a------ C:\WINDOWS\system32\mgqmefk.dll
2006-10-14 23:10 72,704 --a------ C:\WINDOWS\system32\bbxjru.dll
2006-10-14 22:32 50,944 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-14 22:32 30,560 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-13 19:38 93,696 --a------ C:\WINDOWS\system32\rpbludj.dll
2006-10-13 19:38 72,704 --a------ C:\WINDOWS\system32\lcthjsd.dll
2006-10-12 21:19 93,696 --a------ C:\WINDOWS\system32\yaxappk.dll
2006-10-12 21:19 72,192 --a------ C:\WINDOWS\system32\rdfjhne.dll
2006-10-11 20:01 94,208 --a------ C:\WINDOWS\system32\ahnhvye.dll
2006-10-11 20:01 72,704 --a------ C:\WINDOWS\system32\zqrtxgb.dll
2006-10-11 18:25 94,208 --a------ C:\WINDOWS\system32\zgevcqb.dll
2006-10-11 18:25 72,704 --a------ C:\WINDOWS\system32\rxoqxbe.dll
2006-10-11 17:57 93,696 --a------ C:\WINDOWS\system32\hnlfzul.dll
2006-10-11 17:57 72,704 --a------ C:\WINDOWS\system32\ilbphqi.dll
2006-10-09 19:23 366,923 ---hs---- C:\WINDOWS\system32\psuvw.bak2
2006-10-08 19:23 378,907 ---hs---- C:\WINDOWS\system32\psuvw.bak1
2006-10-08 19:12 94,208 --a------ C:\WINDOWS\system32\dyuifqh.dll
2006-10-08 19:12 72,704 --a------ C:\WINDOWS\system32\jbelfmf.dll
2006-09-30 14:10 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-09-30 14:10 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-17 17:38 -------- d-------- C:\Program Files\Common Files
2006-10-17 17:35 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Azureus
2006-10-17 17:27 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-16 23:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-16 22:38 -------- d-------- C:\Program Files\Common Files\iS3
2006-10-16 22:27 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-10-16 22:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 22:18 -------- d-------- C:\Program Files\SoftwareDoctor
2006-10-14 23:39 -------- d-------- C:\Program Files\Grisoft
2006-10-14 23:03 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-13 20:58 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Real
2006-10-13 20:52 -------- d-------- C:\Program Files\Common Files\Real
2006-10-10 19:23 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\PC Tools
2006-10-09 21:48 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Lavasoft
2006-10-07 18:54 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Adobe
2006-10-07 16:38 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Apple Computer
2006-10-07 16:10 -------- d-------- C:\Program Files\QuickTime
2006-10-07 16:07 -------- d-------- C:\Program Files\Apple Software Update
2006-10-06 19:49 -------- d-------- C:\Program Files\eMule
2006-10-04 17:38 -------- d-------- C:\Program Files\Gabest
2006-09-30 14:10 -------- d-------- C:\Program Files\Cucusoft
2006-09-28 18:48 -------- d-------- C:\Program Files\Pcsx2
2006-09-27 22:00 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Rock Manager
2006-09-23 22:57 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Skype
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-30 19:19 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-27 01:11 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-08-26 23:24 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\.BTuga
2006-08-26 22:59 -------- d-------- C:\Program Files\Alcohol Soft
2006-08-26 22:58 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-26 22:58 -------- d-------- C:\Program Files\DAEMON Tools
2006-08-26 22:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd4765.sys
2006-08-26 22:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 20:16 -------- d-------- C:\Program Files\Azureus
2006-08-21 19:52 -------- d-------- C:\Program Files\Windows Media Player
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 19:57 247866 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8256.exe
2006-08-02 20:43 16384 --a------ C:\WINDOWS\system32\ac3config.exe
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-06 16:28 45716 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2006-07-06 16:26 2176 --a------ C:\Documents and Settings\Joao Barradas\Application Data\HPSU_48BitScanUpdate.log
2006-07-06 16:19 2517 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
2006-07-06 16:17 2965 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_InstantShareJPG.log
2006-07-06 16:15 3796 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_IZClosingDiscError.log
2006-07-06 16:12 5868 --a------ C:\Documents and Settings\Joao Barradas\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-07-06 16:08 49424 --a------ C:\Documents and Settings\Joao Barradas\Application Data\Update_HP_RedboxHprblog_HPSU.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"
"FastUser"="C:\\WINDOWS\\System32\\fast.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"mgqmefk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\mgqmefk.dll,cdwfcsc"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AF907913913BEFEF.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-17 17:38:56.61
C:\ComboFix.txt ... 06-10-17 17:38

ComboFix.txt (12.46K)
Number of downloads: 23

#4 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 17 October 2006 - 01:19 PM

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

After posting those 2 logs,restart in Safe Mode and Scan fresh with Combo Fix.

Restart normal and post that log,please.

#5 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 17 October 2006 - 02:18 PM

Logfile of HijackThis v1.99.1
Scan saved at 21:15:45, on 17-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\João Barradas\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {13AEC861-5CF8-4FE8-8035-DBF4ECB0487E} - C:\WINDOWS\system32\wvusp.dll (file missing)
O2 - BHO: (no name) - {1E604CBE-DECE-B4F5-443B-00036B6D3E3A} - C:\WINDOWS\system32\rxoqxbe.dll (file missing)
O2 - BHO: (no name) - {2686055E-D24F-8EC5-D3A3-06D84F9DD169} - C:\WINDOWS\system32\zqrtxgb.dll (file missing)
O2 - BHO: (no name) - {270C366C-FEB9-8563-67A8-0A72232784D2} - C:\WINDOWS\system32\bbxjru.dll (file missing)
O2 - BHO: (no name) - {2F8DE6FC-28A5-1F62-8E95-00CA4747FD72} - C:\WINDOWS\system32\lcthjsd.dll (file missing)
O2 - BHO: (no name) - {4F45B6F5-D630-40D4-348C-0387239F1A96} - C:\WINDOWS\system32\jbelfmf.dll (file missing)
O2 - BHO: (no name) - {534377A1-DF1B-ADAA-6162-02CADC497EC5} - C:\WINDOWS\system32\ilbphqi.dll (file missing)
O2 - BHO: (no name) - {560CF0D1-CFFE-5A05-9558-08BC7858A25F} - C:\WINDOWS\system32\rdfjhne.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mgqmefk.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\mgqmefk.dll,cdwfcsc
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.gom-team.com
O15 - Trusted Zone: http://www.lavasoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110214985414
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124141135979
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB1C2F-B9D9-47DD-8132-D464E9B8C611}: NameServer = 195.23.129.126,194.79.69.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C73810-D4F3-413C-8668-3372B8E52B42}: NameServer = 195.23.129.126,194.79.69.222
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

wait for my combo fix please

Attached File(s)

VundoFix.txt (1.6K)
Number of downloads: 22

#6 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 17 October 2006 - 02:35 PM

No problem,let me get a better view of this log.

VundoFix V6.2.5

Checking Java version...

Java version is 1.4.2.1

Scan started at 20:35:15 17-10-2006

Listing files found while scanning....

C:\WINDOWS\system32\ahnhvye.dll
C:\WINDOWS\system32\bbxjru.dll
C:\WINDOWS\system32\dyuifqh.dll
C:\WINDOWS\system32\ilbphqi.dll
C:\WINDOWS\system32\jbelfmf.dll
C:\WINDOWS\system32\lcthjsd.dll
C:\WINDOWS\system32\rdfjhne.dll
C:\WINDOWS\system32\rxoqxbe.dll
C:\WINDOWS\system32\zgevcqb.dll
C:\WINDOWS\system32\zqrtxgb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ahnhvye.dll
C:\WINDOWS\system32\ahnhvye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbxjru.dll
C:\WINDOWS\system32\bbxjru.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dyuifqh.dll
C:\WINDOWS\system32\dyuifqh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ilbphqi.dll
C:\WINDOWS\system32\ilbphqi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jbelfmf.dll
C:\WINDOWS\system32\jbelfmf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lcthjsd.dll
C:\WINDOWS\system32\lcthjsd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdfjhne.dll
C:\WINDOWS\system32\rdfjhne.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rxoqxbe.dll
C:\WINDOWS\system32\rxoqxbe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zgevcqb.dll
C:\WINDOWS\system32\zgevcqb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zqrtxgb.dll
C:\WINDOWS\system32\zqrtxgb.dll Has been deleted!

Performing Repairs to the registry.
Done!

#7 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 17 October 2006 - 02:41 PM

Here it is hope you got some good news

JoÆo Barradas - 06-10-17 21:29:03,92 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\JoÆo Barradas\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))

2006-10-16 15:26 373,898 ---hs---- C:\WINDOWS\system32\psuvw.ini2
2006-10-14 23:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-14 23:10 94,720 --a------ C:\WINDOWS\system32\mgqmefk.dll
2006-10-14 22:32 50,944 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-14 22:32 30,560 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-13 19:38 93,696 --a------ C:\WINDOWS\system32\rpbludj.dll
2006-10-12 21:19 93,696 --a------ C:\WINDOWS\system32\yaxappk.dll
2006-10-11 17:57 93,696 --a------ C:\WINDOWS\system32\hnlfzul.dll
2006-10-09 19:23 366,923 ---hs---- C:\WINDOWS\system32\psuvw.bak2
2006-10-08 19:23 378,907 ---hs---- C:\WINDOWS\system32\psuvw.bak1
2006-09-30 14:10 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-09-30 14:10 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-17 21:19 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-17 20:28 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Azureus
2006-10-17 17:38 -------- d-------- C:\Program Files\Common Files
2006-10-16 23:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-16 22:38 -------- d-------- C:\Program Files\Common Files\iS3
2006-10-16 22:27 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-10-16 22:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 22:18 -------- d-------- C:\Program Files\SoftwareDoctor
2006-10-14 23:39 -------- d-------- C:\Program Files\Grisoft
2006-10-14 23:03 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-13 20:58 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Real
2006-10-13 20:52 -------- d-------- C:\Program Files\Common Files\Real
2006-10-10 19:23 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\PC Tools
2006-10-09 21:48 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Lavasoft
2006-10-07 18:54 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Adobe
2006-10-07 16:38 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Apple Computer
2006-10-07 16:10 -------- d-------- C:\Program Files\QuickTime
2006-10-07 16:07 -------- d-------- C:\Program Files\Apple Software Update
2006-10-06 19:49 -------- d-------- C:\Program Files\eMule
2006-10-04 17:38 -------- d-------- C:\Program Files\Gabest
2006-09-30 14:10 -------- d-------- C:\Program Files\Cucusoft
2006-09-28 18:48 -------- d-------- C:\Program Files\Pcsx2
2006-09-27 22:00 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Rock Manager
2006-09-23 22:57 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Skype
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-30 19:19 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-27 01:11 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-08-26 23:24 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\.BTuga
2006-08-26 22:59 -------- d-------- C:\Program Files\Alcohol Soft
2006-08-26 22:58 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-26 22:58 -------- d-------- C:\Program Files\DAEMON Tools
2006-08-26 22:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd4765.sys
2006-08-26 22:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 20:16 -------- d-------- C:\Program Files\Azureus
2006-08-21 19:52 -------- d-------- C:\Program Files\Windows Media Player
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 19:57 247866 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8256.exe
2006-08-02 20:43 16384 --a------ C:\WINDOWS\system32\ac3config.exe
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-06 16:28 45716 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2006-07-06 16:26 2176 --a------ C:\Documents and Settings\Joao Barradas\Application Data\HPSU_48BitScanUpdate.log
2006-07-06 16:19 2517 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
2006-07-06 16:17 2965 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_InstantShareJPG.log
2006-07-06 16:15 3796 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_IZClosingDiscError.log
2006-07-06 16:12 5868 --a------ C:\Documents and Settings\Joao Barradas\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-07-06 16:08 49424 --a------ C:\Documents and Settings\Joao Barradas\Application Data\Update_HP_RedboxHprblog_HPSU.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"
"FastUser"="C:\\WINDOWS\\System32\\fast.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"mgqmefk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\mgqmefk.dll,cdwfcsc"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AF907913913BEFEF.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-17 21:31:33.54
C:\ComboFix.txt ... 06-10-17 21:31
C:\ComboFix2.txt ... 06-10-17 17:38

Attached File(s)

ComboFix.txt (11.39K)
Number of downloads: 23

#8 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 17 October 2006 - 02:54 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\mgqmefk.dll
C:\WINDOWS\system32\rpbludj.dll
C:\WINDOWS\system32\yaxappk.dll
C:\WINDOWS\system32\hnlfzul.dll
C:\WINDOWS\system32\psuvw.ini2
C:\WINDOWS\system32\psuvw.bak2
C:\WINDOWS\system32\psuvw.bak1
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Select Delete on Reboot and Unregister .dll before Deleting
then Click on the All Files button.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

Follow the Instruction on the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

#9 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 19 October 2006 - 12:56 PM

Sorry for the very late answer but unfortunately besides the scan taking very long it crashed 3 times, 2 times in the scan and other in the cleaning.

Here it is:

Scanning Report
Thursday, October 19, 2006 17:40:11 - 19:53:27
Computer name: JB
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ G:\

--------------------------------------------------------------------------------

Result: 2 malware found
Tracking Cookie (spyware)
System (Disinfected)
W32/Malware (virus)
C:\WINDOWS\SYSTEM32\MACROMED\SHOCKWAVE 10\POSTUPDATE.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 37641
System: 5309
Not scanned: 11
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\AGP440.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\VAXSCSI.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\JOãO BARRADAS\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{591A7A40-BF22-4792-B8BE-866A17948E6C}

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-19
F-Secure Libra: 2.4.1, 2006-10-19
F-Secure Orion: 1.2.37, 2006-10-19
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-29
F-Secure Draco: 1.0.35, 2006-10-06
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

#10 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 19 October 2006 - 03:06 PM

Restart in Safe Mode and Scan fresh with Combo Fix.

Restart normal and post that log please.

#11 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 19 October 2006 - 04:46 PM

I forgot to tell you now when my cpu restarts windows gets an run dll error message saying a file is missing is one of those i told me to erase with kill box but i click ok in the message and the cpu work fine i don´t get it.

JoÆo Barradas - 06-10-19 23:12:17,81 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\JoÆo Barradas\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-19 to 2006-10-19 ))))))))))))))))))))))))))))))))))

2006-10-14 23:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-14 22:32 50,944 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-14 22:32 30,560 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-09-30 14:10 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2006-09-30 14:10 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-19 23:06 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-19 20:40 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Azureus
2006-10-17 17:38 -------- d-------- C:\Program Files\Common Files
2006-10-16 23:19 -------- d-------- C:\Program Files\STOPzilla!
2006-10-16 22:38 -------- d-------- C:\Program Files\Common Files\iS3
2006-10-16 22:27 -------- d-------- C:\Program Files\TuneUp Utilities 2006
2006-10-16 22:18 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-16 22:18 -------- d-------- C:\Program Files\SoftwareDoctor
2006-10-14 23:39 -------- d-------- C:\Program Files\Grisoft
2006-10-14 23:03 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-13 20:58 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Real
2006-10-13 20:52 -------- d-------- C:\Program Files\Common Files\Real
2006-10-10 19:23 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\PC Tools
2006-10-09 21:48 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Lavasoft
2006-10-07 18:54 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Adobe
2006-10-07 16:38 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Apple Computer
2006-10-07 16:10 -------- d-------- C:\Program Files\QuickTime
2006-10-07 16:07 -------- d-------- C:\Program Files\Apple Software Update
2006-10-06 19:49 -------- d-------- C:\Program Files\eMule
2006-10-04 17:38 -------- d-------- C:\Program Files\Gabest
2006-09-30 14:10 -------- d-------- C:\Program Files\Cucusoft
2006-09-28 18:48 -------- d-------- C:\Program Files\Pcsx2
2006-09-27 22:00 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Rock Manager
2006-09-23 22:57 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\Skype
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-30 19:19 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-27 01:11 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-08-26 23:24 -------- d-------- C:\Documents and Settings\Joao Barradas\Application Data\.BTuga
2006-08-26 22:59 -------- d-------- C:\Program Files\Alcohol Soft
2006-08-26 22:58 223128 --a------ C:\WINDOWS\system32\drivers\dtscsi.sys
2006-08-26 22:58 -------- d-------- C:\Program Files\DAEMON Tools
2006-08-26 22:52 96256 --a------ C:\WINDOWS\system32\drivers\sptd4765.sys
2006-08-26 22:52 643072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-23 20:16 -------- d-------- C:\Program Files\Azureus
2006-08-21 19:52 -------- d-------- C:\Program Files\Windows Media Player
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-15 19:57 247866 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_8256.exe
2006-08-02 20:43 16384 --a------ C:\WINDOWS\system32\ac3config.exe
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-06 16:28 45716 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
2006-07-06 16:26 2176 --a------ C:\Documents and Settings\Joao Barradas\Application Data\HPSU_48BitScanUpdate.log
2006-07-06 16:19 2517 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_HP_ISRegionListUpdatelog_HPSU.log
2006-07-06 16:17 2965 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_InstantShareJPG.log
2006-07-06 16:15 3796 --a------ C:\Documents and Settings\Joao Barradas\Application Data\PatchUpdate_IZClosingDiscError.log
2006-07-06 16:12 5868 --a------ C:\Documents and Settings\Joao Barradas\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-07-06 16:08 49424 --a------ C:\Documents and Settings\Joao Barradas\Application Data\Update_HP_RedboxHprblog_HPSU.log

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"
"FastUser"="C:\\WINDOWS\\System32\\fast.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"mgqmefk.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\mgqmefk.dll,cdwfcsc"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"msdata"="moose.exe"
"NAV Auto Protect"="navprotect.exe"
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"start extracting"="spoolvs.exe"
"start uploading"="smsss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AF907913913BEFEF.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-19 23:15:02.64
C:\ComboFix.txt ... 06-10-19 23:15
C:\ComboFix2.txt ... 06-10-17 21:31
C:\ComboFix3.txt ... 06-10-17 17:38

Attached File(s)

ComboFix.txt (10.97K)
Number of downloads: 20

#12 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 20 October 2006 - 12:20 AM

I am attaching a zip folder,please download to the desktop and unzip.

Locate and double click Clr.reg and allow it to merge into the registry.

Restart and see if the same error message appears?

Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report in generates in a text format please and post it back here along with a fresh HijackThis log.

Attached File(s)

Clr.zip (314bytes)
Number of downloads: 65

#13 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 21 October 2006 - 11:43 AM

The error message dsen´t apear anymore thanks.

Phew, that scan has taken a lot of time

here it is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 18:40:43, on 21-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Documents and Settings\João Barradas\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {13AEC861-5CF8-4FE8-8035-DBF4ECB0487E} - C:\WINDOWS\system32\wvusp.dll (file missing)
O2 - BHO: (no name) - {1E604CBE-DECE-B4F5-443B-00036B6D3E3A} - C:\WINDOWS\system32\rxoqxbe.dll (file missing)
O2 - BHO: (no name) - {2686055E-D24F-8EC5-D3A3-06D84F9DD169} - C:\WINDOWS\system32\zqrtxgb.dll (file missing)
O2 - BHO: (no name) - {270C366C-FEB9-8563-67A8-0A72232784D2} - C:\WINDOWS\system32\bbxjru.dll (file missing)
O2 - BHO: (no name) - {2F8DE6FC-28A5-1F62-8E95-00CA4747FD72} - C:\WINDOWS\system32\lcthjsd.dll (file missing)
O2 - BHO: (no name) - {4F45B6F5-D630-40D4-348C-0387239F1A96} - C:\WINDOWS\system32\jbelfmf.dll (file missing)
O2 - BHO: (no name) - {534377A1-DF1B-ADAA-6162-02CADC497EC5} - C:\WINDOWS\system32\ilbphqi.dll (file missing)
O2 - BHO: (no name) - {560CF0D1-CFFE-5A05-9558-08BC7858A25F} - C:\WINDOWS\system32\rdfjhne.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.gom-team.com
O15 - Trusted Zone: http://www.lavasoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110214985414
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124141135979
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB1C2F-B9D9-47DD-8132-D464E9B8C611}: NameServer = 195.23.129.126,194.79.69.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C73810-D4F3-413C-8668-3372B8E52B42}: NameServer = 195.23.129.126,194.79.69.222
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

#14 Wizard

Group: Retired Staff
Posts: 5,661
Joined: 27-February 05

Posted 22 October 2006 - 05:31 AM

Do you have the Bit Defender Report?

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {13AEC861-5CF8-4FE8-8035-DBF4ECB0487E} - C:\WINDOWS\system32\wvusp.dll (file missing)

O2 - BHO: (no name) - {1E604CBE-DECE-B4F5-443B-00036B6D3E3A} - C:\WINDOWS\system32\rxoqxbe.dll (file missing)

O2 - BHO: (no name) - {2686055E-D24F-8EC5-D3A3-06D84F9DD169} - C:\WINDOWS\system32\zqrtxgb.dll (file missing)

O2 - BHO: (no name) - {270C366C-FEB9-8563-67A8-0A72232784D2} - C:\WINDOWS\system32\bbxjru.dll (file missing)

O2 - BHO: (no name) - {2F8DE6FC-28A5-1F62-8E95-00CA4747FD72} - C:\WINDOWS\system32\lcthjsd.dll (file missing)

O2 - BHO: (no name) - {4F45B6F5-D630-40D4-348C-0387239F1A96} - C:\WINDOWS\system32\jbelfmf.dll (file missing)

O2 - BHO: (no name) - {534377A1-DF1B-ADAA-6162-02CADC497EC5} - C:\WINDOWS\system32\ilbphqi.dll (file missing)

O2 - BHO: (no name) - {560CF0D1-CFFE-5A05-9558-08BC7858A25F} - C:\WINDOWS\system32\rdfjhne.dll (file missing)

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Post a fresh HijackThis log and the Bit Defender results in the next reply please.

#15 barbs2

Group: Member
Posts: 39
Joined: 12-August 05

Posted 23 October 2006 - 10:31 AM

Done,

Logfile of HijackThis v1.99.1
Scan saved at 17:29:33, on 23-10-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Documents and Settings\João Barradas\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.pt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.gom-team.com
O15 - Trusted Zone: http://www.lavasoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1110214985414
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124141135979
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemreq...m/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BEB1C2F-B9D9-47DD-8132-D464E9B8C611}: NameServer = 195.23.129.126,194.79.69.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C73810-D4F3-413C-8668-3372B8E52B42}: NameServer = 195.23.129.126,194.79.69.222
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Sorry but i´ve erased the bit defender file i don´t have it anymore.

Back to Virus, Spyware, Malware Removal

Share this topic:

2 Pages
1
2
→

Please log in to reply

trojans - Geeks to Go Forums

trojans got a couple of trojans i can´t get rid off

#1 barbs2

#2 Wizard

#3 barbs2

#4 Wizard

#5 barbs2

Attached File(s)

#6 Wizard

#7 barbs2

Attached File(s)

#8 Wizard

#9 barbs2

#10 Wizard

#11 barbs2

Attached File(s)

#12 Wizard

Attached File(s)

#13 barbs2

#14 Wizard

#15 barbs2

Share this topic:

Related Topics: