Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

PP.exe.exe and IE hijacked!

Started by V-GER , Mar 22 2007 08:12 AM

  • Please log in to reply

#1
V-GER
Posted 22 March 2007 - 08:12 AM

V-GER

    Member

  • Member
  • PipPip
  • 36 posts
Have a big problem. Was having IE problem where the browser would not come up. I ran AdawareSE and it removed a few items. I then upgraded Ewido to AVG which I guess is their new name. That discovered worm.barunum.f (not sure if that is spelled right). On restart I got a pp.exe.exe file warning. I searched on google that this was a virus. I downloaded a program called Prevx1 which said it would remove it. Now my PC is in perpetual reboot. My desktop comes up with:
error loading C:\Windows\urrppm.dll
then it reboots automatically. Please help! Thank you for your response!
P.S. Have windows XP Pro
  • 0

Advertisements

#2
loophole
Posted 22 March 2007 - 08:59 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling: Can you start the computer in safe mode, and I'm assuming you are using another computer to post from?

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

  • 0

#3
V-GER
Posted 22 March 2007 - 09:45 AM

V-GER

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Thank you for your quick response. This is a work computer so thanks again. Here is my Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:32:17 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ron\Desktop\HiJackThis_v2.exe

O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\system32\shdocvs.dll
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ef0685f-e11f-4208-b362-bdce875461c5} - C:\WINDOWS\system32\elsons.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp2E5.tmp.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [fryHighRes] rundll32 atipmogl.dll,DetectHighResMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\Ron\Application Data\ratorefaci\sysrtmvs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urrppm.dll",setvm
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\system32\adirka.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [Generic Host Process For Win32 Services] C:\WINDOWS\system32\svñhost.exe
O4 - HKCU\..\Policies\Explorer\Run: [Client Server Runtime Process] C:\WINDOWS\system32\ñsrss.exe
O4 - HKCU\..\Policies\Explorer\Run: [{5CBEC635-0190-1033-0715-950210290001}] "C:\Program Files\Common Files\{5CBEC635-0190-1033-0715-950210290001}\Update.exe" mc-110-12-0000509
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa....plugins/ncs.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O20 - Winlogon Notify: elsons - C:\WINDOWS\SYSTEM32\elsons.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe

--
End of file - 6303 bytes
  • 0

#4
loophole
Posted 22 March 2007 - 10:45 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

We dont support the version of Hijack you are using is still Beta, but we will deal with that in a bit.

Lets try this, you can download the following file and move it to your computer. If we get lucky you may be able to stay in normal windows

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#5
V-GER
Posted 22 March 2007 - 11:27 AM

V-GER

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Here is the ComboFix log:
"Ron" - 07-03-22 13:11:34 Service Pack 2
ComboFix 07-03-22.2 - Running from: "C:\Documents and Settings\Ron\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 ))))))))))))))))))))))))))))))))))


2007-03-22 11:52 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-03-22 09:40 <DIR> d-------- C:\DOCUME~1\Ron\APPLIC~1\Prevx
2007-03-22 09:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-03-22 09:38 13,712,232 --a------ C:\InstallPREVX102030010.exe
2007-03-22 09:32 0 --a------ C:\WINDOWS\system32\comcbx2.dll
2007-03-22 08:49 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-22 08:41 0 --a------ C:\WINDOWS\system32\kiscbxz.dat
2007-03-21 17:43 5 --a------ C:\WINDOWS\system32\fontqxet.dll
2007-03-21 17:09 8,047 --a------ C:\WINDOWS\system32\msratnit.dll
2007-03-21 16:31 8 --a------ C:\WINDOWS\system32\commnet8.dll
2007-03-21 16:24 4 --a------ C:\WINDOWS\system32\defrasw.dll
2007-03-21 16:20 8 --a------ C:\WINDOWS\system32\sdfinacs.dll
2007-03-21 16:20 14 --a------ C:\WINDOWS\system32\rasqervy.dll
2007-03-21 16:20 0 --a------ C:\WINDOWS\system32\kiscbxw.dat
2007-03-21 16:18 23,040 --a------ C:\WINDOWS\system32\cscentfy.dll
2007-03-21 16:18 115 --a------ C:\WINDOWS\system32\wuasirvy.dll
2007-03-21 16:18 1,573 --a------ C:\WINDOWS\system32\comcs32c.dll
2007-03-21 14:57 27,235 --a------ C:\WINDOWS\system32\jkklm.exe
2007-03-21 14:57 19,795 --a------ C:\WINDOWS\system32\elsons.dll
2007-03-21 14:52 8,504 --a------ C:\WINDOWS\system32\pmnlmlm.dll
2007-03-21 14:48 37,406 --a------ C:\WINDOWS\system32\lsasss.exe
2007-03-21 14:48 <DIR> d-------- C:\WINDOWS\bak
2007-03-17 14:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WhiteCap (Holiday Edition)
2007-03-10 12:48 <DIR> d-------- C:\Program Files\QuickTime
2007-03-07 10:49 <DIR> d-------- C:\DOCUME~1\Ron\APPLIC~1\WinRAR


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-22 09:44 24 --a------ C:\WINDOWS\system32\dvcstatebkp-{00000000-00000000-0000000f-00001102-00000002-80611102}.dat
2007-03-22 09:44 24 --a------ C:\WINDOWS\system32\dvcstate-{00000000-00000000-0000000f-00001102-00000002-80611102}.dat
2007-03-22 08:52 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2007-03-21 14:48 -------- d-------- C:\Program Files\microsoft activesync
2007-03-21 14:48 -------- d-------- C:\Program Files\messenger
2007-03-21 14:48 -------- d-------- C:\DOCUME~1\Ron\APPLIC~1\ratorefaci
2007-03-21 14:47 37406 --a------ C:\WINDOWS\updreg.exe
2007-02-17 11:36 -------- d-------- C:\Program Files\google


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"fryHighRes"="rundll32 atipmogl.dll,DetectHighResMonitor"
"AGRSMMSG"="AGRSMMSG.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"aouei"="C:\\Documents and Settings\\Ron\\Application Data\\ratorefaci\\sysrtmvs.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Lexmark_X79-55"="C:\\WINDOWS\\system32\\lsasss.exe"
"2chkdsk"="rundll32.exe \"C:\\WINDOWS\\urrppm.dll\",setvm"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=dword:00000002
"SNDSrvc"=dword:00000003
"SBService"=dword:00000002
"SAVScan"=dword:00000003
"navapsvc"=dword:00000003
"ccSetMgr"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002
"Symantec Core LC"=dword:00000002
"KodakCCS"=dword:00000002
"FGLRYUtil"=dword:00000002
"APCPBEAgent"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"1"="C:\\WINDOWS\\svchost.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalUserRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Generic Host Process For Win32 Services"="C:\\WINDOWS\\system32\\svñhost.exe"
"Client Server Runtime Process"="C:\\WINDOWS\\system32\\ñsrss.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\elsons

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-22 13:20:44
C:\ComboFix2.txt ... 07-03-22 13:04
  • 0

#6
loophole
Posted 22 March 2007 - 11:43 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi, I need a bit to go over this and create a fix, can you do this in the meantime and go ahead and post a new hijack log with your current version of Hijack

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of rsvp32_2.dll.
  • Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.
  • If the rsvp32_2.dll file only appears on the right sid then just click fix checked and close the program
  • When you are done click Finish>>.

  • 0

#7
V-GER
Posted 22 March 2007 - 12:34 PM

V-GER

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Did as requested with LSPfix. Here is the newHJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:32:02 PM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Program Files\AutoCAD LT 2004\aclt.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Documents and Settings\Ron\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Shell Event Object Class - {00534B55-3155-CA4F-B41D-0E922121D03C} - C:\WINDOWS\system32\cscentfy.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ef0685f-e11f-4208-b362-bdce875461c5} - C:\WINDOWS\system32\elsons.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [fryHighRes] rundll32 atipmogl.dll,DetectHighResMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [aouei] C:\Documents and Settings\Ron\Application Data\ratorefaci\sysrtmvs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\urrppm.dll",setvm
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [Generic Host Process For Win32 Services] C:\WINDOWS\system32\svñhost.exe
O4 - HKCU\..\Policies\Explorer\Run: [Client Server Runtime Process] C:\WINDOWS\system32\ñsrss.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - http://aerial.leepa....plugins/ncs.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O20 - Winlogon Notify: elsons - C:\WINDOWS\SYSTEM32\elsons.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe

--
End of file - 5428 bytes
  • 0

#8
loophole
Posted 22 March 2007 - 01:58 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :whistling:

Good work

Ok please download the attached zip file [attachment=13581:fixit.zip], extract it to your desktop and only to your desktop. it should create a new folder called fixit. open this folder and double click the fixit.bat. I'm assuming you still cant get into normal windows, this needs to be ran from safe mode

after combofix runs please post the results back into this thread and let me know if you can boot to normal windows yet
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP