vtsqo.dll Vundo CANT Remove; Reboots + MORE [CLOSED]


  • This topic is locked

#1 thedroop (New Member, 4 posts)
Hello! First I would like to thank you for this great forum. I have had troubles before and always found a solution while searching these threads. Now I have an issue none of these threads can help me with; maybe you can? PLEASE!

Okay, here is my issue:

Basically my desktop disappears but everything works fine. I have to press CTRL-ALT-DEL > File > New Task and, for example, type "c:"; then I can access my desktop and the files within for about a 5-8 second time frame.

Okay, here is my problem. I think I see what I need to delete; for example, here is the VundoFix.txt info. HERE IS MY PROBLEM!

I will run the Vundo scan for about 20 minutes and it finally finds some files. When I hit "Remove Vundo"

it starts to remove them... but then BOOM, I get a bluescreen and it says something along the lines of "If this is the first time you have seen this screen, please restart your computer normally" and all this other stuff.

AND I CAN NOT BOOT INTO SAFE MODE AT ALL! It just gets into safe mode and reboots itself.


Here is what VundoFix.txt says:

VundoFix V6.7.8

Checking Java version...

Scan started at 6:45:02 AM 2/10/2008

Listing files found while scanning....

C:\WINDOWS\system32\NCTAudioCDGrabber2.dll
C:\WINDOWS\system32\NCTAudioFile2.dll
C:\WINDOWS\system32\NCTAudioPlayer2.dll
C:\WINDOWS\system32\NCTAudioRecord2.dll
C:\WINDOWS\system32\NCTAVIFile.dll
C:\WINDOWS\system32\NCTQuickTimeFile.dll
C:\WINDOWS\system32\NCTVideoCoreM.dll
C:\WINDOWS\system32\NCTWMAFile2.dll
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\vtsqo.exe

Beginning removal...

When it starts the removal process my PC goes to that screen about 4 seconds after I click "Remove Vundo".

Look2Me-Destroyer does the same thing.
I also have a full version of XoftSpySE; that also did nothing for me.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:44 PM, on 2/10/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187668526781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 2843 bytes

Thank you so much for the assistance, I have no idea what to do.

I'll just keep trying in the meantime, thanks.
#2 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

#3 thedroop (Topic Starter, 4 posts)
ComboFix 08-02-12.1 - Randy Lewis 2008-02-12 13:17:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702 [GMT -8:00]
Running from: C:\Documents and Settings\Randy Lewis\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-10 19:44 . 2008-02-10 19:44 77 --a------ C:\WINDOWS\lsoon.ini
2008-02-10 19:38 . 2008-02-10 19:38 19,456 --a------ C:\WINDOWS\system32\Partizan.exe
2008-02-10 19:38 . 2008-02-10 19:38 41 --a------ C:\WINDOWS\system32\Partizan.RRI
2008-02-10 19:37 . 2008-02-10 19:37 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\Regrun
2008-02-10 19:37 . 2008-02-10 19:44 <DIR> d-------- C:\backreg
2008-02-10 19:37 . 2008-02-10 19:53 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-02-10 19:37 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-10 19:31 . 2008-02-10 19:31 <DIR> d-------- C:\Program Files\Greatis
2008-02-10 18:54 . 2008-02-10 18:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:34 . 2008-02-10 18:34 339,968 --a------ C:\WINDOWS\system32\RCX3EA.tmp
2008-02-10 05:57 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-10 05:33 . 2008-02-10 05:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 05:33 . 2008-02-10 05:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 03:35 . 2008-02-10 03:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-02-10 03:05 . 2008-02-10 03:05 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-10 03:05 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 02:22 . 2008-02-10 02:22 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\URSoft
2008-02-09 03:21 . 2008-02-12 13:07 <DIR> d-------- C:\wIRC
2008-02-09 03:15 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-09 02:38 . 2008-02-09 02:47 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\mIRC
2008-02-06 06:19 . 2008-02-10 02:18 960 --a------ C:\WINDOWS\ARPR.INI
2008-01-31 06:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-31 06:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 18:53 . 2008-01-31 02:46 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Contacts
2008-01-30 18:52 . 2008-01-30 18:52 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-30 18:47 . 2008-01-30 18:51 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-30 18:46 . 2008-01-30 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-01-30 18:46 . 2008-01-30 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-30 18:02 . 2008-01-30 18:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-23 16:45 . 2008-01-23 16:45 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\Aim
2008-01-23 16:44 . 2008-01-23 16:44 <DIR> d-------- C:\Program Files\AOD
2008-01-23 16:44 . 2008-02-10 02:36 <DIR> d-------- C:\Program Files\AIM
2008-01-17 00:02 . 2008-01-17 00:02 <DIR> d-------- C:\Program Files\RAR Password Cracker
2008-01-16 23:44 . 2008-01-16 23:44 <DIR> d-------- C:\Program Files\Intelore
2008-01-16 23:36 . 2008-01-16 23:59 <DIR> d-------- C:\Program Files\Atomic RAR Password Recovery
2008-01-16 14:31 . 2008-01-16 14:31 <DIR> d-------- C:\Program Files\ESEA
2008-01-13 19:35 . 2008-01-17 00:10 <DIR> d-------- C:\Program Files\PDF Password Cracker Pro v3.0
2008-01-13 19:35 . 2008-01-13 19:36 454 --a------ C:\WINDOWS\crackpdf.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 21:17 --------- d-----w C:\Program Files\Steam
2008-02-11 02:32 --------- d-----w C:\Program Files\XoftSpySE
2008-02-10 13:56 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-10 13:56 --------- d-----w C:\Program Files\Bonjour
2008-02-10 11:05 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-02-10 11:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 10:28 --------- d-----w C:\Program Files\Xfire
2008-02-10 10:28 --------- d-----w C:\Program Files\Hide IP Platinum
2008-02-10 10:28 --------- d-----w C:\Program Files\Full Speed
2008-02-09 03:57 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Xfire
2008-02-01 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-24 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-20 11:51 --------- d-----w C:\Program Files\DivX
2008-01-20 09:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 11:57 --------- d-----w C:\Program Files\YoutubeGet
2008-01-10 11:48 --------- d-----w C:\Program Files\Invisible IP Map
2008-01-10 11:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 11:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 11:29 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\TuneUp Software
2008-01-10 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-31 11:00 --------- d-----w C:\Program Files\RapidLeecher
2007-12-30 08:35 --------- d-----w C:\Program Files\PrevxCSI
2007-12-30 08:17 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-30 07:56 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\PrevxCSI
2007-12-30 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 05:46 106,496 ----a-w C:\WINDOWS\SiSUSBrg .exe
2007-12-30 04:08 32,764 ----a-w C:\WINDOWS\17PHolmes11.exe
2007-12-23 08:24 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Ventrilo
2007-12-16 08:31 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Winamp
2007-12-12 11:32 --------- d-----w C:\Program Files\ESET
2007-12-12 11:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2007-12-01 08:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-12-01 08:27 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2007-12-01 08:27 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2007-12-01 08:27 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2007-12-01 08:27 704,512 ----a-w C:\WINDOWS\system32\ss3dfo.scr
2007-12-01 08:27 679,936 ----a-w C:\WINDOWS\system32\sstext3d.scr
2007-12-01 08:27 610,304 ----a-w C:\WINDOWS\system32\sspipes.scr
2007-12-01 08:27 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
2007-12-01 08:27 393,216 ----a-w C:\WINDOWS\system32\ssflwbox.scr
2007-12-01 08:27 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
2007-12-01 08:27 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
2007-12-01 08:27 29,696 ----a-w C:\WINDOWS\system32\format.com
2007-12-01 08:27 220,672 ----a-w C:\WINDOWS\system32\logon.scr
2007-12-01 08:27 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
2007-12-01 08:27 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
2007-12-01 08:27 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
2007-12-01 08:27 165,888 ----a-w C:\WINDOWS\system32\wuauclt1.exe
2007-12-01 08:27 16,896 ----a-w C:\WINDOWS\system32\more.com
2007-12-01 08:27 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2007-12-01 08:27 14,336 ----a-w C:\WINDOWS\system32\ssstars.scr
2007-12-01 08:27 13,824 ----a-w C:\WINDOWS\system32\wscntfy.exe
2007-12-01 08:27 12,800 ----a-w C:\WINDOWS\system32\tree.com
2007-12-01 08:27 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2007-12-01 08:27 11,264 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2007-12-01 08:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2007-12-01 08:26 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
2007-12-01 08:26 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
2007-12-01 08:26 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
2007-12-01 08:26 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2007-12-01 08:26 93,696 ----a-w C:\WINDOWS\system32\tscfgwmi.dll
2007-12-01 08:26 92,672 ----a-w C:\WINDOWS\system32\wlnotify.dll
2007-12-01 08:26 91,648 ----a-w C:\WINDOWS\system32\xactsrv.dll
2007-12-01 08:26 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2007-12-01 08:26 90,112 ----a-w C:\WINDOWS\system32\trkwks.dll
2007-12-01 08:26 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
2007-12-01 08:26 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2007-12-01 08:26 87,040 ----a-w C:\WINDOWS\system32\diantz.exe
2007-12-01 08:26 86,016 ----a-w C:\WINDOWS\system32\netsh.exe
2007-12-01 08:26 858,624 ----a-w C:\WINDOWS\system32\tapi3.dll
2007-12-01 08:26 83,456 ----a-w C:\WINDOWS\system32\dpvsetup.exe
2007-12-01 08:26 82,944 ----a-w C:\WINDOWS\system32\eventtriggers.exe
2007-12-01 08:26 82,944 ----a-w C:\WINDOWS\system32\dfrgfat.exe
2007-12-01 08:26 82,432 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-12-01 08:26 80,896 ----a-w C:\WINDOWS\system32\wscsvc.dll
2007-12-01 08:26 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2007-12-01 08:26 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
2007-12-01 08:26 78,336 ----a-w C:\WINDOWS\system32\tlntsess.exe
2007-12-01 08:26 77,824 ----a-w C:\WINDOWS\system32\tasklist.exe
2007-12-01 08:26 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2007-12-01 08:26 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
.
----a-w			39,792 2007-12-30 05:29:50  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		 1,410,304 2007-12-30 05:46:20  C:\Program Files\ESET\ESET NOD32 Antivirus\egui .exe
----a-w		   310,784 2008-02-11 03:49:45  C:\Program Files\Greatis\RegRunSuite\lsoon .exe
----a-w		   132,496 2007-12-30 05:46:12  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w		   286,720 2008-02-10 10:11:05  C:\Program Files\K-Lite Codec Pack\QuickTime\qttask  .exe
----a-w		 1,266,936 2008-02-10 10:11:12  C:\Program Files\Steam\steam .exe
----a-w		 5,724,184 2008-02-11 03:49:56  C:\Program Files\Windows Live\Messenger\msnmsgr		.exe
----a-w		 6,095,872 2008-02-11 03:49:21  C:\Program Files\Windows Live\Messenger\msnmsgr	   .exe
----a-w		 6,095,872 2008-02-11 03:35:22  C:\Program Files\Windows Live\Messenger\msnmsgr	  .exe
----a-w		 6,095,872 2008-02-11 03:13:32  C:\Program Files\Windows Live\Messenger\msnmsgr	 .exe
----a-w		 6,467,584 2008-02-11 03:07:51  C:\Program Files\Windows Live\Messenger\msnmsgr	.exe
----a-w		 6,095,872 2008-02-10 14:18:48  C:\Program Files\Windows Live\Messenger\msnmsgr   .exe
----a-w		 6,095,872 2008-02-10 14:11:25  C:\Program Files\Windows Live\Messenger\msnmsgr  .exe
----a-w		 5,724,184 2008-02-11 04:12:01  C:\Program Files\Windows Live\Messenger\msnmsgr .exe
----a-w		   106,496 2007-12-30 05:46:06  C:\WINDOWS\SiSUSBrg .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-12-01 00:26 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]

[HKLM\~\startupfolder\C:^Documents and Settings^Randy Lewis^Start Menu^Programs^Startup^Xfire.lnk]
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Randy Lewis^Start Menu^Programs^Startup^YouTube Uploader.lnk]
backup=C:\WINDOWS\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2007-12-03 16:56 19952 C:\Documents and Settings\Randy Lewis\Local Settings\Application Data\Google\Update\1.0.91.0\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleIPMap]
--a------ 2007-09-18 12:21 2475520 C:\Program Files\Invisible IP Map\InvisibleIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\system32\vtsqo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-02-10 02:10 6095872 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyWay]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2007-12-01 00:26]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-02-10 19:53]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-10 03:05]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-02-07 19:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-12 21:08:50 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-11 02:27:33 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 13:18:40
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 13:19:28
ComboFix-quarantined-files.txt 2008-02-12 21:19:01
ComboFix2.txt 2007-12-30 08:46:43
.
2008-02-01 11:02:54 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:20:25 PM, on 2/12/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Regrun2] C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1187668526781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

--
End of file - 2887 bytes

Nice! ComboFix seemed to delete and fix the issue right away; some programs get funny errors but I think I can fix that.

Let me know if anything looks fishy, otherwise I think I'm fixed :)

thank you so much!!!
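The two logs quoted above carry the indicators a responder would key on: the VundoFix listing in post #1 shows a randomly named DLL/EXE pair (vtsqo.dll, vtsqo.exe) next to .ini/.ini2 files whose name is the same string reversed (oqstv), and the ComboFix report in post #3 shows an msconfig startupreg entry named Load that points at C:\WINDOWS\system32\vtsqo.exe. The script below is an added example, not code from Geeks to Go, VundoFix or ComboFix; it parses log text in those two formats and flags reversed-name file pairs plus any autostart entry whose target is one of them. The sample strings are constructed from lines quoted in the thread, and the reversed-name rule is a heuristic drawn from this thread's files, not a general Vundo signature.

```python
"""Triage helper for VundoFix/ComboFix log text.

Added example for this thread, not a tool from Geeks to Go, VundoFix or ComboFix.
Two heuristics, both taken from the logs posted above:
  1. A DLL/EXE whose base name, reversed, is also present as an .ini/.ini2
     file (vtsqo.dll / vtsqo.exe  <->  oqstv.ini / oqstv.ini2).
  2. An autostart entry (a ComboFix '[...startupreg\\Name]' block) whose
     target is one of those binaries (the 'Load' entry -> vtsqo.exe).
"""
import re
from collections import defaultdict

# Sample input constructed from lines quoted in posts #1 and #3 of the thread.
VUNDOFIX_SAMPLE = """\
Listing files found while scanning....

C:\\WINDOWS\\system32\\NCTAudioCDGrabber2.dll
C:\\WINDOWS\\system32\\oqstv.ini
C:\\WINDOWS\\system32\\oqstv.ini2
C:\\WINDOWS\\system32\\vtsqo.dll
C:\\WINDOWS\\system32\\vtsqo.exe
"""

COMBOFIX_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\Load]
C:\\WINDOWS\\system32\\vtsqo.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\MSMSGS]
--------- 2007-12-01 00:26 1695232 C:\\Program Files\\Messenger\\msmsgs.exe
"""

# A drive-letter path ending in an extension we care about. Paths may contain
# spaces ("C:\Program Files\..."), so match lazily up to the extension instead
# of stopping at the first whitespace.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:ini2|ini|dll|exe|sys)\b", re.IGNORECASE)

BINARY_EXTS = {"dll", "exe"}
CONFIG_EXTS = {"ini", "ini2"}


def split_name(path):
    """Return (stem, ext) of the file name at the end of a Windows path, lowercased."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return stem.lower(), ext.lower()


def extract_paths(text):
    """All drive-letter paths with an interesting extension, in order of appearance."""
    return [m.group(0) for m in PATH_RE.finditer(text)]


def find_reversed_pairs(paths):
    """(binary_stem, config_stem) pairs where the config stem is the binary stem reversed."""
    exts_by_stem = defaultdict(set)
    for p in paths:
        stem, ext = split_name(p)
        exts_by_stem[stem].add(ext)
    pairs = []
    for stem, exts in exts_by_stem.items():
        rev = stem[::-1]
        # Palindromic names would pair with themselves; skip those.
        if (exts & BINARY_EXTS and rev != stem
                and exts_by_stem.get(rev, set()) & CONFIG_EXTS):
            pairs.append((stem, rev))
    return sorted(pairs)


def find_autostart_hits(combofix_text, suspicious_stems):
    """(registry_key, target_path) for autostart blocks whose target stem is suspicious."""
    hits = []
    current_key = None
    for raw in combofix_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # start of a new registry block
            continue
        m = PATH_RE.search(line)
        if m and current_key:
            stem, _ = split_name(m.group(0))
            if stem in suspicious_stems:
                hits.append((current_key, m.group(0)))
    return hits


def triage(vundofix_text, combofix_text):
    """Run both heuristics and return the findings as a dict."""
    pairs = find_reversed_pairs(extract_paths(vundofix_text))
    stems = {binary for binary, _ in pairs}
    return {
        "reversed_pairs": pairs,
        "autostart": find_autostart_hits(combofix_text, stems),
    }


if __name__ == "__main__":
    for kind, items in triage(VUNDOFIX_SAMPLE, COMBOFIX_SAMPLE).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run it against a saved VundoFix.txt and ComboFix.txt by reading the files into the two arguments of triage(). A hit is a lead to confirm against the rest of the logs (for instance the O4 and O23 lines of the HijackThis log), not a verdict on its own; the script does not delete anything.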

#4 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
1. Close any open browsers.

Download the attached CFScript file to the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

#5 thedroop (Topic Starter, 4 posts)
I spoke too soon earlier. It came back; I did another ComboFix scan, then I did the new ComboFix scan, and here is the new log:

ComboFix 08-02-12.1 - Randy Lewis 2008-02-12 18:03:23.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.663 [GMT -8:00]
Running from: C:\Documents and Settings\Randy Lewis\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Randy Lewis\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\17PHolmes11.exe
C:\WINDOWS\system32\vtsqo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\17PHolmes11.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-10 19:44 . 2008-02-10 19:44 77 --a------ C:\WINDOWS\lsoon.ini
2008-02-10 19:38 . 2008-02-10 19:38 19,456 --a------ C:\WINDOWS\system32\Partizan.exe
2008-02-10 19:38 . 2008-02-10 19:38 41 --a------ C:\WINDOWS\system32\Partizan.RRI
2008-02-10 19:37 . 2008-02-10 19:37 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\Regrun
2008-02-10 19:37 . 2008-02-10 19:44 <DIR> d-------- C:\backreg
2008-02-10 19:37 . 2008-02-10 19:53 25,773 --a------ C:\WINDOWS\system32\drivers\regguard.sys
2008-02-10 19:37 . C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2008-02-10 19:31 . 2008-02-10 19:31 <DIR> d-------- C:\Program Files\Greatis
2008-02-10 18:54 . 2008-02-10 18:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-10 18:34 . 2008-02-10 18:34 339,968 --a------ C:\WINDOWS\system32\RCX3EA.tmp
2008-02-10 05:57 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-02-10 05:33 . 2008-02-10 05:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-10 05:33 . 2008-02-10 05:33 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-10 03:35 . 2008-02-10 03:35 <DIR> d-------- C:\Program Files\CleanUp!
2008-02-10 03:05 . 2008-02-10 03:05 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-02-10 03:05 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-02-10 02:22 . 2008-02-10 02:22 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\URSoft
2008-02-09 03:21 . 2008-02-12 13:23 <DIR> d-------- C:\wIRC
2008-02-09 03:15 . 1999-12-17 10:13 86,016 --a------ C:\WINDOWS\unvise32.exe
2008-02-09 02:38 . 2008-02-09 02:47 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\mIRC
2008-02-06 06:19 . 2008-02-10 02:18 960 --a------ C:\WINDOWS\ARPR.INI
2008-01-31 06:23 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-01-31 06:23 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-01-30 18:53 . 2008-01-31 02:46 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Contacts
2008-01-30 18:52 . 2008-01-30 18:52 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-30 18:47 . 2008-01-30 18:51 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-30 18:46 . 2008-01-30 18:52 <DIR> d-------- C:\Program Files\Windows Live
2008-01-30 18:46 . 2008-01-30 18:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-30 18:02 . 2008-01-30 18:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-23 16:45 . 2008-01-23 16:45 <DIR> d-------- C:\Documents and Settings\Randy Lewis\Application Data\Aim
2008-01-23 16:44 . 2008-01-23 16:44 <DIR> d-------- C:\Program Files\AOD
2008-01-23 16:44 . 2008-02-10 02:36 <DIR> d-------- C:\Program Files\AIM
2008-01-17 00:02 . 2008-01-17 00:02 <DIR> d-------- C:\Program Files\RAR Password Cracker
2008-01-16 23:44 . 2008-01-16 23:44 <DIR> d-------- C:\Program Files\Intelore
2008-01-16 23:36 . 2008-01-16 23:59 <DIR> d-------- C:\Program Files\Atomic RAR Password Recovery
2008-01-16 14:31 . 2008-01-16 14:31 <DIR> d-------- C:\Program Files\ESEA
2008-01-13 19:35 . 2008-01-17 00:10 <DIR> d-------- C:\Program Files\PDF Password Cracker Pro v3.0
2008-01-13 19:35 . 2008-01-13 19:36 454 --a------ C:\WINDOWS\crackpdf.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 02:03 --------- d-----w C:\Program Files\Steam
2008-02-11 02:32 --------- d-----w C:\Program Files\XoftSpySE
2008-02-10 13:56 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-10 13:56 --------- d-----w C:\Program Files\Bonjour
2008-02-10 11:05 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-02-10 11:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-10 10:28 --------- d-----w C:\Program Files\Xfire
2008-02-10 10:28 --------- d-----w C:\Program Files\Hide IP Platinum
2008-02-10 10:28 --------- d-----w C:\Program Files\Full Speed
2008-02-09 03:57 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Xfire
2008-02-01 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-24 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-20 11:51 --------- d-----w C:\Program Files\DivX
2008-01-20 09:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 11:57 --------- d-----w C:\Program Files\YoutubeGet
2008-01-10 11:48 --------- d-----w C:\Program Files\Invisible IP Map
2008-01-10 11:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-10 11:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 11:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 11:29 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\TuneUp Software
2008-01-10 11:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-31 11:00 --------- d-----w C:\Program Files\RapidLeecher
2007-12-30 08:35 --------- d-----w C:\Program Files\PrevxCSI
2007-12-30 08:17 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2007-12-30 07:56 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\PrevxCSI
2007-12-30 07:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 05:46 106,496 ----a-w C:\WINDOWS\SiSUSBrg.exe
2007-12-23 08:24 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Ventrilo
2007-12-16 08:31 --------- d-----w C:\Documents and Settings\Randy Lewis\Application Data\Winamp
2007-12-01 08:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2007-12-01 08:27 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2007-12-01 08:27 9,216 ----a-w C:\WINDOWS\system32\scrnsave.scr
2007-12-01 08:27 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2007-12-01 08:27 704,512 ----a-w C:\WINDOWS\system32\ss3dfo.scr
2007-12-01 08:27 679,936 ----a-w C:\WINDOWS\system32\sstext3d.scr
2007-12-01 08:27 610,304 ----a-w C:\WINDOWS\system32\sspipes.scr
2007-12-01 08:27 47,104 ----a-w C:\WINDOWS\system32\ssmypics.scr
2007-12-01 08:27 393,216 ----a-w C:\WINDOWS\system32\ssflwbox.scr
2007-12-01 08:27 32,256 ----a-w C:\WINDOWS\system32\wpabaln.exe
2007-12-01 08:27 30,720 ----a-w C:\WINDOWS\system32\xcopy.exe
2007-12-01 08:27 29,696 ----a-w C:\WINDOWS\system32\format.com
2007-12-01 08:27 220,672 ----a-w C:\WINDOWS\system32\logon.scr
2007-12-01 08:27 20,992 ----a-w C:\WINDOWS\system32\ssmarque.scr
2007-12-01 08:27 19,968 ----a-w C:\WINDOWS\system32\ssbezier.scr
2007-12-01 08:27 18,944 ----a-w C:\WINDOWS\system32\ssmyst.scr
2007-12-01 08:27 165,888 ----a-w C:\WINDOWS\system32\wuauclt1.exe
2007-12-01 08:27 16,896 ----a-w C:\WINDOWS\system32\more.com
2007-12-01 08:27 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2007-12-01 08:27 14,336 ----a-w C:\WINDOWS\system32\ssstars.scr
2007-12-01 08:27 13,824 ----a-w C:\WINDOWS\system32\wscntfy.exe
2007-12-01 08:27 12,800 ----a-w C:\WINDOWS\system32\tree.com
2007-12-01 08:27 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2007-12-01 08:27 11,264 ----a-w C:\WINDOWS\system32\wpnpinst.exe
2007-12-01 08:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
2007-12-01 08:26 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
2007-12-01 08:26 98,304 ----a-w C:\WINDOWS\system32\ahui.exe
2007-12-01 08:26 96,768 ----a-w C:\WINDOWS\system32\srvsvc.dll
2007-12-01 08:26 95,744 ----a-w C:\WINDOWS\system32\scardsvr.exe
2007-12-01 08:26 93,696 ----a-w C:\WINDOWS\system32\tscfgwmi.dll
2007-12-01 08:26 92,672 ----a-w C:\WINDOWS\system32\wlnotify.dll
2007-12-01 08:26 91,648 ----a-w C:\WINDOWS\system32\xactsrv.dll
2007-12-01 08:26 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2007-12-01 08:26 90,112 ----a-w C:\WINDOWS\system32\trkwks.dll
2007-12-01 08:26 9,216 ----a-w C:\WINDOWS\system32\proxycfg.exe
2007-12-01 08:26 89,600 ----a-w C:\WINDOWS\system32\smlogsvc.exe
2007-12-01 08:26 87,040 ----a-w C:\WINDOWS\system32\diantz.exe
2007-12-01 08:26 86,016 ----a-w C:\WINDOWS\system32\netsh.exe
2007-12-01 08:26 858,624 ----a-w C:\WINDOWS\system32\tapi3.dll
2007-12-01 08:26 83,456 ----a-w C:\WINDOWS\system32\dpvsetup.exe
2007-12-01 08:26 82,944 ----a-w C:\WINDOWS\system32\eventtriggers.exe
2007-12-01 08:26 82,944 ----a-w C:\WINDOWS\system32\dfrgfat.exe
2007-12-01 08:26 82,432 ----a-w C:\WINDOWS\system32\ws2_32.dll
2007-12-01 08:26 80,896 ----a-w C:\WINDOWS\system32\wscsvc.dll
2007-12-01 08:26 8,192 ----a-w C:\WINDOWS\system32\smbinst.exe
2007-12-01 08:26 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
2007-12-01 08:26 78,336 ----a-w C:\WINDOWS\system32\tlntsess.exe
2007-12-01 08:26 77,824 ----a-w C:\WINDOWS\system32\tasklist.exe
2007-12-01 08:26 77,824 ----a-w C:\WINDOWS\system32\shrpubw.exe
2007-12-01 08:26 77,312 ----a-w C:\WINDOWS\system32\sdbinst.exe
2007-12-01 08:26 77,312 ----a-w C:\WINDOWS\system32\rtcshare.exe
2007-12-01 08:26 769,024 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
2007-12-01 08:26 76,800 ----a-w C:\WINDOWS\system32\nslookup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Regrun2"="C:\PROGRA~1\Greatis\REGRUN~1\WatchDog.exe" [ ]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-06-28 23:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-28 23:43 81920]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2007-12-01 00:26 169984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)
"MemCheckBoxInRunDlg"= 0 (0x0)
"NoAutoTrayNotify"= 0 (0x0)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= C:\Program Files\Greatis\RegRunSuite\RRShell.dll [2004-11-02 09:15 368711]

[HKLM\~\startupfolder\C:^Documents and Settings^Randy Lewis^Start Menu^Programs^Startup^Xfire.lnk]
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Randy Lewis^Start Menu^Programs^Startup^YouTube Uploader.lnk]
backup=C:\WINDOWS\pss\YouTube Uploader.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2007-12-03 16:56 19952 C:\Documents and Settings\Randy Lewis\Local Settings\Application Data\Google\Update\1.0.91.0\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InvisibleIPMap]
--a------ 2007-09-18 12:21 2475520 C:\Program Files\Invisible IP Map\InvisibleIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-12-01 00:26 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2008-02-10 19:49 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyWay]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 15:06]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2007-12-01 00:26]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-02-10 19:53]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-02-10 03:05]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-02-09 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-02-07 19:15:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-13 01:57:35 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-02-11 02:27:33 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 18:04:32
Windows 5.1.2600 Service Pack 3, v.3264 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-12 18:05:18
ComboFix-quarantined-files.txt 2008-02-13 02:04:50
ComboFix2.txt 2008-02-13 02:00:52
ComboFix3.txt 2008-02-12 21:51:33
ComboFix4.txt 2008-02-12 21:19:28
ComboFix5.txt 2007-12-30 08:46:43
.
2008-02-01 11:02:54 --- E O F ---



#6
thedroop

    New Member

  • Topic Starter
  • Member
  • 4 posts
Great! I think that did it!

I did the next step you asked me & everything seems to be running fine now!!

Thanks a lot!

#7
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looks good

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Also post a new HijackThis log

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.