VUNDO (vtsqo.dll) - pop ups, changes advertisements, bogs down compute


This topic is locked

#1 rascluk (Member, 14 posts)
Hi, I've been trying to get rid of Vundo for a couple of months. I used to have Norton Antivirus and switched to Trend Micro when my subscription to Norton was up, but Trend could not get rid of Vundo. Every time I use Internet Explorer I get additional pop-up windows, and the web advertisements on the pages also change, telling me I am infected with a virus. I have tried all your suggestions on your site with no luck. I have run Trend Micro scan, AVG, SuperAntiVirus, Vundofix, Virtumundobegone and others, and every time vtsqo.dll in the windows/sys32 directory is the only one I can't get rid of (Trend Micro tells me the name is Cryp_Tap). I would appreciate any suggestions or help. Thanks in advance.

Here is a hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:54 AM, on 02/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\lxbtbmgr.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\DeleteSatellite.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\UfSeAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqo.exe
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\DOCUME~1\STEVEK~1\LOCALS~1\Temp\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 14577 bytes



Here is SuperAntiSpyware Log:

SUPERAntiSpyware Scan Log
Generated 01/01/2008 at 11:52 AM

Application Version : 3.6.1000

Core Rules Database Version : 3371
Trace Rules Database Version: 1366

Scan type : Complete Scan
Total Scan Time : 01:41:24

Memory items scanned : 563
Memory threats detected : 1
Registry items scanned : 7083
Registry threats detected : 5
File items scanned : 97307
File threats detected : 12

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\VTSQO.DLL
C:\WINDOWS\SYSTEM32\VTSQO.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{783150EC-B350-430E-ABF7-741A90640490}
HKCR\CLSID\{783150EC-B350-430E-ABF7-741A90640490}
HKCR\CLSID\{783150EC-B350-430E-ABF7-741A90640490}\InprocServer32
HKCR\CLSID\{783150EC-B350-430E-ABF7-741A90640490}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{783150EC-B350-430E-ABF7-741A90640490}

Adware.Tracking Cookie
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][2].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][2].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][2].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt
C:\Documents and Settings\Steve Kulcsar\Cookies\steve [email protected][1].txt

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\OQSTV.INI
C:\WINDOWS\SYSTEM32\OQSTV.INI2

Here is Panda Log:


Incident Status Location

Adware:adware/sahagent Not disinfected c:\windows\system32\SahHtml.exe
Adware:adware/mediatickets Not disinfected c:\windows\mtu.bat
Adware:adware/sbsoft Not disinfected c:\windows\webdlg32.inf
Adware:adware/ncase Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Steve Kulcsar\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Steve Kulcsar\Desktop\VirtumundoBeGone.exe
Adware:Adware/EliteBar Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R62RGMOP\silent_install[1].exe


I ran AVG in SAFE MODE as suggested, but it would not let me save the report. If needed I can try again and post it. Thank you.
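Added example for this thread (not part of the post, of HijackThis or of ComboFix): a small Python triage script that applies, mechanically, the checks a helper applies by eye to the logs above. It flags Run-key entries that name a bare executable with no directory (the thyhta.exe / wserv32.exe style entries), autoruns registered under the SYSTEM account's hive, a non-empty win.ini load= value, and an LSA Authentication Packages list that contains anything besides msv1_0. That last entry is what makes vtsqo.dll so hard to remove: a DLL registered there is loaded into lsass.exe at boot, so it is in use for as long as Windows is running. The sample lines are copied from the logs in this post; the rule names and the heuristics are my own, and a bare-name entry is a "look at this" flag rather than a verdict (AGRSMMSG.exe, a modem tray program, is flagged too).

```python
"""Triage helper for HijackThis O4/F3 lines and the ComboFix LSA line.

Added example for this thread; it is not part of HijackThis, ComboFix or
the poster's own material. It applies a few defender-side heuristics to
the persistence entries those tools print and returns the lines a helper
would look at first.
"""
import re
from dataclasses import dataclass
from typing import List

# Authentication packages present on a stock Windows XP install.
KNOWN_LSA_PACKAGES = {"msv1_0"}

# Hives under which ordinary software almost never registers an autorun:
# the SYSTEM account (S-1-5-18) and the .DEFAULT profile.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<target>\S+)")
LSA_RE = re.compile(r"^Authentication Packages REG_MULTI_SZ (?P<pkgs>.+)$")


@dataclass(frozen=True)
class Finding:
    rule: str    # heuristic that fired (names are my own)
    detail: str  # the file or package the rule is about
    line: str    # the original log line


def executable_of(target: str) -> str:
    """Return the program a Run-key value actually launches.

    Handles quoted paths, trailing arguments, the "(User 'SYSTEM')"
    annotation HijackThis appends, and rundll32 wrappers, where the
    interesting file is the DLL argument rather than rundll32 itself.
    """
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        exe = target[1:end] if end > 0 else target[1:]
        rest = target[end + 1:].split() if end > 0 else []
    else:
        parts = target.split()
        exe, rest = (parts[0], parts[1:]) if parts else ("", [])
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32", "rundll32.exe") and rest:
        exe = rest[0].split(",", 1)[0]
    return exe


def is_unqualified(exe: str) -> bool:
    """True when the entry names a file with no directory at all (e.g. thyhta.exe)."""
    return bool(exe) and "\\" not in exe and ":" not in exe


def triage(log_text: str) -> List[Finding]:
    """Run the heuristics over every line of a pasted log and collect findings."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["target"])
            if is_unqualified(exe):
                findings.append(Finding("bare-executable", exe, line))
            if m["hive"].startswith(SYSTEM_HIVES):
                findings.append(Finding("system-hive-autorun", exe, line))
            continue
        m = F3_RE.match(line)
        if m:
            # win.ini load=/run= is a legacy autostart that modern software does not use.
            findings.append(Finding("win-ini-" + m["key"], m["target"], line))
            continue
        m = LSA_RE.match(line)
        if m:
            # ComboFix prints the REG_MULTI_SZ entries space separated, so a
            # package path containing spaces would need smarter splitting.
            for pkg in m["pkgs"].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("lsa-extra-package", pkg, line))
    return findings


# Constructed sample: lines copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtsqo.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtsqo.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.detail:40} <- {f.line}")
```

Run it on a full pasted log and read the findings top down: the LSA and win.ini hits are the ones worth dealing with first, since they explain both the locked file and the process that keeps relaunching; the bare-name Run entries are the lines to compare against what the machine should legitimately be starting.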



#2 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Hello and Welcome to Geekstogo! :)

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 rascluk (Topic Starter, Member, 14 posts)
Thank you for the help.

Here is the combofix log:

ComboFix 08-02-25 - Steve Kulcsar 2008-02-24 16:02:32.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.118 [GMT -6:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\GhostSurf 2005\DeleteSatellite.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Temp\bkR11
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
C:\WINDOWS\system32\bcjoapoh.ini
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\fwwgddpf.ini
C:\WINDOWS\system32\iraeftdc.ini
C:\WINDOWS\system32\oqstv.ini
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX1D.tmp
C:\WINDOWS\system32\SahHtml.exe
C:\WINDOWS\system32\tiywvexd.ini
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 11:12 . 2008-02-24 11:12 5,779 --a------ C:\WINDOWS\system32\sacestpp.dll
2008-02-24 11:11 . 2008-02-24 11:11 5,765 --a------ C:\WINDOWS\system32\xfkrslvy.dll
2008-02-24 11:02 . 2008-02-24 11:02 5,779 --a------ C:\WINDOWS\system32\pgbrhlvu.dll
2008-02-24 11:02 . 2008-02-24 11:02 5,765 --a------ C:\WINDOWS\system32\qfclynwp.dll
2008-02-23 20:39 . 2008-02-23 20:39 5,779 --a------ C:\WINDOWS\system32\rscgourw.dll
2008-02-23 20:37 . 2008-02-23 20:37 5,765 --a------ C:\WINDOWS\system32\vmusdjnv.dll
2008-02-23 17:42 . 2008-02-23 17:42 5,779 --a------ C:\WINDOWS\system32\pgmqvcdy.dll
2008-02-23 17:39 . 2008-02-23 17:39 5,765 --a------ C:\WINDOWS\system32\qwruhmkv.dll
2008-02-23 15:54 . 2008-02-25 16:03 333,312 --a------ C:\WINDOWS\system32\vtsqo.exe
2008-02-23 15:00 . 2008-02-23 15:00 5,779 --a------ C:\WINDOWS\system32\rwtrujtd.dll
2008-02-23 14:58 . 2008-02-23 14:58 5,765 --a------ C:\WINDOWS\system32\voabokgc.dll
2008-02-23 11:45 . 2008-02-23 11:45 5,765 --a------ C:\WINDOWS\system32\yynrjmrb.dll
2008-02-23 11:42 . 2008-02-23 11:42 5,779 --a------ C:\WINDOWS\system32\nhotmjfu.dll
2008-02-22 11:45 . 2008-02-22 11:45 5,765 --a------ C:\WINDOWS\system32\wcwqcboq.dll
2008-02-22 11:42 . 2008-02-22 11:42 5,779 --a------ C:\WINDOWS\system32\pidbrfaw.dll
2008-02-21 11:42 . 2008-02-21 11:42 5,765 --a------ C:\WINDOWS\system32\hayeopfd.dll
2008-02-21 11:41 . 2008-02-21 11:41 5,779 --a------ C:\WINDOWS\system32\biichwpl.dll
2008-02-21 05:50 . 2008-02-21 05:50 5,765 --a------ C:\WINDOWS\system32\clpobfil.dll
2008-02-21 05:49 . 2008-02-21 05:49 5,779 --a------ C:\WINDOWS\system32\tvxqmpgu.dll
2008-02-20 22:45 . 2008-02-20 22:45 5,765 --a------ C:\WINDOWS\system32\lheeitcd.dll
2008-02-20 22:43 . 2008-02-20 22:43 5,779 --a------ C:\WINDOWS\system32\irikagtj.dll
2008-02-20 21:30 . 2008-02-20 21:30 5,765 --a------ C:\WINDOWS\system32\nsrlvggj.dll
2008-02-20 21:28 . 2008-02-20 21:28 5,779 --a------ C:\WINDOWS\system32\uohatebh.dll
2008-02-20 13:54 . 2008-02-20 13:54 5,765 --a------ C:\WINDOWS\system32\bsealvlg.dll
2008-02-20 13:51 . 2008-02-20 13:51 5,779 --a------ C:\WINDOWS\system32\kelhisoq.dll
2008-02-17 19:40 . 2008-02-17 19:40 5,765 --a------ C:\WINDOWS\system32\yyumtfvl.dll
2008-02-17 08:41 . 2008-02-17 08:41 5,779 --a------ C:\WINDOWS\system32\soaohgnm.dll
2008-02-17 08:40 . 2008-02-17 08:40 5,765 --a------ C:\WINDOWS\system32\fuyhjvks.dll
2008-02-15 17:39 . 2008-02-15 17:39 5,779 --a------ C:\WINDOWS\system32\ogdnpvgo.dll
2008-02-15 17:36 . 2008-02-15 17:36 5,765 --a------ C:\WINDOWS\system32\jcekcakt.dll
2008-02-12 08:11 . 2008-02-12 08:11 5,801 --a------ C:\WINDOWS\system32\bnetjkrm.dll
2008-02-12 08:05 . 2008-02-12 08:05 5,809 --a------ C:\WINDOWS\system32\cdvkykjh.dll
2008-02-11 08:11 . 2008-02-11 08:11 5,801 --a------ C:\WINDOWS\system32\qtyiujnx.dll
2008-02-11 08:08 . 2008-02-11 08:08 5,809 --a------ C:\WINDOWS\system32\pwmjibww.dll
2008-02-09 11:15 . 2008-02-09 11:15 5,801 --a------ C:\WINDOWS\system32\sqtojfcm.dll
2008-02-09 11:09 . 2008-02-09 11:09 5,809 --a------ C:\WINDOWS\system32\bnlystgw.dll
2008-02-08 11:09 . 2008-02-08 11:09 5,801 --a------ C:\WINDOWS\system32\nvdwxlcj.dll
2008-02-08 11:07 . 2008-02-08 11:07 5,809 --a------ C:\WINDOWS\system32\bsgkwqsb.dll
2008-02-07 11:09 . 2008-02-07 11:09 5,801 --a------ C:\WINDOWS\system32\emalgqdc.dll
2008-02-07 11:06 . 2008-02-07 11:06 5,809 --a------ C:\WINDOWS\system32\cdpcmyaq.dll
2008-02-06 04:26 . 2008-02-06 04:26 5,801 --a------ C:\WINDOWS\system32\hdxsffnp.dll
2008-02-05 23:10 . 2008-02-05 23:10 5,809 --a------ C:\WINDOWS\system32\vfpwyswn.dll
2008-02-04 23:13 . 2008-02-04 23:13 5,801 --a------ C:\WINDOWS\system32\mgxfstef.dll
2008-02-04 23:07 . 2008-02-04 23:07 5,809 --a------ C:\WINDOWS\system32\bxyspctp.dll
2008-01-25 19:27 . 2008-01-25 19:27 5,773 --a------ C:\WINDOWS\system32\oohsmcvv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 22:07 --------- d-----w C:\Program Files\Lexmark 5200 Series
2008-02-25 22:07 --------- d-----w C:\Program Files\GhostSurf 2005
2008-02-24 17:02 --------- d-----w C:\Program Files\Lx_cats
2008-02-24 03:21 --------- d-----w C:\Program Files\Kazaa
2008-02-24 03:19 --------- d-----w C:\Program Files\Google
2008-02-24 03:17 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-12-26 17:25 --------- d-----w C:\Program Files\iTunes
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40}

[HKEY_CLASSES_ROOT\clsid\{e7620c98-fccc-40e5-92ec-c7685d2e1e40}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EC525605-2266-4775-8F78-A68A6446465C}]
[HKEY_CLASSES_ROOT\TSToolbar.TSProtectorBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"SureCleanProfessional"="C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [ ]
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 19:56 4841472]
"AGRSMMSG"="AGRSMMSG.exe" []
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Security Updates"="thyhta.exe" []
"Windows XP Service Pack 2"="sp2update.exe" []
"MicrosoftUpdate"="syshelper.exe" []
"MSChoExE"="suge.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wserv32.exe" []
"System Security Updates"="thyhta.exe" []
"MicrosoftUpdate"="syshelper.exe" []
"MSChoExE"="suge.exe" []
"Windows System Serivce"="winserv.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MicrosoftUpdate"="syshelper.exe" []

C:\Documents and Settings\Steve Kulcsar\Start Menu\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 15:47:16 86133]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 00:05:26 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2004-02-25 01:35:22 10872]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-06-25 05:25:38 614531]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 02:15:54 65588]
WinZip Quick Pick.lnk - C:\WinZip\WZQKPICK.EXE [2005-01-10 20:35:02 106560]

C:\DOCUME~1\STEVEK~1\STARTM~1\Programs\Startup\
Scheduler.lnk - C:\Program Files\GhostSurf 2005\Scheduler daemon.exe [2004-03-09 15:47:16 86133]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtsqo.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\GhostSurf 2005\\Proxy.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\explorer.exe"=
"C:\\Program Files\\Java\\j2re1.4.2_01\\launch4j-tmp\\yahtzee.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2003-05-14 16:01]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 22:28]
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys []
S3 Partizan;Partizan;C:\WINDOWS\system32\drivers\Partizan.sys [2007-12-04 05:56]
S4 MicrosoftCorporation;MicrosoftUpdate;"C:\WINDOWS\System32\syshelper.exe" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 16:26:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 16:30:53
ComboFix-quarantined-files.txt 2008-02-25 22:30:43
.
2008-02-13 15:05:21 --- E O F ---


Here is Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:26 PM, on 02/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WinZip\WZQKPICK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 13043 bytes

#4 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
First, download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet access after removing Kazaa.

Next, download KazaaBegone.zip, and unzip it to a convenient location.

Run KazaaBegone
  • Double click KazaaBegone from where you unzipped it.
  • Select Search & destroy all installed components
  • Click Go
  • Close KazaaBegone

In the event that you lose Internet access after removing Kazaa, please double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

---------

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\sacestpp.dll
C:\WINDOWS\system32\xfkrslvy.dll
C:\WINDOWS\system32\pgbrhlvu.dll
C:\WINDOWS\system32\qfclynwp.dll
C:\WINDOWS\system32\rscgourw.dll
C:\WINDOWS\system32\vmusdjnv.dll
C:\WINDOWS\system32\pgmqvcdy.dll
C:\WINDOWS\system32\qwruhmkv.dll
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\rwtrujtd.dll
C:\WINDOWS\system32\voabokgc.dll
C:\WINDOWS\system32\yynrjmrb.dll
C:\WINDOWS\system32\nhotmjfu.dll
C:\WINDOWS\system32\wcwqcboq.dll
C:\WINDOWS\system32\pidbrfaw.dll
C:\WINDOWS\system32\hayeopfd.dll
C:\WINDOWS\system32\biichwpl.dll
C:\WINDOWS\system32\clpobfil.dll
C:\WINDOWS\system32\tvxqmpgu.dll
C:\WINDOWS\system32\lheeitcd.dll
C:\WINDOWS\system32\irikagtj.dll
C:\WINDOWS\system32\nsrlvggj.dll
C:\WINDOWS\system32\uohatebh.dll
C:\WINDOWS\system32\bsealvlg.dll
C:\WINDOWS\system32\kelhisoq.dll
C:\WINDOWS\system32\yyumtfvl.dll
C:\WINDOWS\system32\soaohgnm.dll
C:\WINDOWS\system32\fuyhjvks.dll
C:\WINDOWS\system32\ogdnpvgo.dll
C:\WINDOWS\system32\jcekcakt.dll
C:\WINDOWS\system32\bnetjkrm.dll
C:\WINDOWS\system32\cdvkykjh.dll
C:\WINDOWS\system32\qtyiujnx.dll
C:\WINDOWS\system32\pwmjibww.dll
C:\WINDOWS\system32\sqtojfcm.dll
C:\WINDOWS\system32\bnlystgw.dll
C:\WINDOWS\system32\nvdwxlcj.dll
C:\WINDOWS\system32\bsgkwqsb.dll
C:\WINDOWS\system32\emalgqdc.dll
C:\WINDOWS\system32\cdpcmyaq.dll
C:\WINDOWS\system32\hdxsffnp.dll
C:\WINDOWS\system32\vfpwyswn.dll
C:\WINDOWS\system32\mgxfstef.dll
C:\WINDOWS\system32\bxyspctp.dll
C:\WINDOWS\system32\oohsmcvv.dll



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#5 rascluk (Member, Topic Starter, 14 posts)
Here is the Combofix log:

ComboFix 08-02-25 - Steve Kulcsar 2008-02-25 20:39:01.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -6:00]
Running from: C:\Documents and Settings\Steve Kulcsar\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steve Kulcsar\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\biichwpl.dll
C:\WINDOWS\system32\bnetjkrm.dll
C:\WINDOWS\system32\bnlystgw.dll
C:\WINDOWS\system32\bsealvlg.dll
C:\WINDOWS\system32\bsgkwqsb.dll
C:\WINDOWS\system32\bxyspctp.dll
C:\WINDOWS\system32\cdpcmyaq.dll
C:\WINDOWS\system32\cdvkykjh.dll
C:\WINDOWS\system32\clpobfil.dll
C:\WINDOWS\system32\emalgqdc.dll
C:\WINDOWS\system32\fuyhjvks.dll
C:\WINDOWS\system32\hayeopfd.dll
C:\WINDOWS\system32\hdxsffnp.dll
C:\WINDOWS\system32\irikagtj.dll
C:\WINDOWS\system32\jcekcakt.dll
C:\WINDOWS\system32\kelhisoq.dll
C:\WINDOWS\system32\lheeitcd.dll
C:\WINDOWS\system32\mgxfstef.dll
C:\WINDOWS\system32\nhotmjfu.dll
C:\WINDOWS\system32\nsrlvggj.dll
C:\WINDOWS\system32\nvdwxlcj.dll
C:\WINDOWS\system32\ogdnpvgo.dll
C:\WINDOWS\system32\oohsmcvv.dll
C:\WINDOWS\system32\pgbrhlvu.dll
C:\WINDOWS\system32\pgmqvcdy.dll
C:\WINDOWS\system32\pidbrfaw.dll
C:\WINDOWS\system32\pwmjibww.dll
C:\WINDOWS\system32\qfclynwp.dll
C:\WINDOWS\system32\qtyiujnx.dll
C:\WINDOWS\system32\qwruhmkv.dll
C:\WINDOWS\system32\rscgourw.dll
C:\WINDOWS\system32\rwtrujtd.dll
C:\WINDOWS\system32\sacestpp.dll
C:\WINDOWS\system32\soaohgnm.dll
C:\WINDOWS\system32\sqtojfcm.dll
C:\WINDOWS\system32\tvxqmpgu.dll
C:\WINDOWS\system32\uohatebh.dll
C:\WINDOWS\system32\vfpwyswn.dll
C:\WINDOWS\system32\vmusdjnv.dll
C:\WINDOWS\system32\voabokgc.dll
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\wcwqcboq.dll
C:\WINDOWS\system32\xfkrslvy.dll
C:\WINDOWS\system32\yynrjmrb.dll
C:\WINDOWS\system32\yyumtfvl.dll
.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53, on 2008-02-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage","http://www.sony.com/vaiopeople"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\STEVE KULCSAR\Application Data\Mozilla\Profiles\default\n7ass3bz.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKLM\..\RunServices: [MicrosoftUpdate] syshelper.exe
O4 - HKLM\..\RunServices: [MSChoExE] suge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SureCleanProfessional] "C:\PROGRA~1\PANICW~1\SURECL~1\SRClean.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Security Updates] thyhta.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSChoExE] suge.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] wserv32.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony...ct/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://mooley.axisca...activex/AMC.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral....s/pmupdate2.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart...ploadClient.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - d:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - D:\iPod\Debs Ipod\iPod Updater 2005-11-17\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe (file missing)
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

--
End of file - 13160 bytes

#6 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
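The helper's removal scripts in this thread are written by reading the autorun (O4) lines of the HijackThis logs. The script below is an added example, not part of this thread and not code from HijackThis, ComboFix or the helper: it parses O4 lines in the HijackThis 2.0.2 format shown in the logs above and flags the entries a malware-removal helper would examine first. The sample lines are copied from the log posted above; the flagging heuristics (an executable given as a bare filename with no install path, the Windows 9x/Me RunServices key, entries registered in the SYSTEM or default-user hive under HKUS, and entry names that imitate Windows update or security components) are this example's own assumptions and yield leads to check by hand, not verdicts.

```python
"""Triage of HijackThis O4 (autorun) entries.

Added example for this thread (not code from HijackThis, ComboFix or the
helper's scripts): parse O4 lines in the HijackThis 2.0.2 format shown in the
logs above and flag the entries a malware-removal helper would examine first.
All heuristics are this example's own assumptions; a hit is a lead, not a verdict.
"""
import re

# Registry-based O4 line, e.g.
#   O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder O4 line, e.g.
#   O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O4_DIR = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")

# Words malware commonly puts in an autorun entry name to pass as a Windows
# component (assumed heuristic list, not an official one).
SUSPECT_WORDS = ("update", "security", "service pack", "microsoft")

# Constructed sample: eleven O4 lines copied from the HijackThis log posted
# above, chosen so that each line shape the parser handles appears once.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [System Security Updates] thyhta.exe
O4 - HKLM\..\RunServices: [Windows XP Service Pack 2] sp2update.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] wserv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows System Serivce] winserv.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [MicrosoftUpdate] syshelper.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
"""


def executable(cmd: str) -> str:
    """Return the program a command line launches: its first token, unquoted.
    For a rundll32 host the file of interest is the DLL argument, not rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], "")
    else:
        first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0].strip().strip('"')
    return first


def triage(log_text: str) -> list:
    """Parse every O4 line in log_text and return the flagged entries, each as a
    dict with the entry name, resolved executable, hive, key and reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_REG.match(line)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
        else:
            m = O4_DIR.match(line)
            if not m:
                continue  # not an O4 line, or a shape this example does not parse
            hive = "startup folder"
            key, name, cmd = m.group("key", "name", "cmd")
        exe = executable(cmd)
        reasons = []
        if "\\" not in exe:
            # No directory at all: the file is found by PATH search, and a normal
            # installer records the full install path instead.
            reasons.append("bare filename, no install path recorded")
        if key.lower() == "runservices":
            # RunServices is a Windows 9x/Me autorun key that XP itself does not use.
            reasons.append("RunServices key (Windows 9x/Me key, unused by XP)")
        if hive.startswith("HKUS\\"):
            # S-1-5-18 is the SYSTEM account; .DEFAULT is the logon-screen profile.
            reasons.append("registered in non-interactive profile hive " + hive)
        if any(word in name.lower() for word in SUSPECT_WORDS):
            reasons.append("entry name imitates a Windows update/security component")
        if reasons:
            findings.append({"name": name, "exe": exe, "hive": hive,
                             "key": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['hive']}\\{f['key']}] {f['name']} -> {f['exe']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run stand-alone it prints six flagged entries out of the eleven sample lines. Note that an entry such as [AGRSMMSG] trips only the bare-filename rule and needs a manual check of what the file actually is, whereas the RunServices and HKUS entries with update-themed names accumulate several independent reasons; that accumulation, not any single rule, is what makes the triage useful.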
The Combofix log got cut, can you post it again please?

#7 rascluk (Member, Topic Starter, 14 posts)
I checked and that was all that was in the combofix.txt file, so I repeated your last instruction of moving the CFScript onto ComboFix. ComboFix starts to run and then I get an error that says:

Expired-08-02-25.2
Current date is 2008-02-24.
This copy of Combo Fix has expired.
Please download an updated copy

Also, after this error there is no ComboFix on my computer. So I downloaded it to my Desktop again and the same thing happened. I tried it 3 different times using the 3 links you provided earlier.

Not sure what to do now. I will say the computer hasn't worked this well in months, and since your last instructions I have not had one pop-up window or ad replacement.

Attached Thumbnails

  • combofix_error.jpg


#8 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Quite odd.

Let's do this instead:

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\biichwpl.dll
    C:\WINDOWS\system32\bnetjkrm.dll
    C:\WINDOWS\system32\bnlystgw.dll
    C:\WINDOWS\system32\bsealvlg.dll
    C:\WINDOWS\system32\bsgkwqsb.dll
    C:\WINDOWS\system32\bxyspctp.dll
    C:\WINDOWS\system32\cdpcmyaq.dll
    C:\WINDOWS\system32\cdvkykjh.dll
    C:\WINDOWS\system32\clpobfil.dll
    C:\WINDOWS\system32\emalgqdc.dll
    C:\WINDOWS\system32\fuyhjvks.dll
    C:\WINDOWS\system32\hayeopfd.dll
    C:\WINDOWS\system32\hdxsffnp.dll
    C:\WINDOWS\system32\irikagtj.dll
    C:\WINDOWS\system32\jcekcakt.dll
    C:\WINDOWS\system32\kelhisoq.dll
    C:\WINDOWS\system32\lheeitcd.dll
    C:\WINDOWS\system32\mgxfstef.dll
    C:\WINDOWS\system32\nhotmjfu.dll
    C:\WINDOWS\system32\nsrlvggj.dll
    C:\WINDOWS\system32\nvdwxlcj.dll
    C:\WINDOWS\system32\ogdnpvgo.dll
    C:\WINDOWS\system32\oohsmcvv.dll
    C:\WINDOWS\system32\pgbrhlvu.dll
    C:\WINDOWS\system32\pgmqvcdy.dll
    C:\WINDOWS\system32\pidbrfaw.dll
    C:\WINDOWS\system32\pwmjibww.dll
    C:\WINDOWS\system32\qfclynwp.dll
    C:\WINDOWS\system32\qtyiujnx.dll
    C:\WINDOWS\system32\qwruhmkv.dll
    C:\WINDOWS\system32\rscgourw.dll
    C:\WINDOWS\system32\rwtrujtd.dll
    C:\WINDOWS\system32\sacestpp.dll
    C:\WINDOWS\system32\soaohgnm.dll
    C:\WINDOWS\system32\sqtojfcm.dll
    C:\WINDOWS\system32\tvxqmpgu.dll
    C:\WINDOWS\system32\uohatebh.dll
    C:\WINDOWS\system32\vfpwyswn.dll
    C:\WINDOWS\system32\vmusdjnv.dll
    C:\WINDOWS\system32\voabokgc.dll
    C:\WINDOWS\system32\vtsqo.exe
    C:\WINDOWS\system32\wcwqcboq.dll
    C:\WINDOWS\system32\xfkrslvy.dll
    C:\WINDOWS\system32\yynrjmrb.dll
    C:\WINDOWS\system32\yyumtfvl.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
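For readers who want to see what the "move it and log it" step above actually amounts to, here is an added example that is not part of the thread and not OTMoveIt2's own code. It models the behaviour the helper describes: take a pasted list of paths, move each one that exists into a quarantine folder (keeping the original path beneath it so the file can be restored or examined later), record a "File/Folder ... not found." line for each one that is absent, and write the result to a log named `mmddyyyy_hhmmss.log`. The names `quarantine_files`, `demo`, `quarantine_root` and the fixture files are assumptions made for this example; `vtsqo.exe` is reused from the path list above and the file contents are constructed placeholders.

```python
"""Added example (not from the original thread or from OTMoveIt2):
a minimal move-and-log quarantine routine modelled on the step described above."""
import os
import shutil
import tempfile
from datetime import datetime


def quarantine_files(paths, quarantine_root, now=None):
    """Move every existing path under <quarantine_root>/MovedFiles and write a log.

    Returns (log_path, lines). Missing entries are reported, not treated as errors,
    which is what the "not found" lines in the poster's log correspond to.
    """
    now = now or datetime.now()
    moved_root = os.path.join(quarantine_root, "MovedFiles")
    os.makedirs(moved_root, exist_ok=True)
    lines = []
    for raw in paths:
        path = raw.strip()
        if not path:
            continue  # tolerate blank lines from a pasted list
        if not os.path.lexists(path):
            lines.append(f"File/Folder {path} not found.")
            continue
        # Preserve the original location beneath MovedFiles (drive letter without
        # the colon on Windows, nothing on POSIX) so the move is reversible.
        drive, rest = os.path.splitdrive(os.path.abspath(path))
        dest = os.path.join(moved_root, drive.rstrip(":"), rest.lstrip("\\/"))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        try:
            shutil.move(path, dest)
            lines.append(f"{path} moved successfully.")
        except OSError as exc:
            # A locked file is the case where the real tool asks for a reboot;
            # here it is only recorded.
            lines.append(f"{path} could not be moved: {exc}")
    stamp = now.strftime("%m%d%Y_%H%M%S")
    log_path = os.path.join(moved_root, stamp + ".log")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
        fh.write(f"\nQuarantine log created on {stamp}\n")
    return log_path, lines


def demo():
    """Constructed fixture: one file that exists and one that does not."""
    work = tempfile.mkdtemp(prefix="quarantine_demo_")
    present = os.path.join(work, "sys32", "present.dll")      # assumed name
    missing = os.path.join(work, "sys32", "vtsqo.exe")        # name from the list above
    os.makedirs(os.path.dirname(present))
    with open(present, "wb") as fh:
        fh.write(b"MZ placeholder")  # constructed content, not a real PE file
    log_path, lines = quarantine_files([present, "", missing],
                                       os.path.join(work, "_quarantine"))
    moved_copy_exists = any(
        name == "present.dll"
        for _, _, names in os.walk(os.path.join(work, "_quarantine"))
        for name in names
    )
    return {
        "original_gone": not os.path.exists(present),
        "moved_copy_exists": moved_copy_exists,
        "log_exists": os.path.isfile(log_path),
        "lines": lines,
    }


if __name__ == "__main__":
    for line in demo()["lines"]:
        print(line)
```

Moving instead of deleting is the defensive choice: the suspect file survives for later inspection and the operation can be undone if a legitimate file was listed by mistake. In rascluk's reply that follows, every entry came back "not found" because an earlier tool had already removed the files, which is exactly the branch this routine reports rather than fails on.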

#9 rascluk (Member, Topic Starter, 14 posts)
Here is the log for Move It:

File/Folder C:\WINDOWS\system32\biichwpl.dll not found.
File/Folder C:\WINDOWS\system32\bnetjkrm.dll not found.
File/Folder C:\WINDOWS\system32\bnlystgw.dll not found.
File/Folder C:\WINDOWS\system32\bsealvlg.dll not found.
File/Folder C:\WINDOWS\system32\bsgkwqsb.dll not found.
File/Folder C:\WINDOWS\system32\bxyspctp.dll not found.
File/Folder C:\WINDOWS\system32\cdpcmyaq.dll not found.
File/Folder C:\WINDOWS\system32\cdvkykjh.dll not found.
File/Folder C:\WINDOWS\system32\clpobfil.dll not found.
File/Folder C:\WINDOWS\system32\emalgqdc.dll not found.
File/Folder C:\WINDOWS\system32\fuyhjvks.dll not found.
File/Folder C:\WINDOWS\system32\hayeopfd.dll not found.
File/Folder C:\WINDOWS\system32\hdxsffnp.dll not found.
File/Folder C:\WINDOWS\system32\irikagtj.dll not found.
File/Folder C:\WINDOWS\system32\jcekcakt.dll not found.
File/Folder C:\WINDOWS\system32\kelhisoq.dll not found.
File/Folder C:\WINDOWS\system32\lheeitcd.dll not found.
File/Folder C:\WINDOWS\system32\mgxfstef.dll not found.
File/Folder C:\WINDOWS\system32\nhotmjfu.dll not found.
File/Folder C:\WINDOWS\system32\nsrlvggj.dll not found.
File/Folder C:\WINDOWS\system32\nvdwxlcj.dll not found.
File/Folder C:\WINDOWS\system32\ogdnpvgo.dll not found.
File/Folder C:\WINDOWS\system32\oohsmcvv.dll not found.
File/Folder C:\WINDOWS\system32\pgbrhlvu.dll not found.
File/Folder C:\WINDOWS\system32\pgmqvcdy.dll not found.
File/Folder C:\WINDOWS\system32\pidbrfaw.dll not found.
File/Folder C:\WINDOWS\system32\pwmjibww.dll not found.
File/Folder C:\WINDOWS\system32\qfclynwp.dll not found.
File/Folder C:\WINDOWS\system32\qtyiujnx.dll not found.
File/Folder C:\WINDOWS\system32\qwruhmkv.dll not found.
File/Folder C:\WINDOWS\system32\rscgourw.dll not found.
File/Folder C:\WINDOWS\system32\rwtrujtd.dll not found.
File/Folder C:\WINDOWS\system32\sacestpp.dll not found.
File/Folder C:\WINDOWS\system32\soaohgnm.dll not found.
File/Folder C:\WINDOWS\system32\sqtojfcm.dll not found.
File/Folder C:\WINDOWS\system32\tvxqmpgu.dll not found.
File/Folder C:\WINDOWS\system32\uohatebh.dll not found.
File/Folder C:\WINDOWS\system32\vfpwyswn.dll not found.
File/Folder C:\WINDOWS\system32\vmusdjnv.dll not found.
File/Folder C:\WINDOWS\system32\voabokgc.dll not found.
File/Folder C:\WINDOWS\system32\vtsqo.exe not found.
File/Folder C:\WINDOWS\system32\wcwqcboq.dll not found.
File/Folder C:\WINDOWS\system32\xfkrslvy.dll not found.
File/Folder C:\WINDOWS\system32\yynrjmrb.dll not found.
File/Folder C:\WINDOWS\system32\yyumtfvl.dll not found.

OTMoveIt2 v1.0.20 log created on 02252008_173521

#10 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Looks like Combofix got it after all. :)

  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Are you still having any problems?

#11 rascluk (Member, Topic Starter, 14 posts)
Finished the last step - just rebooted. Computer seems to be working like it was a few months ago - no popups and not bogging down. You guys are amazing! Thank you! Is there somewhere to donate on your website? You guys are awesome for helping those who are not as computer literate as you. Thank you again!

#12 Tigger93 (Trusted Helper, Retired Staff, 1,870 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.