
bad infection [CLOSED]

#1
wiccapyre (New Member, 3 posts)
I was trying to repair a computer for a friend. I have tried cleaning it several times; it locked out Task Manager and other things, and now I get constant rundll errors for every program that tries to start. I posted the HijackThis log below. I looked at some posts about similar problems and still no joy. Ad-Aware will not install. I have AVG 8 on it, and no connection to the internet for that computer either, so I have been transferring files on a thumb drive. Any help would be hot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:40 PM, on 7/6/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78C036C4-0C14-4F1C-B414-425141B09697} - C:\Windows\system32\BF.dll (file missing)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TPPOLL10] C:\Program Files\Topro\TP6810\TPPOLL10.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RRT-Auto] E:\RRT.exe auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Raven\lsass.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Raven\AppData\Local\Temp\geBsqRjH.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Raven\AppData\Local\Temp\iifgDVOI.dll,c
O4 - HKCU\..\Run: [62dc5fcf] rundll32.exe "C:\Users\Raven\AppData\Local\Temp\tnsqgbxu.dll",b
O4 - HKCU\..\Run: [Host Process] C:\Users\Raven\svchost.exe
O4 - HKCU\..\Run: [BM61ef6c53] Rundll32.exe "C:\Users\Raven\AppData\Local\Temp\uidrodff.dll",s
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [LSA Shellu] C:\Users\Raven\lsass.exe (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [MSServer] rundll32.exe C:\Users\Raven\AppData\Local\Temp\geBsqRjH.dll,#1 (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [cmds] rundll32.exe C:\Users\Raven\AppData\Local\Temp\iifgDVOI.dll,c (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [62dc5fcf] rundll32.exe "C:\Users\Raven\AppData\Local\Temp\tnsqgbxu.dll",b (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [Host Process] C:\Users\Raven\svchost.exe (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [BM61ef6c53] Rundll32.exe "C:\Users\Raven\AppData\Local\Temp\uidrodff.dll",s (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\Windows\system32\UStorSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7629 bytes
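
For anyone triaging a HijackThis log like the one posted above, here is an added example (not code from the thread, from HijackThis, or from the helper) that parses the F2, O2 and O4 lines and applies the checks a malware-removal volunteer applies by eye: autoruns launched from a user profile or Temp directory, rundll32 loading DLLs from Temp, system-process names such as lsass.exe or svchost.exe living outside the Windows directory, extra Userinit executables, and orphaned BHO registrations. It assumes Windows is installed on C:, and the sample log is constructed from the kinds of entries shown in this thread.

```python
"""Triage helper for HijackThis v2 logs (added example, not part of the thread)."""
import re

# Constructed sample: HijackThis lines of the kind posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O2 - BHO: (no name) - {78C036C4-0C14-4F1C-B414-425141B09697} - C:\Windows\system32\BF.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Raven\lsass.exe
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Raven\AppData\Local\Temp\geBsqRjH.dll,#1
O4 - HKCU\..\Run: [62dc5fcf] rundll32.exe "C:\Users\Raven\AppData\Local\Temp\tnsqgbxu.dll",b
O4 - HKCU\..\Run: [Host Process] C:\Users\Raven\svchost.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Line shapes used by HijackThis v2 for the three sections we examine.
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Process names that legitimately live only in the Windows directory.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "smss.exe", "explorer.exe"}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}   # assumption: Windows on C:
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"      # the only expected Userinit entry


def _first_token(cmd):
    """Split a Run value into (program, remaining arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def _path_reasons(path):
    """Why a program or DLL path looks out of place (empty list if it does not)."""
    low = path.lower()
    directory, _, base = low.rpartition("\\")
    reasons = []
    if "\\temp\\" in low:
        reasons.append("is located in a Temp directory")
    elif low.startswith("c:\\users\\") or "\\documents and settings\\" in low:
        reasons.append("is located under a user profile")
    if base in SYSTEM_PROCESS_NAMES and directory not in WINDOWS_DIRS:
        reasons.append(f"is named like the system process {base} but sits outside the Windows directory")
    return reasons


def analyse_o4(cmd):
    """Reasons an O4 Run value looks suspicious, including the DLL behind rundll32."""
    exe, rest = _first_token(cmd)
    reasons = [f"autorun executable {r}" for r in _path_reasons(exe)]
    if exe.lower().rpartition("\\")[2] == "rundll32.exe" and rest:
        dll = _first_token(rest)[0].split(",", 1)[0]   # "path.dll,entrypoint" -> path.dll
        reasons += [f"rundll32-loaded DLL {r}" for r in _path_reasons(dll)]
    return reasons


def analyse_userinit(value):
    """Flag every Userinit entry that is not the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [f"extra Userinit executable {e}" for e in entries if e.lower() != LEGIT_USERINIT]


def parse_o4(line):
    """Return (entry name, command) for an O4 line, with any (User '...') suffix removed."""
    m = O4_RE.match(line)
    return (m.group("name"), m.group("cmd")) if m else None


def triage(log_text):
    """Return (entry, reason) pairs for every suspicious line in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := O4_RE.match(line)):
            findings += [(m.group("name"), r) for r in analyse_o4(m.group("cmd"))]
        elif (m := F2_RE.match(line)):
            findings += [("UserInit", r) for r in analyse_userinit(m.group("value"))]
        elif (m := O2_RE.match(line)) and m.group("path").endswith(("(no file)", "(file missing)")):
            findings.append((m.group("clsid"), "orphaned BHO: CLSID registered but its DLL is absent"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{entry:40} {reason}")
```

On a real log, treat the output as leads for a helper to check against the rest of the log, not as verdicts; an unquoted path with spaces (as in the Sidebar line) is only parsed up to its first space.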

#2
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt; please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
wiccapyre (Topic Starter, New Member, 3 posts)
OK, I ran SmitfraudFix; the log is posted below. I tried running dss.exe and an error came up: the server endpoint cannot perform the operation, and the dependency service group failed to start. Additionally, the following errors popped up during SmitfraudFix:

VACFIX.EXE BAD IMAGE
IEDFIX.EXE BAD IMAGE
404FIX.EXE BAD IMAGE
UIFIX.EXE BAD IMAGE

Not sure if that means anything. I am on a different computer with the other one right beside me, so I can stay connected. When I start Windows I get various rundll errors.

SmitFraudFix v2.329

Scan done at 19:30:06.68, Sun 07/06/2008
Run from E:\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6000] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Windows\accesss.exe Deleted
C:\Windows\astctl32.ocx Deleted
C:\Windows\avpcc.dll Deleted
C:\Windows\clrssn.exe Deleted
C:\Windows\cpan.dll Deleted
C:\Windows\default.htm Deleted
C:\Windows\iexplorer.exe Deleted
C:\Windows\loader.exe Deleted
C:\Windows\mtwirl32.dll Deleted
C:\Windows\notepad32.exe Deleted
C:\Windows\olehelp.exe Deleted
C:\Windows\systeem.exe Deleted
C:\Windows\systemcritical.exe Deleted
C:\Windows\time.exe Deleted
C:\Windows\users32.exe Deleted
C:\Windows\waol.exe Deleted
C:\Windows\win32e.exe Deleted
C:\Windows\win64.exe Deleted
C:\Windows\winajbm.dll Deleted
C:\Windows\window.exe Deleted
C:\Windows\winmgnt.exe Deleted
C:\Windows\x.exe Deleted
C:\Windows\xplugin.dll Deleted
C:\Windows\xxxvideo.hta Deleted
C:\Windows\y.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
One more thing: it seems that I can't run any apps when I am in normal Windows; everything says the dependency service failed to start.

Edited by wiccapyre, 06 July 2008 - 07:49 PM.


#4
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Can you run DSS from Safe Mode and post the logs?

#5
wiccapyre (Topic Starter, New Member, 3 posts)
Here is the requested info. Sorry for the delay; I've been working a lot. And thank you for the help, by the way; it is greatly appreciated.

Deckard's System Scanner v20071014.68
Run by Raven on 2008-07-10 23:23:07
Computer is in Safe Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Raven.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:24:02, on 7/10/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Users\Raven\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Raven.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {78C036C4-0C14-4F1C-B414-425141B09697} - C:\Windows\system32\BF.dll (file missing)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Host Process] C:\Users\Raven\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-812040565-374060242-918218977-1000\..\Run: [Host Process] C:\Users\Raven\svchost.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: UStorage Server Service - OTi - C:\Windows\system32\UStorSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4119 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-27 19:54:53 408 --a------ C:\Windows\Tasks\Norton Security Scan.job


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-06 19:31:04 0 -rahs---- C:\MSDOS.SYS
2008-07-06 19:31:04 0 -rahs---- C:\IO.SYS
2008-07-06 19:30:35 1632 --a------ C:\Windows\system32\tmp.reg
2008-07-06 19:26:51 25600 --a------ C:\Windows\system32\WS2Fix.exe
2008-07-06 19:26:51 289144 --a------ C:\Windows\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-07-06 19:26:51 86528 --a------ C:\Windows\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-07-06 19:26:51 288417 --a------ C:\Windows\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-07-06 19:26:51 53248 --a------ C:\Windows\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-07-06 19:26:51 82944 --a------ C:\Windows\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-07-06 19:26:51 51200 --a------ C:\Windows\system32\dumphive.exe
2008-07-06 19:26:51 81920 --a------ C:\Windows\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-07-06 17:15:19 0 d-------- C:\Program Files\Trend Micro
2008-07-06 11:55:35 0 d-------- C:\Users\All Users\TEMP
2008-07-05 16:54:09 0 d--h----- C:\$AVG8.VAULT$
2008-07-05 16:49:18 0 d-------- C:\Windows\system32\drivers\Avg
2008-07-05 16:48:45 0 d-------- C:\Program Files\AVG
2008-07-05 16:48:44 0 d-------- C:\Users\All Users\avg8
2008-07-05 16:38:52 511 --a------ C:\Users\Raven\957.bat
2008-07-03 01:48:51 24064 --a------ C:\Windows\sistem.exe
2008-07-03 01:48:50 8960 --a------ C:\Windows\msupdate.exe
2008-07-03 01:48:50 17664 --a------ C:\Windows\mssys.exe
2008-07-03 01:48:50 28928 --a------ C:\Windows\internet.exe
2008-07-03 01:48:50 27648 --a------ C:\Windows\inetinf.exe
2008-07-03 01:48:50 18944 --a------ C:\Windows\iedll.exe
2008-07-03 01:48:49 13824 --a------ C:\Windows\funny.exe
2008-07-03 01:48:49 28928 --a------ C:\Windows\funniest.exe
2008-07-03 01:48:49 18176 --a------ C:\Windows\explorer32.exe
2008-07-03 01:48:49 12032 --a------ C:\Windows\explore.exe
2008-07-03 01:48:49 13312 --a------ C:\Windows\ctrlpan.dll
2008-06-29 19:17:49 510 --a------ C:\Users\Raven\36.bat
2008-06-29 16:02:30 0 d-------- C:\Program Files\Lavasoft
2008-06-29 16:02:29 0 d-------- C:\Users\All Users\Lavasoft
2008-06-29 15:00:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-28 16:35:56 9984 --a------ C:\Windows\svcinit.exe
2008-06-28 16:35:56 17664 --a------ C:\Windows\svchost32.exe
2008-06-28 16:35:56 10240 --a------ C:\Windows\searchword.dll
2008-06-28 16:35:55 18176 --a------ C:\Windows\rundll16.exe
2008-06-28 16:35:55 25856 --a------ C:\Windows\quicken.exe
2008-06-28 16:35:55 13312 --a------ C:\Windows\qttasks.exe
2008-06-28 16:35:54 21504 --a------ C:\Windows\mswsc20.dll
2008-06-28 16:35:54 29696 --a------ C:\Windows\mswsc10.dll
2008-06-28 16:35:53 31744 --a------ C:\Windows\msspi.dll
2008-06-28 16:35:53 28160 --a------ C:\Windows\msconfd.dll
2008-06-28 16:35:51 14080 --a------ C:\Windows\helpcvs.exe
2008-06-28 16:35:51 31232 --a------ C:\Windows\gfmnaaa.dll
2008-06-28 16:35:49 31488 --a------ C:\Windows\editpad.exe
2008-06-28 16:35:49 16384 --a------ C:\Windows\dnsrelay.dll
2008-06-28 16:35:49 11264 --a------ C:\Windows\directx32.exe
2008-06-28 16:35:49 21504 --a------ C:\Windows\ctfmon32.exe
2008-06-28 16:20:49 0 d--hs---- C:\Windows\UmF2ZW4
2008-06-28 16:20:49 0 d-------- C:\Program Files\Network Monitor
2008-06-28 16:20:26 86144 --a------ C:\Windows\system32\drivers\mrxdavv.sys
2008-06-28 16:20:19 41984 --a------ C:\Windows\mrofinu1000106.exe
2008-06-28 16:20:16 4 --a------ C:\Windows\system32\hljwugsf.bin
2008-06-28 16:20:13 0 d-------- C:\Windows\system32\xsir
2008-06-28 16:20:13 0 d-------- C:\Windows\system32\vec3
2008-06-28 16:20:13 0 d-------- C:\Windows\system32\f10
2008-06-28 16:20:13 0 d-------- C:\Windows\system32\bam
2008-06-28 16:20:11 511 --a------ C:\Users\Raven\368.bat
2008-06-28 16:20:03 0 d-------- C:\Windows\system32\modtrux18
2008-06-28 16:20:03 0 d-------- C:\Temp
2008-06-26 15:06:55 114688 --a------ C:\Users\Raven\zia02640
2008-06-26 06:20:56 0 d--hs---- C:\found.000
2008-06-22 03:00:44 0 d-------- C:\Windows\CheckSur
2008-06-17 15:58:06 139264 --a------ C:\Windows\system32\OPDSL.DLL <Not Verified; ; MU828it Dynamic Link Library>
2008-06-17 15:58:05 139264 --a------ C:\Windows\system32\UStorSrv.exe <Not Verified; OTi; OTi Content Service>


-- Find3M Report ---------------------------------------------------------------

2008-07-06 19:47:56 35 --a------ C:\Users\Raven\AppData\Roaming\SetValue.bat
2008-07-06 19:47:56 691 --a------ C:\Users\Raven\AppData\Roaming\GetValue.vbs
2008-07-06 12:02:53 0 d-------- C:\Program Files\Common Files\AOL
2008-07-05 16:35:00 0 d-------- C:\Users\Raven\AppData\Roaming\LimeWire
2008-06-29 15:29:11 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-29 15:28:37 0 d-------- C:\Program Files\Common Files
2008-06-29 15:25:54 0 d-------- C:\Program Files\LimeWire
2008-06-27 18:00:00 0 d-------- C:\Program Files\Norton Security Scan
2008-06-21 06:08:14 0 d-------- C:\Program Files\Windows Mail
2008-06-03 20:02:04 0 d-------- C:\Users\Raven\AppData\Roaming\Adobe
2008-06-01 18:57:23 0 d-------- C:\Program Files\Common Files\Real
2008-06-01 18:57:19 0 d-------- C:\Users\Raven\AppData\Roaming\Real
2008-06-01 18:04:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-31 14:43:43 0 d-------- C:\Program Files\QuickTime
2008-05-31 14:40:23 0 d-------- C:\Program Files\Apple Software Update
2008-05-31 14:39:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-30 14:27:35 0 d-------- C:\Users\Raven\AppData\Roaming\Identities
2008-05-29 14:33:01 77 --a------ C:\Windows\system32\9679.bat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{78C036C4-0C14-4F1C-B414-425141B09697}]
C:\Windows\system32\BF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/01/2008 23:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11]
"NeroFilterCheck"="C:\Windows\system32\NeroCheck.exe" [07/09/2001 10:50]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 22:37]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/05/2008 16:48]
"MSConfig"="C:\Windows\System32\msconfig.exe" [11/02/2006 04:45]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [12/17/2007 17:13]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [02/01/2008 15:32]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 07:35]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 07:36]
"Host Process"="C:\Users\Raven\svchost.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\62dc5fcf]
rundll32.exe "C:\Users\Raven\AppData\Local\Temp\tnsqgbxu.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM61ef6c53]
Rundll32.exe "C:\Users\Raven\AppData\Local\Temp\uidrodff.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmds]
rundll32.exe C:\Users\Raven\AppData\Local\Temp\iifgDVOI.dll,c

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSA Shellu]
C:\Users\Raven\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSServer]
rundll32.exe C:\Users\Raven\AppData\Local\Temp\geBsqRjH.dll,#1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RRT-Auto]
E:\RRT.exe auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL10]
C:\Program Files\Topro\TP6810\TPPOLL10.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a512fc91-48cb-11dd-918b-a838e2bfac90}]
AutoRun\command- E:\setupSNK.exe

*Newly Created Service* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-07-10 23:24:39 ------------

#6
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Bit of malware there

Please visit this web page for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#7
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.