Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojan dropper generic rgq [CLOSED]

Started by borat77 , Jan 03 2008 01:51 AM

  • This topic is locked This topic is locked

#1
borat77
Posted 03 January 2008 - 01:51 AM

borat77

    New Member

  • Member
  • Pip
  • 4 posts
Hello, I have been looking at all of the help for many of the posters and I am in need of some of this amazing advice. I recently got the trojan dropper generic rgq and I have no idea how to get rid of it and if I could get some help that would be amazing. Hope this work and thanks for anyone that would try to help.

Jason.
  • 0

Advertisements

#2
borat77
Posted 03 January 2008 - 02:00 AM

borat77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hello again, like i said in the previous topic I am not very computer smart but I figured i need to download hijack this and here is the files it gave me. I hope this helps anyone that would try and give me a hand.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayx.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TELUS_eCare_Lite_McciTrayApp] C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.KRAMER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - TELUS - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe

--
End of file - 8595 bytes
  • 0

#3
loophole
Posted 03 January 2008 - 03:10 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi Jason :)

If you have any questions during this topic, feel free to ask

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

*note* if you lose internet connection Click start >> run and type ipconfig /renew or simply reboot
  • 0

#4
borat77
Posted 03 January 2008 - 11:36 AM

borat77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
thank you so much for the quick reply I really appreciate that. here is the combo fix and the hijack this info that you asked for.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\pac.txt
C:\winlogon.exe
C:\x.dat
C:\z.dat
D:\Autorun.inf
C:\WINDOWS\Fonts\'

.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 10:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 09:50 . 2008-01-03 09:51 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\AVG7
2008-01-03 00:58 . 2008-01-03 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 00:42 . 2008-01-03 00:42 <DIR> d-------- C:\Deckard
2008-01-02 23:42 . 2008-01-03 09:57 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\AVG7
2008-01-02 23:42 . 2008-01-02 23:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-02 23:41 . 2008-01-02 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-02 23:41 . 2008-01-03 09:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 23:33 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-01-02 23:32 . 2008-01-02 23:32 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-02 23:32 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-01-02 23:31 . 2008-01-02 23:31 <DIR> d-------- C:\Program Files\Raxco
2008-01-02 23:31 . 2008-01-02 23:31 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-02 23:31 . 2008-01-02 23:31 <DIR> d-------- C:\Program Files\CA
2008-01-02 23:31 . 2008-01-02 23:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-01-02 23:28 . 2008-01-02 23:28 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\InstallShield
2008-01-02 23:14 . 2008-01-02 23:14 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\InstallShield
2008-01-02 23:05 . 2008-01-02 23:36 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-02 22:33 . 2008-01-03 09:44 8,345 --ahs---- C:\WINDOWS\system32\xyadd.ini2
2008-01-02 22:33 . 2008-01-03 09:47 8,345 --ahs---- C:\WINDOWS\system32\xyadd.ini
2008-01-02 22:31 . 2008-01-02 22:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-02 22:28 . 2008-01-02 22:28 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2008-01-02 22:28 . 2008-01-02 22:28 <DIR> d-------- C:\temp\cEeer12
2008-01-02 22:28 . 2008-01-02 22:28 134 --a------ C:\n.bat
2008-01-02 22:23 . 2008-01-02 22:31 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\LimeWire
2007-12-29 21:05 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\USBToolbox
2007-12-25 16:11 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\iTunes
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\Program Files\iPod
2007-12-25 16:11 . 2008-01-02 22:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-25 16:11 . 2007-12-25 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-25 16:09 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 16:08 . 2007-12-25 16:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 16:08 . 2007-12-25 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 16:08 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-13 21:19 . 2007-12-28 16:45 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\Apple Computer
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-06 19:07 . 2007-12-06 19:07 102,400 --a------ C:\WINDOWS\system32\SampleGrabber.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 07:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-03 06:30 --------- d-----w C:\Program Files\TELUS
2008-01-03 06:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\TELUS
2008-01-03 06:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 06:18 --------- d-----w C:\Documents and Settings\Sheila\Application Data\TELUS
2008-01-03 06:18 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\TELUS
2008-01-03 05:33 --------- d-----w C:\Program Files\TELUS_eCare_Lite
2008-01-03 05:33 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-27 05:44 --------- d-----w C:\Program Files\World of Warcraft
2007-12-27 02:07 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\Apple Computer
2007-12-25 23:08 --------- d-----w C:\Program Files\Apple Software Update
2007-12-15 23:07 --------- d-----w C:\Documents and Settings\Sheila\Application Data\Image Zone Express
2007-12-01 17:54 --------- d-----w C:\Documents and Settings\Sheila\Application Data\AdobeUM
2007-11-30 07:31 --------- d-----w C:\Program Files\DivX
2007-11-27 21:21 180,152 ----a-w C:\Documents and Settings\Sheila\Application Data\GDIPFONTCACHEV1.DAT
2007-11-13 20:28 --------- d-----w C:\Documents and Settings\Sheila\Application Data\HP
2007-11-13 20:25 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\HP
2007-11-13 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-13 20:19 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:19 --------- d-----w C:\Program Files\Common Files\HP
2007-11-13 20:13 --------- d-----w C:\Program Files\HP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 23:27 --------- d-----w C:\Documents and Settings\Sheila\Application Data\Talkback
2007-11-12 21:51 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-12 21:51 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\Motive
2007-11-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-11-12 21:46 --------- d-----w C:\Program Files\TELUS eCare
2007-11-11 00:25 --------- d-----w C:\Program Files\Web Publish
2007-11-09 16:31 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\uTorrent
2007-10-24 05:39 4,009,472 --sha-w C:\Program Files\ehthumbs.db
2007-10-24 05:38 1,379,328 --sha-w C:\Program Files\Common Files\ehthumbs.db
2007-06-14 03:54 1,392 ----a-w C:\Documents and Settings\Owner.KRAMER\Application Data\wklnhst.dat
2007-02-02 03:44 180,152 ----a-w C:\Documents and Settings\Owner.KRAMER\Application Data\GDIPFONTCACHEV1.DAT
2007-01-13 05:13 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.
----a-w		 2,061,816 2008-01-03 06:36:58  C:\Program Files\TELUS\eProtect Advisor\TEPA .exe
----a-w		   310,000 2008-01-03 06:37:55  C:\Program Files\TELUS\TELUS eProtect\Rps .exe
----a-w			13,552 2008-01-03 06:36:55  C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR .exe
----a-w			64,512 2008-01-03 06:05:27  C:\WINDOWS\ehome\ehtray .exe
----a-w			15,360 2008-01-03 06:36:57  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7}]
C:\WINDOWS\system32\vtuutur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{748A361A-425D-4F25-8EC5-DADD976A4215}]
C:\WINDOWS\system32\ddayx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 12:00 15360]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 20:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 01:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 07:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 07:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 07:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 15:19 77312 C:\WINDOWS\arpwrmsg.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [ ]
"TELUS_eCare_Lite_McciTrayApp"="C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"USB Storage Toolbox"="C:\Program Files\USBToolbox\Res.EXE" [ ]
"TELUS eProtect"="C:\Program Files\TELUS\TELUS eProtect\Rps.exe" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-03 09:46 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 12:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-02 23:41 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-01-13 15:46:38]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 21:56:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7}"= C:\WINDOWS\system32\vtuutur.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutur]
vtuutur.dll

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-26 10:43]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-26 10:43]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-26 10:43]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 Radialpoint Security Services;TELUS eProtect;C:\WINDOWS\system32\dllhost.exe [2004-08-10 12:00]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1944cca1-36d9-11db-8d88-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 04:39:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 10:16:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 10:26:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 17:26:19
.
2007-12-12 04:32:05 --- E O F ---
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} - C:\WINDOWS\system32\vtuutur.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: (no name) - {748A361A-425D-4F25-8EC5-DADD976A4215} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TELUS_eCare_Lite_McciTrayApp] C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.KRAMER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtuutur - vtuutur.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - TELUS - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
  • 0

#5
loophole
Posted 03 January 2008 - 01:19 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi again

Download RenV.exe to your desktop.
http://download.blee...s/Beta/RenV.exe

Double click RenV.exe to run it.

A text will open with some info just close it . Next, referring to the picture below drag and drop that new text file onto RenV.exe

Posted Image


Please rescan with combofix and post the log and a new hijack log.
  • 0

#6
borat77
Posted 03 January 2008 - 09:58 PM

borat77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
thanks so much for the help I think i have gotten most of the worm but there is still this annoying popup that keeps happening it says hpproductassistant insert disk and i keep cancelling and it will keep poping up. If you have any advice on that I would much appreciate it. Thanks again here is the combofix report and the hijack this

Jason.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.ini2

.
((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-03 12:03 . 2008-01-03 12:03 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-01-03 12:03 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-01-03 12:03 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-01-03 12:02 . 2008-01-03 12:02 <DIR> d-------- C:\Program Files\Raxco
2008-01-03 12:02 . 2008-01-03 12:02 <DIR> d-------- C:\Program Files\CA
2008-01-03 12:02 . 2008-01-03 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-01-03 12:01 . 2008-01-03 12:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-01-03 11:56 . 2008-01-03 11:56 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\InstallShield
2008-01-03 10:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 09:50 . 2008-01-03 12:05 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\AVG7
2008-01-03 00:58 . 2008-01-03 00:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-03 00:42 . 2008-01-03 00:42 <DIR> d-------- C:\Deckard
2008-01-02 23:42 . 2008-01-03 12:05 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\AVG7
2008-01-02 23:42 . 2008-01-02 23:42 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-02 23:41 . 2008-01-03 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-02 23:14 . 2008-01-02 23:14 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\InstallShield
2008-01-02 22:31 . 2008-01-02 22:31 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-02 22:28 . 2008-01-03 11:43 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2008-01-02 22:28 . 2008-01-02 22:28 <DIR> d-------- C:\temp\cEeer12
2008-01-02 22:28 . 2008-01-02 22:28 134 --a------ C:\n.bat
2008-01-02 22:23 . 2008-01-02 22:31 <DIR> d-------- C:\Documents and Settings\Owner.KRAMER\Application Data\LimeWire
2007-12-29 21:05 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\USBToolbox
2007-12-25 16:11 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\iTunes
2007-12-25 16:11 . 2007-12-25 16:11 <DIR> d-------- C:\Program Files\iPod
2007-12-25 16:11 . 2008-01-02 22:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-25 16:11 . 2007-12-25 16:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-25 16:09 . 2008-01-02 22:33 <DIR> d-------- C:\Program Files\QuickTime
2007-12-25 16:08 . 2007-12-25 16:08 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-25 16:08 . 2007-12-25 16:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-25 16:08 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-13 21:19 . 2007-12-28 16:45 <DIR> d-------- C:\Documents and Settings\Sheila\Application Data\Apple Computer
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-06 19:07 . 2007-12-06 19:07 102,400 --a------ C:\WINDOWS\system32\SampleGrabber.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 20:53 --------- d-----w C:\Documents and Settings\Sheila\Application Data\TELUS
2008-01-03 19:28 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\TELUS
2008-01-03 19:00 --------- d-----w C:\Program Files\TELUS
2008-01-03 19:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\TELUS
2008-01-03 18:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-03 07:14 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-03 06:36 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-03 05:33 --------- d-----w C:\Program Files\TELUS_eCare_Lite
2008-01-03 05:33 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-27 05:44 --------- d-----w C:\Program Files\World of Warcraft
2007-12-27 02:07 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\Apple Computer
2007-12-25 23:08 --------- d-----w C:\Program Files\Apple Software Update
2007-12-15 23:07 --------- d-----w C:\Documents and Settings\Sheila\Application Data\Image Zone Express
2007-12-01 17:54 --------- d-----w C:\Documents and Settings\Sheila\Application Data\AdobeUM
2007-11-30 07:31 --------- d-----w C:\Program Files\DivX
2007-11-27 21:21 180,152 ----a-w C:\Documents and Settings\Sheila\Application Data\GDIPFONTCACHEV1.DAT
2007-11-13 20:28 --------- d-----w C:\Documents and Settings\Sheila\Application Data\HP
2007-11-13 20:25 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\HP
2007-11-13 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-11-13 20:19 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-13 20:19 --------- d-----w C:\Program Files\Common Files\HP
2007-11-13 20:13 --------- d-----w C:\Program Files\HP
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 23:27 --------- d-----w C:\Documents and Settings\Sheila\Application Data\Talkback
2007-11-12 21:51 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-12 21:51 --------- d-----w C:\Documents and Settings\Owner.KRAMER\Application Data\Motive
2007-11-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-11-12 21:46 --------- d-----w C:\Program Files\TELUS eCare
2007-11-11 00:25 --------- d-----w C:\Program Files\Web Publish
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 00:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 05:39 4,009,472 --sha-w C:\Program Files\ehthumbs.db
2007-10-24 05:38 1,379,328 --sha-w C:\Program Files\Common Files\ehthumbs.db
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-14 03:54 1,392 ----a-w C:\Documents and Settings\Owner.KRAMER\Application Data\wklnhst.dat
2007-02-02 03:44 180,152 ----a-w C:\Documents and Settings\Owner.KRAMER\Application Data\GDIPFONTCACHEV1.DAT
2007-01-13 05:13 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-03_10.26.01.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-08-06 03:56:34 64,512 ----a-w C:\WINDOWS\ehome\ehtray.exe
+ 2008-01-03 06:05:27 64,512 ----a-w C:\WINDOWS\ehome\ehtray.exe
- 2008-01-03 06:33:29 10,134 ----a-r C:\WINDOWS\Installer\{0EFED4A3-64ED-470B-A860-BFA5B470845E}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:50 10,134 ----a-r C:\WINDOWS\Installer\{0EFED4A3-64ED-470B-A860-BFA5B470845E}\ARPPRODUCTICON.exe
- 2008-01-03 06:32:14 26,582 ----a-r C:\WINDOWS\Installer\{212F5777-1190-4DEF-8E4D-6B2F313B45E7}\PerfectDisk.exe
+ 2008-01-03 19:02:44 26,582 ----a-r C:\WINDOWS\Installer\{212F5777-1190-4DEF-8E4D-6B2F313B45E7}\PerfectDisk.exe
- 2008-01-03 06:32:58 10,134 ----a-r C:\WINDOWS\Installer\{336844B0-0CB8-4C73-80E6-383FB169BC0E}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:28 10,134 ----a-r C:\WINDOWS\Installer\{336844B0-0CB8-4C73-80E6-383FB169BC0E}\ARPPRODUCTICON.exe
- 2008-01-03 06:34:09 10,134 ----a-r C:\WINDOWS\Installer\{3BC4489D-686F-4D34-AD7D-DAB727CC2D85}\ARPPRODUCTICON.exe
+ 2008-01-03 19:04:00 10,134 ----a-r C:\WINDOWS\Installer\{3BC4489D-686F-4D34-AD7D-DAB727CC2D85}\ARPPRODUCTICON.exe
- 2008-01-03 06:31:38 10,134 ----a-r C:\WINDOWS\Installer\{4023AAE4-E434-4028-85C5-8FF4159F7AF6}\ARPPRODUCTICON.exe
+ 2008-01-03 19:02:05 10,134 ----a-r C:\WINDOWS\Installer\{4023AAE4-E434-4028-85C5-8FF4159F7AF6}\ARPPRODUCTICON.exe
- 2008-01-03 06:30:45 10,134 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\ARPPRODUCTICON.exe
+ 2008-01-03 19:01:01 10,134 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\ARPPRODUCTICON.exe
- 2008-01-03 06:30:45 25,214 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\Desktop_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
+ 2008-01-03 19:01:01 25,214 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\Desktop_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
- 2008-01-03 06:30:45 25,214 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\Sm_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
+ 2008-01-03 19:01:01 25,214 ----a-r C:\WINDOWS\Installer\{5462A3AE-5D32-4613-876E-D0CD1756B6E5}\Sm_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
- 2008-01-03 06:31:43 10,134 ----a-r C:\WINDOWS\Installer\{743F47C1-1194-4C70-8565-2E7A21379F4A}\ARPPRODUCTICON.exe
+ 2008-01-03 19:02:13 10,134 ----a-r C:\WINDOWS\Installer\{743F47C1-1194-4C70-8565-2E7A21379F4A}\ARPPRODUCTICON.exe
- 2008-01-03 06:31:54 10,134 ----a-r C:\WINDOWS\Installer\{760E1F3F-F2F6-47C7-B4F0-560B8ACA8999}\ARPPRODUCTICON.exe
+ 2008-01-03 19:02:21 10,134 ----a-r C:\WINDOWS\Installer\{760E1F3F-F2F6-47C7-B4F0-560B8ACA8999}\ARPPRODUCTICON.exe
- 2008-01-03 06:34:13 10,134 ----a-r C:\WINDOWS\Installer\{78B7F1F6-9D66-4509-B216-96F4ACBBAC15}\ARPPRODUCTICON.exe
+ 2008-01-03 19:04:01 10,134 ----a-r C:\WINDOWS\Installer\{78B7F1F6-9D66-4509-B216-96F4ACBBAC15}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:38 10,134 ----a-r C:\WINDOWS\Installer\{A62AE053-EB18-4EEF-9EFD-FFE5A4244ADB}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:52 10,134 ----a-r C:\WINDOWS\Installer\{A62AE053-EB18-4EEF-9EFD-FFE5A4244ADB}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:47 10,134 ----a-r C:\WINDOWS\Installer\{A642450B-A20E-420D-83F5-DF5C418C50D1}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:55 10,134 ----a-r C:\WINDOWS\Installer\{A642450B-A20E-420D-83F5-DF5C418C50D1}\ARPPRODUCTICON.exe
- 2008-01-03 06:34:06 10,134 ----a-r C:\WINDOWS\Installer\{AA47BB0B-933B-49DF-BE3A-17BFA60B7623}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:58 10,134 ----a-r C:\WINDOWS\Installer\{AA47BB0B-933B-49DF-BE3A-17BFA60B7623}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:25 10,134 ----a-r C:\WINDOWS\Installer\{BAC15E33-870A-4D27-B247-999F6A735B45}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:48 10,134 ----a-r C:\WINDOWS\Installer\{BAC15E33-870A-4D27-B247-999F6A735B45}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:23 10,134 ----a-r C:\WINDOWS\Installer\{BD6CB9F6-3AF3-49F0-BBD1-9D13495655F6}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:46 10,134 ----a-r C:\WINDOWS\Installer\{BD6CB9F6-3AF3-49F0-BBD1-9D13495655F6}\ARPPRODUCTICON.exe
- 2008-01-03 06:32:21 10,134 ----a-r C:\WINDOWS\Installer\{C66F62AD-551B-428F-9183-F5802333367F}\ARPPRODUCTICON.exe
+ 2008-01-03 19:02:59 10,134 ----a-r C:\WINDOWS\Installer\{C66F62AD-551B-428F-9183-F5802333367F}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:43 10,134 ----a-r C:\WINDOWS\Installer\{D2E3D944-B08E-4446-B0C2-A0E66CB8A7C0}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:54 10,134 ----a-r C:\WINDOWS\Installer\{D2E3D944-B08E-4446-B0C2-A0E66CB8A7C0}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:43 25,214 ----a-r C:\WINDOWS\Installer\{D2E3D944-B08E-4446-B0C2-A0E66CB8A7C0}\Sm_En_DiagD_7C6BED816D7E4AD1AEAF5A1ADB6C8676.exe
+ 2008-01-03 19:03:54 25,214 ----a-r C:\WINDOWS\Installer\{D2E3D944-B08E-4446-B0C2-A0E66CB8A7C0}\Sm_En_DiagD_7C6BED816D7E4AD1AEAF5A1ADB6C8676.exe
- 2008-01-03 06:33:57 10,134 ----a-r C:\WINDOWS\Installer\{DC626552-2C9D-4C5E-8367-22FB0C1758B0}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:57 10,134 ----a-r C:\WINDOWS\Installer\{DC626552-2C9D-4C5E-8367-22FB0C1758B0}\ARPPRODUCTICON.exe
- 2008-01-03 06:33:34 10,134 ----a-r C:\WINDOWS\Installer\{E2DAC54C-1560-4F00-B7CD-E9BD89ACFAFD}\ARPPRODUCTICON.exe
+ 2008-01-03 19:03:51 10,134 ----a-r C:\WINDOWS\Installer\{E2DAC54C-1560-4F00-B7CD-E9BD89ACFAFD}\ARPPRODUCTICON.exe
- 2004-08-10 19:00:00 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2008-01-03 06:36:57 15,360 -c--a-w C:\WINDOWS\system32\dllcache\ctfmon.exe
- 2005-08-06 03:56:34 64,512 -c--a-w C:\WINDOWS\system32\dllcache\ehtray.exe
+ 2008-01-03 06:05:27 64,512 -c--a-w C:\WINDOWS\system32\dllcache\ehtray.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7}]
C:\WINDOWS\system32\vtuutur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{748A361A-425D-4F25-8EC5-DADD976A4215}]
C:\WINDOWS\system32\ddayx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-02 23:36 15360]
"WeatherEye"="C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-02 23:05 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-14 01:01 16010752 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 07:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 07:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 07:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 15:19 77312 C:\WINDOWS\arpwrmsg.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [ ]
"TELUS_eCare_Lite_McciTrayApp"="C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"USB Storage Toolbox"="C:\Program Files\USBToolbox\Res.EXE" [ ]
"TEPA.exe"="C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" [2007-05-14 09:10 2061816]
"TELUS eProtect"="C:\Program Files\TELUS\TELUS eProtect\Rps.exe" [2007-09-13 16:22 310000]
"-FreedomNeedsReboot"="C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe" [2007-09-13 16:22 13552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe" [2007-09-13 16:21 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-01-02 23:36 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-01-13 15:46:38]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 21:56:10]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{00DC0058-A87E-4D19-9C26-F1AAC98AD4D7}"= C:\WINDOWS\system32\vtuutur.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutur]
vtuutur.dll

R2 McciCMService;McciCMService;"C:\Program Files\Common Files\Motive\McciCMService.exe" [2007-09-26 10:43]
S3 MREMP50;MREMP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS [2007-09-26 10:43]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50;MRESP50 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS [2007-09-26 10:43]
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS []
S3 Radialpoint Security Services;TELUS eProtect;C:\WINDOWS\system32\dllhost.exe [2004-08-10 12:00]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1944cca1-36d9-11db-8d88-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-12-28 04:39:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 20:54:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-03 20:55:25
ComboFix-quarantined-files.txt 2008-01-04 03:55:17
ComboFix2.txt 2008-01-03 17:26:27
.
2007-12-12 04:32:05 --- E O F ---

nning processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\TELUS\eProtect Advisor\TEPA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\TELUS\TELUS eProtect\RPS.exe
C:\Program Files\TELUS\eProtect Advisor\TEPAComHandler.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} - C:\WINDOWS\system32\vtuutur.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS eProtect\pkR.dll
O2 - BHO: (no name) - {748A361A-425D-4F25-8EC5-DADD976A4215} - C:\WINDOWS\system32\ddayx.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TELUS_eCare_Lite_McciTrayApp] C:\Program Files\TELUS_eCare_Lite\eCareTrayApp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [TEPA.exe] "C:\Program Files\TELUS\eProtect Advisor\TEPA.exe" /AUTORUN
O4 - HKLM\..\Run: [TELUS eProtect] "C:\Program Files\TELUS\TELUS eProtect\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\TELUS\TELUS eProtect\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\TELUS\TELUS eProtect\IdxClnR.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.KRAMER\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: vtuutur - vtuutur.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: TELUS eProtect Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\TELUS\TELUS eProtect\rpsupdaterR.exe
O23 - Service: TELUS eProtect Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS eProtect\Fws.exe
  • 0

#7
loophole
Posted 05 January 2008 - 09:09 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi and sorry for the slight delay

Do you have the disk. Something may have gotten corrupted by this virus

Please rescan with Hijackthis and place a check next to the following entries:

O2 - BHO: (no name) - {00DC0058-A87E-4D19-9C26-F1AAC98AD4D7} - C:\WINDOWS\system32\vtuutur.dll (file missing)
O20 - Winlogon Notify: vtuutur - vtuutur.dll (file missing)

Now click "Fix Checked" and close Hijackthis

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#8
loophole
Posted 16 January 2008 - 01:22 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP