Constant popups after various virus removal programs [RESOLVED]

#1 Phantasy66 (Member, 26 posts)
Hi,
I recently did a scan on my computer (after I started getting popups) with Spybot Search & Destroy, Ad-Aware and AVG. It found 58 threats, which were apparently dealt with, but I am still getting popups, can you help please? I am noticing my keyboard is playing up a bit. Here's my HijackThis log. Many thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:59, on 17/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\program files\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\efecyaa.dll,#1
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [0203441200527173mcinstcleanup] C:\Users\Carlos\AppData\Local\Temp\020344~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\pmkhe.dll,#1
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 9305 bytes
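The log above is easier to read once the recurring indicators are pulled out mechanically: the F3 win.ini load= value, every autostart whose target sits under the user's Temp folder, rundll32 entries whose export is an ordinal or a single letter, and orphaned "(no file)" / "(file missing)" entries. The Python script below is an added illustration written for this page, not a tool from the thread or from Trend Micro; its only input is a handful of lines copied from the log above (plus a few benign ones for contrast), and the high/medium/low labels are this example's own convention, not HijackThis output.

```python
import re

# Lines copied from the HijackThis log posted above, plus benign ones for
# contrast. This constructed sample is the script's only input; nothing is
# read from the registry or the file system.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\efecyaa.dll,#1
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\pmkhe.dll,#1
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "rundll32[.exe] <dll>,<export>" - capture the export name after the comma
RUNDLL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?\.dll),(?P<entry>\S+)", re.IGNORECASE
)
SEVERITY = {"high": 3, "medium": 2, "low": 1}


def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []
    prefix = line.split(" - ", 1)[0]
    # F3: the win.ini load= value is a legacy autostart that normal Vista
    # software does not use; anything there deserves a look
    if prefix == "F3" and "load=" in line:
        findings.append(("high", "win.ini load= autostart"))
    # an autostart whose target lives in the user's Temp folder was almost
    # certainly dropped there by something, not installed
    if TEMP_DIR.search(line):
        findings.append(("high", "autostart from %TEMP%"))
    m = RUNDLL.search(line)
    if m:
        entry = m.group("entry")
        # ordinal (#1) or one-letter exports are typical of generated DLLs;
        # real vendor DLLs (nvsvc.dll,nvsvcStart) export by name
        if entry.startswith("#") or len(entry) == 1:
            findings.append(("medium", f"rundll32 with anonymous export '{entry}'"))
    if "(no file)" in line or "(file missing)" in line:
        findings.append(("low", "orphaned entry, target file absent"))
    return findings


def triage_log(text):
    """Map each flagged line to its findings; clean lines are omitted."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        findings = triage_line(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage_log(SAMPLE_LOG).items():
        worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
        print(f"[{worst.upper():6}] {line}")
        for _, reason in findings:
            print(f"          - {reason}")
```

Run it as a script to print the flagged lines. The rundll32 rule is only a heuristic: some legitimate vendors also export by ordinal, which is why it sits below the Temp-folder and win.ini rules rather than being treated as conclusive on its own.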
#2 BHowett (OT Moderator, 4,649 posts)
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your query and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

NOTE: I am still in training so I have to let the experts check the content of my fixes before I post them. This may take a little longer but the fixes will be verified and correct.

I will post your first set of instructions shortly.

#3 BHowett (OT Moderator, 4,649 posts)
Hi Phantasy

Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled "Resident 'TeaTimer' (Protection of over-all system settings) active".
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.

===============================================

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click ComboFix.exe and follow the prompts.
When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#4 Phantasy66 (Topic Starter, Member, 26 posts)
Hi, thanks for your help BHowett.
While I was running ComboFix, AVG kept telling me a trojan had been detected: vturo.exe. I don't know if that helps.
Here are the logs:
ComboFix 08-01-20.1 - Carlos 2008-01-20 19:38:03.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1214 [GMT 0:00]
Running from: C:\Users\Carlos\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-20 to 2008-01-20 )))))))))))))))))))))))))))))))
.

2008-01-20 19:37 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-17 16:46 . 2008-01-17 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 11:56 . 2008-01-17 11:56 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-17 11:56 . 2008-01-17 12:08 <DIR> d-------- C:\Users\All Users\avg7
2008-01-17 11:56 . 2008-01-17 11:56 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-01-17 11:56 . 2008-01-17 11:56 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-01-17 11:56 . 2008-01-17 11:56 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-16 23:47 . 2005-04-20 19:22 608,448 --a------ C:\Windows\System32\comctl32.ocx
2008-01-16 23:47 . 2006-03-03 11:07 143,360 --a------ C:\Windows\System32\dunzip32.dll
2008-01-16 23:46 . 2006-07-17 21:56 105,560 --a------ C:\Windows\System32\drivers\Mpfp.sys
2008-01-16 23:46 . 2006-07-27 17:12 1,808 --a------ C:\Windows\System32\subst.inf
2008-01-16 23:45 . 2008-01-16 23:45 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-16 23:44 . 2008-01-16 23:50 <DIR> d-------- C:\Program Files\McAfee
2008-01-16 23:44 . 2008-01-16 23:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-16 23:43 . 2008-01-16 23:52 <DIR> d-------- C:\Users\All Users\McAfee
2008-01-14 16:15 . 2008-01-14 16:15 <DIR> d-------- C:\Program Files\Flagship Studios
2008-01-13 20:22 . 2007-07-16 15:53 48 --a------ C:\Windows\System32\readme.bat
2008-01-09 13:54 . 2008-01-09 13:54 <DIR> d-------- C:\Program Files\LucasArts
2008-01-09 13:34 . 2008-01-09 13:34 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 13:34 . 2008-01-09 13:34 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 13:34 . 2008-01-09 13:34 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 13:34 . 2008-01-09 13:34 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 13:34 . 2008-01-09 13:34 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 13:33 . 2008-01-09 13:33 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 13:33 . 2008-01-09 13:33 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 13:33 . 2008-01-09 13:33 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 13:33 . 2008-01-09 13:33 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 13:33 . 2008-01-09 13:33 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 13:33 . 2008-01-09 13:33 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 13:33 . 2008-01-09 13:33 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-01-09 13:33 . 2008-01-09 13:33 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-06 11:40 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iPod
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Program Files\QuickTime
2008-01-06 11:39 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iTunes
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Users\All Users\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-03 00:50 . 2008-01-03 00:50 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-01-02 23:51 . 2008-01-14 17:12 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
2008-01-02 22:23 . 2008-01-03 00:47 <DIR> d-------- C:\Company of Heroes
2008-01-02 22:22 . 2008-01-02 22:22 <DIR> d-------- C:\Command And Conquer 3
2008-01-02 22:18 . 2008-01-02 22:20 <DIR> d-------- C:\Flatout 2
2008-01-02 22:15 . 2008-01-02 22:15 <DIR> d-------- C:\Lego SW
2008-01-02 20:27 . 2008-01-05 13:27 <DIR> dr------- C:\Film
2007-12-27 18:28 . 2007-12-27 18:29 <DIR> d-------- C:\Program Files\Uplink
2007-12-27 18:27 . 2007-12-27 18:27 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-25 19:33 . 2007-12-25 19:33 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-23 16:55 . 2007-12-23 16:55 <DIR> d-------- C:\Users\All Users\TuneUp Software
2007-12-23 16:55 . 2007-12-23 16:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2007-12-23 16:55 . 2007-12-23 16:55 306,432 --a------ C:\Windows\System32\TuneUpDefragService.exe
2007-12-23 16:55 . 2007-12-20 10:41 29,440 --a------ C:\Windows\System32\uxtuneup.dll
2007-12-23 16:55 . 2007-12-20 10:44 16,640 --a------ C:\Windows\System32\authuitu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 11:44 --------- d-----w C:\Program Files\Steam
2008-01-16 22:40 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-01-13 20:27 --------- d-----w C:\Program Files\Sierra Entertainment
2008-01-13 20:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 17:50 --------- d-----w C:\Program Files\Common Files\Steam
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 13:33 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 13:33 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 13:33 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 13:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 00:26 --------- d-----w C:\Program Files\THQ
2007-12-27 17:48 715,248 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-12-25 13:12 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2007-12-25 13:12 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2007-12-23 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 21:44 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2007-12-18 21:31 356,352 ----a-w C:\Windows\System32\nvuninst.exe
2007-12-18 20:19 --------- d-----w C:\Program Files\SopCast
2007-12-18 19:55 86,016 ----a-w C:\Windows\System32\nvsvc.dll
2007-12-18 19:55 81,920 ----a-w C:\Windows\System32\nvmctray.dll
2007-12-18 19:55 8,530,464 ----a-w C:\Windows\System32\nvcpl.dll
2007-12-18 19:55 8,238,720 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2007-12-18 19:55 795,104 ----a-w C:\Windows\System32\dpinst.exe
2007-12-18 19:55 753,664 ----a-w C:\Windows\System32\nvcplui.exe
2007-12-18 19:55 7,098,368 ----a-w C:\Windows\System32\nvoglv32.dll
2007-12-18 19:55 6,549,504 ----a-w C:\Windows\System32\nvdisps.dll
2007-12-18 19:55 5,263,360 ----a-w C:\Windows\System32\nvd3dum.dll
2007-12-18 19:55 45,056 ----a-w C:\Windows\System32\nvmccsrs.dll
2007-12-18 19:55 385,024 ----a-w C:\Windows\System32\nvapi.dll
2007-12-18 19:55 356,352 ----a-w C:\Windows\System32\nvudisp.exe
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod100.dll
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod.dll
2007-12-18 19:55 307,200 ----a-w C:\Windows\System32\nvexpbar.dll
2007-12-18 19:55 3,710,976 ----a-w C:\Windows\System32\nvvitvs.dll
2007-12-18 19:55 3,420,160 ----a-w C:\Windows\System32\nvgames.dll
2007-12-18 19:55 229,376 ----a-w C:\Windows\System32\nvmccs.dll
2007-12-18 19:55 2,498,560 ----a-w C:\Windows\System32\nvwss.dll
2007-12-18 19:55 188,416 ----a-w C:\Windows\System32\nvmccss.dll
2007-12-18 19:55 147,456 ----a-w C:\Windows\System32\nvcolor.exe
2007-12-18 19:55 1,830,912 ----a-w C:\Windows\System32\nvwgf2um.dll
2007-12-18 19:55 1,228,800 ----a-w C:\Windows\System32\nvmobls.dll
2007-12-17 12:06 --------- d-s---w C:\Program Files\Xfire
2007-12-16 23:59 --------- d-----w C:\Program Files\DivX
2007-12-14 15:42 --------- d-----w C:\Program Files\SpeedFan
2007-12-13 10:27 --------- d-----w C:\Program Files\Final Fantasy VII
2007-12-13 07:51 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:51 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:51 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:51 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:51 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:51 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:50 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:50 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:50 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:50 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:50 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:49 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:49 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 00:29 --------- d-----w C:\Program Files\Sierra
2007-12-11 19:46 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\Windows\System32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\Windows\System32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\Windows\System32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\Windows\System32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-12-11 16:42 --------- d-----w C:\Program Files\Common Files\AnimeVamp
2007-12-09 20:29 --------- d-----w C:\Program Files\ATITool
2007-12-06 23:09 --------- d-----w C:\Program Files\Activision
2007-11-17 16:18 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 07:54 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 07:54 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 07:54 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 07:54 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 07:54 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 07:54 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 07:54 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 07:54 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 07:54 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 07:54 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-11-14 16:12 669,184 ----a-w C:\Windows\System32\pbsvc.exe
2007-10-29 00:02 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-10-06 20:47 174 --sha-w C:\Program Files\desktop.ini
.
<pre>
----a-w			63,712 2008-01-17 11:43:04  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w		 1,266,936 2008-01-17 11:43:06  C:\Program Files\Steam\Steam .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 13:33 1232896]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-17 12:10 171448]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 20:13 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [ ]
"cmds"="C:\Users\Carlos\AppData\Local\Temp\vturo.dll" [2008-01-13 20:28 334336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-05 18:19 1006264]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 17:05 734264]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 23:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"MSServer"="C:\Windows\system32\efecyaa.dll" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 19:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 19:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 19:55 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 11:56 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 11:56 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-17 11:56 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\Users\Carlos\AppData\Local\Temp\vturo.exe

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2006-11-02 09:45]
R3 rt61x86;Sitecom RT61 Wireless Network Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2006-12-13 06:38]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 07:30]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-01-11 11:40]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2007-12-23 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36879e3b-a693-11dc-9713-001966354afe}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fd2a4df-7cef-11dc-bdc5-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c26d7ac1-9158-11dc-9855-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7cd8653-b4a8-11dc-b6f4-001966354afe}]
\shell\AutoRun\command - E:\Autorun.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 17:16:10 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-20 19:30:20 C:\Windows\Tasks\User_Feed_Synchronization-{ACFCB4A1-D9E6-4BD6-A750-C5C084871AA4}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-20 19:40:32
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Carlos\AppData\Local\Temp\vturo.dll
.
Completion time: 2008-01-20 19:41:14
.
2008-01-18 08:12:35 --- E O F ---
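Three things in the ComboFix log above are worth pulling together rather than reading one at a time: the two files listed with a space right before the extension ("Steam .exe", "apdproxy .exe"), the mountpoints2 AutoRun handlers for drives E: and F:, and the vturo.dll that ComboFix reports loaded inside Explorer.exe, which shares its name with the vturo.exe in the win.ini load= value. The script below is an added example written for this page, not ComboFix's own code; its input is a set of fragments copied from the log above, and it groups every path it finds by file stem so that vturo.exe and vturo.dll are reported as one indicator, not two.

```python
import re
from collections import defaultdict

# Fragments copied from the ComboFix log in the post above. This constructed
# sample is the script's only input; nothing is read from a live system.
COMBOFIX_LOG = r"""
<pre>
----a-w          63,712 2008-01-17 11:43:04  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w       1,266,936 2008-01-17 11:43:06  C:\Program Files\Steam\Steam .exe
</pre>

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\Users\Carlos\AppData\Local\Temp\vturo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36879e3b-a693-11dc-9713-001966354afe}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fd2a4df-7cef-11dc-bdc5-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Carlos\AppData\Local\Temp\vturo.dll
"""

# one file line: attributes, size, date, time, then the full path
FILE_LINE = re.compile(
    r"^\S+\s+[\d,]+\s+\d{4}-\d\d-\d\d\s\d\d:\d\d:\d\d\s+(?P<path>[A-Za-z]:\\.+?)\s*$",
    re.MULTILINE,
)
SPACED_EXT = re.compile(r"\s\.[A-Za-z0-9]{1,4}$")
LOAD_VALUE = re.compile(r'^"load"=(?P<path>.+?)\s*$', re.MULTILINE)


def spaced_extension_files(text):
    """Paths whose name has a space just before the extension ("Steam .exe").
    Such a file sits beside the real one with a near-identical name."""
    return [m.group("path") for m in FILE_LINE.finditer(text)
            if SPACED_EXT.search(m.group("path"))]


def autorun_commands(text):
    """(registry key, command) pairs from mountpoints2 AutoRun handlers."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.lower().startswith(r"\shell\autorun\command - ") and key:
            out.append((key, line.split(" - ", 1)[1]))
    return out


def loaded_dlls(text):
    """process path -> DLLs ComboFix found loaded in that process."""
    proc, out = None, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("PROCESS: "):
            proc = line[len("PROCESS: "):].split(" [", 1)[0]
        elif line.startswith("-> ") and proc:
            out[proc].append(line[3:])
    return dict(out)


def correlate(text):
    """Group every path in the log by file stem; a stem seen under more than
    one extension (vturo.exe + vturo.dll) is one infection, not two."""
    paths = spaced_extension_files(text)
    paths += [m.group("path") for m in LOAD_VALUE.finditer(text)]
    paths += [cmd for _, cmd in autorun_commands(text)]
    paths += [d for dlls in loaded_dlls(text).values() for d in dlls]
    by_stem = defaultdict(set)
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        stem = name.rsplit(".", 1)[0].rstrip()   # "steam .exe" -> "steam"
        by_stem[stem].add(p)
    return {s: sorted(ps) for s, ps in by_stem.items() if len(ps) > 1}


if __name__ == "__main__":
    for p in spaced_extension_files(COMBOFIX_LOG):
        print("space before extension:", p)
    for key, cmd in autorun_commands(COMBOFIX_LOG):
        print("AutoRun handler", key.rsplit("\\", 1)[-1], "->", cmd)
    for proc, dlls in loaded_dlls(COMBOFIX_LOG).items():
        print("loaded in", proc + ":", ", ".join(dlls))
    for stem, paths in correlate(COMBOFIX_LOG).items():
        print("same stem", stem + ":", " + ".join(paths))
```

The AutoRun commands are listed rather than scored: on this machine E: and F: are most likely a DVD drive and a removable device whose media carried an autorun.inf (an assumption, not something the log states), but the same mountpoints2 key is how autorun worms on USB sticks get executed, so a reviewer wants to see every entry. The stem grouping is the part that saves time: it turns the win.ini load= value and the DLL injected into Explorer.exe into a single "vturo" indicator to hunt for.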

#5 Phantasy66 (Topic Starter, Member, 26 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:03, on 20/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\efecyaa.dll,#1
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
  • 0
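
What makes some entries in this log worth fixing is visible in the lines themselves: an F3 win.ini load= value and an HKCU Run value both point into C:\Users\Carlos\AppData\Local\Temp, the [MSServer] entry has rundll32 call a System32 DLL by ordinal (,#1), and a BHO and a toolbar are registered with "(no file)" behind them. The script below is an added example, not part of this thread or of HijackThis, that applies exactly those checks to HijackThis-style lines so the same triage can be repeated on a new log. The sample lines are copied from the log above, with benign neighbours kept as controls, and the rules are heuristics chosen for this example rather than a complete ruleset; the ordinal-export and Temp-path checks in particular are assumptions about what legitimate software rarely does.

```python
"""Triage of HijackThis-style autostart lines (added example, not HijackThis code)."""
import re

# Constructed sample: entries lifted from the log above (the ones that are
# suspicious) plus benign neighbours so both outcomes can be checked.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\efecyaa.dll,#1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

# Line shapes HijackThis produces for the sections we care about.
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.+)$")
O2O3_RE = re.compile(r"^O(?:2 - BHO|3 - Toolbar): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")
# rundll32 <dll>,<export>  (export may be a name or an ordinal like #1)
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?(?:,(?P<entry>\S+))?', re.IGNORECASE)
# Per-user Temp on Vista (AppData\Local\Temp) and XP (Local Settings\Temp).
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local|Local Settings)\\Temp\\", re.IGNORECASE)


def first_token(cmd):
    """The executable part of a Run value, with surrounding quotes removed.
    (Heuristic: an unquoted path containing spaces is truncated at the first space.)"""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def path_reasons(path):
    """Rules that apply to any file path found in an autostart entry."""
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("loads from a user Temp directory")
    return reasons


def rundll_reasons(cmd):
    """Extra rules for entries that start rundll32 with a DLL and an export."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return []
    reasons = path_reasons(m["dll"])
    entry = m["entry"] or ""
    if entry.startswith("#"):
        # Assumption used by this example: legitimate Run entries name their
        # export; calling by ordinal hides what the DLL actually does.
        reasons.append("rundll32 calls the DLL by ordinal export (%s) (heuristic)" % entry)
    return reasons


def triage(lines):
    """Return one finding per suspicious line: {'name', 'line', 'reasons'}.
    Lines that match no rule are not returned; that does not make them clean."""
    findings = []
    for raw in lines:
        line = raw.strip()
        name, reasons = None, []
        if m := F3_RE.match(line):
            name = "win.ini load"
            reasons.append("win.ini load= is set (normally empty on a clean system)")
            reasons += path_reasons(m["path"])
        elif m := O2O3_RE.match(line):
            name = m["name"]
            if m["path"] == "(no file)":
                reasons.append("browser extension registered with no backing file (orphan, clean-up item)")
            else:
                reasons += path_reasons(m["path"])
        elif m := O4_RE.match(line):
            name = m["name"]
            cmd = USER_SUFFIX_RE.sub("", m["cmd"])   # drop HijackThis' "(User '...')" tail
            if RUNDLL_RE.match(cmd):
                reasons += rundll_reasons(cmd)
            else:
                reasons += path_reasons(first_token(cmd))
        if reasons:
            findings.append({"name": name, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.strip().splitlines()):
        print(f["name"], "->", "; ".join(f["reasons"]))
        print("    ", f["line"])
```

Run as-is it prints the five entries a helper would pull out of the sample; to use it on a fresh log, pass the file's lines to triage(). Anything it does not flag is simply unmatched by these rules, not verified clean, and the "(no file)" orphans are housekeeping rather than evidence of infection on their own.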

#6
BHowett
    OT Moderator
  • Moderator
  • 4,649 posts
Hi Phantasy

Disable Windows Defender.

Please disable Windows Defender as it may interfere with our fix.
Click on "Tools"
Click on "General Settings"
Scroll down to "Real-time protection options"
Uncheck "Turn on Real-time protection (recommended)"
Click "Save"
===============================================


It also appears you are using the McAfee Internet Security suite and AVG7. I don't know if all subscriptions are up to date, but remember you only want to use one antivirus program, so please turn one of the two off. If you are going to use McAfee, please turn the McAfee Real-time Scanner off until you get the all clear.

===============================================


Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

===============================================


Fix with HijackThis


(You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\efecyaa.dll,#1
O4 - HKLM\..\Run: [0203441200527173mcinstcleanup] C:\Users\Carlos\AppData\Local\Temp\020344~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\pmkhe.dll,#1


Now close all windows other than HiJackThis (especially Internet Explorer!), then click Fix Checked. Close HiJackThis. Reboot into Safe Mode. (Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.)

Using Windows Explorer (to get there, right-click your Start button and go to "My Computer", or hold down the Windows Key + E), please delete these files (if present):

C:\Windows\system32\efecyaa.dll


After that, Reboot, in normal mode.

===============================================


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


===============================================


Please post the vundofix.txt and a new HiJackThis log in your next reply.
  • 0

#7
Phantasy66
    Member
  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thanks again for taking the time to sort out my problem.
I've disabled Windows Defender and scanned with VundoFix.exe, but it cannot find any problems.
I did have McAfee installed, but I uninstalled it and there is nothing left of it.
  • 0

#8
BHowett
    OT Moderator
  • Moderator
  • 4,649 posts
No worries, we will get it one way or another. :)


Please rescan with ComboFix.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#9
Phantasy66
    Member
  • Topic Starter
  • Member
  • PipPip
  • 26 posts
ComboFix 08-01-20.1 - Carlos 2008-01-21 23:14:29.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1256 [GMT 0:00]
Running from: C:\Users\Carlos\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 16:02 . 2008-01-21 16:02 <DIR> d-------- C:\VundoFix Backups
2008-01-20 19:37 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-17 16:46 . 2008-01-17 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 11:56 . 2008-01-17 11:56 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-17 11:56 . 2008-01-17 12:08 <DIR> d-------- C:\Users\All Users\avg7
2008-01-17 11:56 . 2008-01-17 11:56 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-01-17 11:56 . 2008-01-17 11:56 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-01-17 11:56 . 2008-01-17 11:56 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-16 23:47 . 2005-04-20 19:22 608,448 --a------ C:\Windows\System32\comctl32.ocx
2008-01-16 23:47 . 2006-03-03 11:07 143,360 --a------ C:\Windows\System32\dunzip32.dll
2008-01-16 23:46 . 2006-07-17 21:56 105,560 --a------ C:\Windows\System32\drivers\Mpfp.sys
2008-01-16 23:46 . 2006-07-27 17:12 1,808 --a------ C:\Windows\System32\subst.inf
2008-01-16 23:45 . 2008-01-16 23:45 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-16 23:44 . 2008-01-16 23:50 <DIR> d-------- C:\Program Files\McAfee
2008-01-16 23:44 . 2008-01-16 23:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-16 23:43 . 2008-01-16 23:52 <DIR> d-------- C:\Users\All Users\McAfee
2008-01-14 16:15 . 2008-01-14 16:15 <DIR> d-------- C:\Program Files\Flagship Studios
2008-01-13 20:22 . 2007-07-16 15:53 48 --a------ C:\Windows\System32\readme.bat
2008-01-09 13:54 . 2008-01-09 13:54 <DIR> d-------- C:\Program Files\LucasArts
2008-01-09 13:34 . 2008-01-09 13:34 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 13:34 . 2008-01-09 13:34 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 13:34 . 2008-01-09 13:34 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 13:34 . 2008-01-09 13:34 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 13:34 . 2008-01-09 13:34 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 13:33 . 2008-01-09 13:33 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 13:33 . 2008-01-09 13:33 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 13:33 . 2008-01-09 13:33 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 13:33 . 2008-01-09 13:33 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 13:33 . 2008-01-09 13:33 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 13:33 . 2008-01-09 13:33 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 13:33 . 2008-01-09 13:33 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-01-09 13:33 . 2008-01-09 13:33 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-06 11:40 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iPod
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Program Files\QuickTime
2008-01-06 11:39 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iTunes
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Users\All Users\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-03 00:50 . 2008-01-03 00:50 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-01-02 23:51 . 2008-01-14 17:12 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
2008-01-02 22:23 . 2008-01-03 00:47 <DIR> d-------- C:\Company of Heroes
2008-01-02 22:22 . 2008-01-02 22:22 <DIR> d-------- C:\Command And Conquer 3
2008-01-02 22:18 . 2008-01-02 22:20 <DIR> d-------- C:\Flatout 2
2008-01-02 22:15 . 2008-01-02 22:15 <DIR> d-------- C:\Lego SW
2008-01-02 20:27 . 2008-01-05 13:27 <DIR> dr------- C:\Film
2007-12-27 18:28 . 2007-12-27 18:29 <DIR> d-------- C:\Program Files\Uplink
2007-12-27 18:27 . 2007-12-27 18:27 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-25 19:33 . 2007-12-25 19:33 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-23 16:55 . 2007-12-23 16:55 <DIR> d-------- C:\Users\All Users\TuneUp Software
2007-12-23 16:55 . 2007-12-23 16:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2007-12-23 16:55 . 2007-12-23 16:55 306,432 --a------ C:\Windows\System32\TuneUpDefragService.exe
2007-12-23 16:55 . 2007-12-20 10:41 29,440 --a------ C:\Windows\System32\uxtuneup.dll
2007-12-23 16:55 . 2007-12-20 10:44 16,640 --a------ C:\Windows\System32\authuitu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 11:44 --------- d-----w C:\Program Files\Steam
2008-01-16 22:40 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-01-13 20:27 --------- d-----w C:\Program Files\Sierra Entertainment
2008-01-13 20:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 17:50 --------- d-----w C:\Program Files\Common Files\Steam
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 13:33 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 13:33 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 13:33 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 13:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 00:26 --------- d-----w C:\Program Files\THQ
2007-12-27 17:48 715,248 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-12-25 13:12 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2007-12-25 13:12 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2007-12-23 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 21:44 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2007-12-18 21:31 356,352 ----a-w C:\Windows\System32\nvuninst.exe
2007-12-18 20:19 --------- d-----w C:\Program Files\SopCast
2007-12-18 19:55 86,016 ----a-w C:\Windows\System32\nvsvc.dll
2007-12-18 19:55 81,920 ----a-w C:\Windows\System32\nvmctray.dll
2007-12-18 19:55 8,530,464 ----a-w C:\Windows\System32\nvcpl.dll
2007-12-18 19:55 8,238,720 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2007-12-18 19:55 795,104 ----a-w C:\Windows\System32\dpinst.exe
2007-12-18 19:55 753,664 ----a-w C:\Windows\System32\nvcplui.exe
2007-12-18 19:55 7,098,368 ----a-w C:\Windows\System32\nvoglv32.dll
2007-12-18 19:55 6,549,504 ----a-w C:\Windows\System32\nvdisps.dll
2007-12-18 19:55 5,263,360 ----a-w C:\Windows\System32\nvd3dum.dll
2007-12-18 19:55 45,056 ----a-w C:\Windows\System32\nvmccsrs.dll
2007-12-18 19:55 385,024 ----a-w C:\Windows\System32\nvapi.dll
2007-12-18 19:55 356,352 ----a-w C:\Windows\System32\nvudisp.exe
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod100.dll
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod.dll
2007-12-18 19:55 307,200 ----a-w C:\Windows\System32\nvexpbar.dll
2007-12-18 19:55 3,710,976 ----a-w C:\Windows\System32\nvvitvs.dll
2007-12-18 19:55 3,420,160 ----a-w C:\Windows\System32\nvgames.dll
2007-12-18 19:55 229,376 ----a-w C:\Windows\System32\nvmccs.dll
2007-12-18 19:55 2,498,560 ----a-w C:\Windows\System32\nvwss.dll
2007-12-18 19:55 188,416 ----a-w C:\Windows\System32\nvmccss.dll
2007-12-18 19:55 147,456 ----a-w C:\Windows\System32\nvcolor.exe
2007-12-18 19:55 1,830,912 ----a-w C:\Windows\System32\nvwgf2um.dll
2007-12-18 19:55 1,228,800 ----a-w C:\Windows\System32\nvmobls.dll
2007-12-17 12:06 --------- d-s---w C:\Program Files\Xfire
2007-12-16 23:59 --------- d-----w C:\Program Files\DivX
2007-12-14 15:42 --------- d-----w C:\Program Files\SpeedFan
2007-12-13 10:27 --------- d-----w C:\Program Files\Final Fantasy VII
2007-12-13 07:51 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:51 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:51 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:51 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:51 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:51 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:50 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:50 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:50 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:50 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:50 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:49 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:49 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 00:29 --------- d-----w C:\Program Files\Sierra
2007-12-11 19:46 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\Windows\System32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\Windows\System32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\Windows\System32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\Windows\System32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-12-11 16:42 --------- d-----w C:\Program Files\Common Files\AnimeVamp
2007-12-09 20:29 --------- d-----w C:\Program Files\ATITool
2007-12-06 23:09 --------- d-----w C:\Program Files\Activision
2007-11-17 16:18 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 07:54 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 07:54 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 07:54 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 07:54 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 07:54 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 07:54 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 07:54 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 07:54 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 07:54 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 07:54 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-11-14 16:12 669,184 ----a-w C:\Windows\System32\pbsvc.exe
2007-10-29 00:02 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-10-06 20:47 174 --sha-w C:\Program Files\desktop.ini
.
<pre>
----a-w			63,712 2008-01-17 11:43:04  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w		 1,266,936 2008-01-17 11:43:06  C:\Program Files\Steam\Steam .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-20_19.40.47.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-20 19:34:30 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-01-21 23:12:16 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-01-20 19:35:40 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-21 15:37:41 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-20 19:36:41 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-21 23:14:27 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-20 19:35:39 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-21 14:26:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-20 19:36:35 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-21 23:14:33 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-18 17:41:13 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 18:42:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-18 17:41:13 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 18:42:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-18 17:41:13 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 18:42:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-20 19:37:59 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-21 23:14:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-21 23:14:25 262,144 ---ha-w C:\Windows\System32\config\systemprofile\ntuser.dat.LOG1
- 2008-01-20 19:33:22 111,812 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-01-21 22:09:56 111,812 ----a-w C:\Windows\System32\perfc009.dat
- 2008-01-20 19:33:22 631,234 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-01-21 22:09:56 631,234 ----a-w C:\Windows\System32\perfh009.dat
- 2008-01-18 13:20:27 7,436 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384733316-1052832952-1687537222-1000_UserData.bin
+ 2008-01-21 23:14:58 7,468 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384733316-1052832952-1687537222-1000_UserData.bin
- 2008-01-20 19:37:08 57,750 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-21 23:14:58 58,224 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-18 17:41:46 36,584 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-21 23:14:54 36,896 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-01-16 00:27:36 208,656 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-01-21 22:58:34 212,068 ----a-w C:\Windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 13:33 1232896]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-17 12:10 171448]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 20:13 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [ ]
"cmds"="C:\Users\Carlos\AppData\Local\Temp\vturo.dll" [2008-01-13 20:28 334336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-05 18:19 1006264]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 17:05 734264]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 23:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 19:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 19:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 19:55 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 11:56 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 11:56 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-17 11:56 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\Users\Carlos\AppData\Local\Temp\vturo.exe

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2006-11-02 09:45]
R3 rt61x86;Sitecom RT61 Wireless Network Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2006-12-13 06:38]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 07:30]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-01-11 11:40]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2007-12-23 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36879e3b-a693-11dc-9713-001966354afe}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fd2a4df-7cef-11dc-bdc5-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c26d7ac1-9158-11dc-9855-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7cd8653-b4a8-11dc-b6f4-001966354afe}]
\shell\AutoRun\command - E:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 17:16:10 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-21 22:22:06 C:\Windows\Tasks\User_Feed_Synchronization-{ACFCB4A1-D9E6-4BD6-A750-C5C084871AA4}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 23:17:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Carlos\AppData\Local\Temp\vturo.dll
.
Completion time: 2008-01-21 23:17:54
ComboFix2.txt 2008-01-20 19:41:15
.
2008-01-18 08:12:35 --- E O F ---
  • 0

#10
Phantasy66
    Member
  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42:39, on 21/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9d.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 8443 bytes

#11 BHowett (OT Moderator, 4,649 posts)
Hi Phantasy,

Sorry for the delay.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Users\Carlos\AppData\Local\Temp\vturo.exe 
C:\Users\Carlos\AppData\Local\Temp\vturo.dll

RENV::
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Program Files\Steam\Steam .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cmds"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

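The CFScript in the reply above is hand-built from the HijackThis log posted before it: the two files in the user's Temp directory go under File::, the programs that now carry a space before their .exe extension go under RENV:: so ComboFix restores their names, and the two autostart values (the [cmds] Run entry and the win.ini load= hook) go under Registry:: as REGEDIT4 value deletions. The Python below is an added example, not code from this thread or from ComboFix, and shows the same triage done mechanically: it parses HijackThis lines, flags the indicators that appeared here (a win.ini load= entry, a Run entry whose target lives under AppData\Local\Temp, a service whose binary is missing) and emits a CFScript body in those three directives. The Temp-directory rule, the RENV:: validation and the function names are this example's own choices; the sample log is constructed from lines in the log above, and the RENV:: path is taken from the reply.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample input, not a complete log: five lines in HijackThis
# format. Paths and the Run-value name "cmds" are those posted in this
# thread; the selection is trimmed to what the rules below react to.
SAMPLE_HJT_LOG = r"""
F3 - REG:win.ini: load=C:\Users\Carlos\AppData\Local\Temp\vturo.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Carlos\AppData\Local\Temp\vturo.dll,c
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

# Heuristic of this example (not a HijackThis rule): nothing legitimate
# autostarts out of a per-user Temp directory.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Full keys behind the abbreviated hives HijackThis prints in O4/F3 lines.
RUN_KEYS = {
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
WININI_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

O4_RE = re.compile(r"^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.+)$")
O23_MISSING_RE = re.compile(r"^O23 - Service: .* \(file missing\)$")
# First drive-letter path ending in .exe/.dll, optionally quoted; pulls the
# payload out of a quoted command or out of "rundll32.exe <dll>,<export>".
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^",]+?\.(?:exe|dll))"?', re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: what it is, the file behind it, and the
    registry value that has to be deleted with it (empty strings where none)."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F3_RE.match(line)
        if m:
            findings.append({"kind": "win.ini load= autostart (legacy hook, rarely legitimate)",
                             "file": m["path"].strip(),
                             "reg_key": WININI_KEY, "reg_value": "load"})
            continue
        m = O4_RE.match(line)
        if m:
            p = PATH_RE.search(m["cmd"])
            if p and TEMP_DIR.search(p["path"]):
                findings.append({"kind": "Run entry launching from a Temp directory",
                                 "file": p["path"],
                                 "reg_key": RUN_KEYS[m["hive"]], "reg_value": m["name"]})
            continue
        if O23_MISSING_RE.match(line):
            findings.append({"kind": "service whose binary is missing (uninstall residue, nothing to delete)",
                             "file": "", "reg_key": "", "reg_value": ""})
    return findings


def renv_targets(paths: Iterable[str]) -> Dict[str, str]:
    """Map each 'name .exe' path to the 'name.exe' that RENV:: restores it to.
    Rejects anything without the space-before-extension pattern, so a typo in
    the list cannot end up renaming the wrong file."""
    out: Dict[str, str] = {}
    for p in paths:
        stem, sep, ext = p.rpartition(" .")
        if not sep or "\\" in ext or " " in ext:
            raise ValueError(f"not a space-before-extension path: {p!r}")
        out[p] = f"{stem}.{ext}"
    return out


def build_cfscript(findings: List[Dict[str, str]], renamed_paths: Iterable[str] = ()) -> str:
    """Emit a CFScript.txt body in the three directives used in the reply above:
    File:: (delete), RENV:: (restore ' .exe' names), Registry:: (REGEDIT4 value deletes)."""
    files = list(dict.fromkeys(f["file"] for f in findings if f["file"]))
    by_key: Dict[str, List[str]] = {}          # registry deletions grouped per key
    for f in findings:
        if f["reg_key"]:
            by_key.setdefault(f["reg_key"], []).append(f["reg_value"])
    renamed = renv_targets(renamed_paths)
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if renamed:
        sections.append("RENV::\n" + "\n".join(renamed))
    if by_key:
        lines = []
        for key, values in by_key.items():
            lines.append(f"[{key}]")
            lines.extend(f'"{v}"=-' for v in values)
        sections.append("Registry::\n" + "\n".join(lines))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for f in found:
        print(f"- {f['kind']}: {f['file'] or '(no file)'}")
    print()
    # The renamed program comes from the RENV:: list in the reply above.
    print(build_cfscript(found, [r"C:\Program Files\Steam\Steam .exe"]))
```

Run stand-alone it prints three findings and a CFScript body whose File:: and Registry:: sections match the ones the moderator wrote by hand; the orphaned McAfee service is reported but produces no action, which is the right call for leftovers of an uninstalled product. The RENV:: check is deliberately strict: ComboFix renames whatever is listed, so the list is validated before it is written out.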

#12 Phantasy66 (Member, Topic Starter, 26 posts)
Hey, thanks again. I really appreciate you taking the time to help me with my problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:46:21, on 22/01/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 8026 bytes

ComboFix 08-01-20.1 - Carlos 2008-01-22 21:38:34.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.863 [GMT 0:00]
Running from: C:\Users\Carlos\Desktop\ComboFix.exe
Command switches used :: C:\Users\Carlos\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Users\Carlos\AppData\Local\Temp\vturo.dll
C:\Users\Carlos\AppData\Local\Temp\vturo.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Carlos\AppData\Local\Temp\vturo.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-22 to 2008-01-22 )))))))))))))))))))))))))))))))
.

2008-01-21 16:02 . 2008-01-21 16:02 <DIR> d-------- C:\VundoFix Backups
2008-01-20 19:37 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-17 16:46 . 2008-01-17 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-17 11:56 . 2008-01-17 11:56 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-17 11:56 . 2008-01-17 12:08 <DIR> d-------- C:\Users\All Users\avg7
2008-01-17 11:56 . 2008-01-17 11:56 499,712 --a------ C:\Windows\System32\msvcp71.dll
2008-01-17 11:56 . 2008-01-17 11:56 348,160 --a------ C:\Windows\System32\msvcr71.dll
2008-01-17 11:56 . 2008-01-17 11:56 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-16 23:47 . 2005-04-20 19:22 608,448 --a------ C:\Windows\System32\comctl32.ocx
2008-01-16 23:47 . 2006-03-03 11:07 143,360 --a------ C:\Windows\System32\dunzip32.dll
2008-01-16 23:46 . 2006-07-17 21:56 105,560 --a------ C:\Windows\System32\drivers\Mpfp.sys
2008-01-16 23:46 . 2006-07-27 17:12 1,808 --a------ C:\Windows\System32\subst.inf
2008-01-16 23:45 . 2008-01-16 23:45 <DIR> d-------- C:\Program Files\McAfee.com
2008-01-16 23:44 . 2008-01-16 23:50 <DIR> d-------- C:\Program Files\McAfee
2008-01-16 23:44 . 2008-01-16 23:47 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-01-16 23:43 . 2008-01-16 23:52 <DIR> d-------- C:\Users\All Users\McAfee
2008-01-14 16:15 . 2008-01-14 16:15 <DIR> d-------- C:\Program Files\Flagship Studios
2008-01-13 20:22 . 2007-07-16 15:53 48 --a------ C:\Windows\System32\readme.bat
2008-01-09 13:54 . 2008-01-09 13:54 <DIR> d-------- C:\Program Files\LucasArts
2008-01-09 13:34 . 2008-01-09 13:34 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 13:34 . 2008-01-09 13:34 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 13:34 . 2008-01-09 13:34 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 13:34 . 2008-01-09 13:34 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 13:34 . 2008-01-09 13:34 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 13:33 . 2008-01-09 13:33 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 13:33 . 2008-01-09 13:33 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 13:33 . 2008-01-09 13:33 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 13:33 . 2008-01-09 13:33 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 13:33 . 2008-01-09 13:33 109,624 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 13:33 . 2008-01-09 13:33 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 13:33 . 2008-01-09 13:33 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 13:33 . 2008-01-09 13:33 17,464 --a------ C:\Windows\System32\drivers\intelide.sys
2008-01-09 13:33 . 2008-01-09 13:33 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-06 11:40 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iPod
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-01-06 11:39 . 2008-01-06 11:39 <DIR> d-------- C:\Program Files\QuickTime
2008-01-06 11:39 . 2008-01-06 11:40 <DIR> d-------- C:\Program Files\iTunes
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Users\All Users\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-06 11:38 . 2008-01-06 11:38 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-03 00:50 . 2008-01-03 00:50 <DIR> d-------- C:\Program Files\NAMCO BANDAI Games
2008-01-02 23:51 . 2008-01-14 17:12 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
2008-01-02 22:23 . 2008-01-03 00:47 <DIR> d-------- C:\Company of Heroes
2008-01-02 22:22 . 2008-01-02 22:22 <DIR> d-------- C:\Command And Conquer 3
2008-01-02 22:18 . 2008-01-02 22:20 <DIR> d-------- C:\Flatout 2
2008-01-02 22:15 . 2008-01-02 22:15 <DIR> d-------- C:\Lego SW
2008-01-02 20:27 . 2008-01-05 13:27 <DIR> dr------- C:\Film
2007-12-27 18:28 . 2007-12-27 18:29 <DIR> d-------- C:\Program Files\Uplink
2007-12-27 18:27 . 2007-12-27 18:27 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2007-12-25 19:33 . 2007-12-25 19:33 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-23 16:55 . 2007-12-23 16:55 <DIR> d-------- C:\Users\All Users\TuneUp Software
2007-12-23 16:55 . 2007-12-23 16:56 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2007-12-23 16:55 . 2007-12-23 16:55 306,432 --a------ C:\Windows\System32\TuneUpDefragService.exe
2007-12-23 16:55 . 2007-12-20 10:41 29,440 --a------ C:\Windows\System32\uxtuneup.dll
2007-12-23 16:55 . 2007-12-20 10:44 16,640 --a------ C:\Windows\System32\authuitu.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 21:40 --------- d-----w C:\Program Files\Steam
2008-01-16 22:40 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-01-13 20:27 --------- d-----w C:\Program Files\Sierra Entertainment
2008-01-13 20:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 17:50 --------- d-----w C:\Program Files\Common Files\Steam
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 14:19 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 13:33 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 13:33 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 13:33 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 13:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-03 00:26 --------- d-----w C:\Program Files\THQ
2007-12-27 17:48 715,248 ----a-w C:\Windows\system32\drivers\sptd.sys
2007-12-25 13:12 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2007-12-25 13:12 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2007-12-23 16:54 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-19 21:44 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2007-12-18 21:31 356,352 ----a-w C:\Windows\System32\nvuninst.exe
2007-12-18 20:19 --------- d-----w C:\Program Files\SopCast
2007-12-18 19:55 86,016 ----a-w C:\Windows\System32\nvsvc.dll
2007-12-18 19:55 81,920 ----a-w C:\Windows\System32\nvmctray.dll
2007-12-18 19:55 8,530,464 ----a-w C:\Windows\System32\nvcpl.dll
2007-12-18 19:55 8,238,720 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2007-12-18 19:55 795,104 ----a-w C:\Windows\System32\dpinst.exe
2007-12-18 19:55 753,664 ----a-w C:\Windows\System32\nvcplui.exe
2007-12-18 19:55 7,098,368 ----a-w C:\Windows\System32\nvoglv32.dll
2007-12-18 19:55 6,549,504 ----a-w C:\Windows\System32\nvdisps.dll
2007-12-18 19:55 5,263,360 ----a-w C:\Windows\System32\nvd3dum.dll
2007-12-18 19:55 45,056 ----a-w C:\Windows\System32\nvmccsrs.dll
2007-12-18 19:55 385,024 ----a-w C:\Windows\System32\nvapi.dll
2007-12-18 19:55 356,352 ----a-w C:\Windows\System32\nvudisp.exe
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod100.dll
2007-12-18 19:55 35,328 ----a-w C:\Windows\System32\nvcod.dll
2007-12-18 19:55 307,200 ----a-w C:\Windows\System32\nvexpbar.dll
2007-12-18 19:55 3,710,976 ----a-w C:\Windows\System32\nvvitvs.dll
2007-12-18 19:55 3,420,160 ----a-w C:\Windows\System32\nvgames.dll
2007-12-18 19:55 229,376 ----a-w C:\Windows\System32\nvmccs.dll
2007-12-18 19:55 2,498,560 ----a-w C:\Windows\System32\nvwss.dll
2007-12-18 19:55 188,416 ----a-w C:\Windows\System32\nvmccss.dll
2007-12-18 19:55 147,456 ----a-w C:\Windows\System32\nvcolor.exe
2007-12-18 19:55 1,830,912 ----a-w C:\Windows\System32\nvwgf2um.dll
2007-12-18 19:55 1,228,800 ----a-w C:\Windows\System32\nvmobls.dll
2007-12-17 12:06 --------- d-s---w C:\Program Files\Xfire
2007-12-16 23:59 --------- d-----w C:\Program Files\DivX
2007-12-14 15:42 --------- d-----w C:\Program Files\SpeedFan
2007-12-13 10:27 --------- d-----w C:\Program Files\Final Fantasy VII
2007-12-13 07:51 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-13 07:51 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-13 07:51 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-13 07:51 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-13 07:51 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-13 07:51 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-13 07:50 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-13 07:50 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-13 07:50 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-13 07:50 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-13 07:50 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-13 07:49 3,504,824 ----a-w C:\Windows\System32\ntkrnlpa.exe
2007-12-13 07:49 3,470,520 ----a-w C:\Windows\System32\ntoskrnl.exe
2007-12-12 00:29 --------- d-----w C:\Program Files\Sierra
2007-12-11 19:46 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2007-12-11 19:46 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2007-12-11 19:45 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2007-12-11 19:45 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2007-12-11 19:44 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2007-12-11 19:44 81,920 ----a-w C:\Windows\System32\dpl100.dll
2007-12-11 19:44 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2007-12-11 19:44 682,496 ----a-w C:\Windows\System32\DivX.dll
2007-12-11 19:44 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2007-12-11 19:44 57,344 ----a-w C:\Windows\System32\dpv11.dll
2007-12-11 19:44 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2007-12-11 19:44 344,064 ----a-w C:\Windows\System32\dpus11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu11.dll
2007-12-11 19:44 294,912 ----a-w C:\Windows\System32\dpu10.dll
2007-12-11 19:44 196,608 ----a-w C:\Windows\System32\dtu100.dll
2007-12-11 19:44 156,992 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2007-12-11 19:43 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2007-12-11 16:42 --------- d-----w C:\Program Files\Common Files\AnimeVamp
2007-12-09 20:29 --------- d-----w C:\Program Files\ATITool
2007-12-06 23:09 --------- d-----w C:\Program Files\Activision
2007-11-17 16:18 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-15 07:54 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-15 07:54 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-15 07:54 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-15 07:54 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-15 07:54 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-15 07:54 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-15 07:54 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-15 07:54 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-15 07:54 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-15 07:54 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-15 07:53 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-11-14 16:12 669,184 ----a-w C:\Windows\System32\pbsvc.exe
2007-10-29 00:02 36,864 ----a-w C:\Windows\System32\cdd.dll
2007-10-06 20:47 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((( snapshot_2008-01-21_23.17.21.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 23:12:16 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-01-22 19:27:10 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-01-20 19:37:40 1,196,032 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-22 21:38:08 1,196,032 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-20 19:37:41 1,196,032 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
+ 2008-01-22 21:38:08 1,196,032 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000002\NTUSER.DAT
- 2008-01-20 19:37:41 4,321,280 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-22 21:38:09 4,321,280 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-20 19:37:41 2,277,376 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-22 21:38:09 2,277,376 ----a-w C:\Windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-21 15:37:41 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-22 01:42:08 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-21 23:14:27 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-01-22 19:29:25 1,310,720 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-01-21 14:26:25 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-01-22 01:42:08 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-01-21 23:14:33 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-01-22 19:29:19 1,310,720 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-01-21 18:42:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-22 00:08:21 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 18:42:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-22 00:08:21 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 18:42:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-22 00:08:21 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 23:14:25 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-22 21:38:28 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-01-21 22:09:56 111,812 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-01-22 19:34:23 111,812 ----a-w C:\Windows\System32\perfc009.dat
- 2008-01-21 22:09:56 631,234 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-01-22 19:34:23 631,234 ----a-w C:\Windows\System32\perfh009.dat
- 2008-01-21 23:14:58 7,468 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384733316-1052832952-1687537222-1000_UserData.bin
+ 2008-01-22 19:29:51 7,468 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2384733316-1052832952-1687537222-1000_UserData.bin
- 2008-01-21 23:14:58 58,224 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-22 19:29:51 58,434 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-21 23:14:54 36,896 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-01-22 19:29:50 37,110 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 13:33 1232896]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-17 12:10 171448]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 04:40 218032]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-19 20:13 486856]
"Steam"="C:\Program Files\Steam\Steam.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-05 18:19 1006264]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 17:05 734264]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 23:47 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 23:52 849280]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 19:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 19:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 19:55 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-17 11:56 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-17 11:56 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-17 11:56 9216 C:\Windows\System32\avgwlntf.dll

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2006-11-02 09:45]
R3 rt61x86;Sitecom RT61 Wireless Network Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2006-12-13 06:38]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 07:30]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-01-11 11:40]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2007-12-23 16:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36879e3b-a693-11dc-9713-001966354afe}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fd2a4df-7cef-11dc-bdc5-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c26d7ac1-9158-11dc-9855-001966354afe}]
\shell\AutoRun\command - E:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7cd8653-b4a8-11dc-b6f4-001966354afe}]
\shell\AutoRun\command - E:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 17:16:10 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-21 22:22:06 C:\Windows\Tasks\User_Feed_Synchronization-{ACFCB4A1-D9E6-4BD6-A750-C5C084871AA4}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 21:41:06
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-22 21:41:42
ComboFix-quarantined-files.txt 2008-01-22 21:41:40
ComboFix2.txt 2008-01-21 23:36:40
ComboFix3.txt 2008-01-21 23:17:55
ComboFix4.txt 2008-01-20 19:41:15
.
2008-01-18 08:12:35 --- E O F ---
  • 0

#13
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi Phantasy

Looks like we did it, good job :)


Remove Tools Used
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

===============================================


This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have.

  • First
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    For Vista

    1. Click Start
    2. Right click Computer > Properties > Choose Advanced System Settings option in left menu listing.
    3. If UAC is enabled you will get a UAC prompt > click Continue
    4. Click System Protection tab
    5. Then Untick any Drive Listed ( see pic below ) and in the popup window click Turn Off System Restore
    6. Click Apply > OK


    Posted Image


    To re-enable System Restore, follow steps 1-4 then Tick the Drives you wish to enable System Restore on and click Apply and OK


    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

    1.) Watch what you download!
    Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

    2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes the Service Pack 2! If you suspect your computer is infected with Malware of any type, we advise you to not install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

    It's important to always keep current with the latest security fixes from Microsoft.
    Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

    3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".

    Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
    Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

    So why is ActiveX so dangerous that you have to increase the security for it?
    When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
    Would you run just any random file downloaded off a web site without knowing what it is and what it does?

    4.) Install Javacool's SpywareBlaster

    It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

    Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done.
    The spyware that you told SpywareBlaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
    Don't forget to check for updates every week or so.

    5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

    6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

    7.) Another excellent program by Javacool we recommend is SpywareGuard.
    It provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.

    8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

    *It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

    9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

    10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.
    NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.



    Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0
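Items 3 and 4 above rely on Internet Explorer's ActiveX "kill bit": a control whose CLSID has bit 0x400 set in its Compatibility Flags value is never instantiated by the browser, no matter what a page asks for. The script below is an added example for checking that state, not code from the forum post or from SpywareBlaster; the registry path is the documented one for 32-bit Windows (on 64-bit systems the Wow6432Node mirror would also need checking), and the CLSID passed at the end is a constructed placeholder, not a real control.

```powershell
# Added example (not from the thread): report whether the ActiveX kill bit
# (Compatibility Flags bit 0x400) is set for each CLSID given.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string[]]$Clsid
    )
    # Documented location of per-control ActiveX compatibility settings.
    # Assumption: 32-bit view only; 64-bit Windows also has a Wow6432Node copy.
    $base = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    foreach ($id in $Clsid) {
        $key   = Join-Path $base $id
        $flags = 0
        if (Test-Path $key) {
            $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            $flags = [int]$item.'Compatibility Flags'   # $null casts to 0 when the value is absent
        }
        [pscustomobject]@{
            CLSID              = $id
            CompatibilityFlags = ('0x{0:X}' -f $flags)
            KillBitSet         = (($flags -band 0x400) -ne 0)
        }
    }
}

# Constructed placeholder CLSID; substitute the identifiers you want to audit.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A control that SpywareBlaster or Spybot's Immunize feature has blocked shows KillBitSet as True; a control that is simply absent from the key has no kill bit and will still load if a page references it.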

#14
Phantasy66

Phantasy66

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Thank you so much for all your help, you were great!
I will try to keep my computer clean. It's good to know there are people like you out there to help people fight against viruses!
Many thanks
Best Wishes
Carl
  • 0

#15
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
