Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Random Windows Error Popups, Ie Ad Popups, Spoolsv.exe Seems Heavily Involved


  • This topic is locked This topic is locked
5 replies to this topic

#1 quadeh

quadeh

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 04 August 2007 - 03:01 PM

Every once and a while I get a windows error message saying "this file could not be downloaded," coupled usually with an IE popup. Additionally, sometimes it seems an infected executable is actively keeping Firefox from starting, and I get a fatal error that keeps the program from running, though sometimes using the control panel to manually end suspicious looking processes seems to alleviate this. Have run Adaware, Spybot, Kapersky, and Symantic all multiple times in varying combinations, which solves most of the problems for a little while, but they all eventually come back. Thanks in advance for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:43 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\retadpu1000106.exe
C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\MBDownloader_876919.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Johnny V\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\lcevfxbk.dll",forkonce
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156199676500
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9956 bytes

BC AdBot (Login to Remove)

 


m

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 AM

Posted 04 August 2007 - 06:45 PM

Hello and welcome aboard :flowers:

Yup, looks like a few infections. I'll do my best.

Firstly, you seem to have Kaspersky and Norton both active. You should only use 1 anti-virus app active; if you use many at the same time they WILL cause problems. If you only use the other as a on-demand scanner, then it's fine :huh:

1. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

======

2. Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

4. Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
  • Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
=====

5. Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply, along with the VundoFix log aswell as a fresh HijackThis log (might need to post several replies to get all fit in). :thumbsup:
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#3 quadeh

quadeh
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:32 AM

Posted 05 August 2007 - 01:36 AM

Thanks a lot! Here are the logs:


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:49:31 AM 8/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\windows\system32\hpucgicp.dll
C:\windows\system32\pcigcuph.ini
C:\windows\system32\saghfmsw.dll
C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\srutv.bak2
C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\srutv.tmp
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.tmp
C:\windows\system32\wsmfhgas.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayv.dll Has been deleted!

Attempting to delete C:\windows\system32\hpucgicp.dll
C:\windows\system32\hpucgicp.dll Has been deleted!

Attempting to delete C:\windows\system32\pcigcuph.ini
C:\windows\system32\pcigcuph.ini Has been deleted!

Attempting to delete C:\windows\system32\saghfmsw.dll
C:\windows\system32\saghfmsw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.bak1
C:\WINDOWS\system32\srutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.bak2
C:\WINDOWS\system32\srutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.ini
C:\WINDOWS\system32\srutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.ini2
C:\WINDOWS\system32\srutv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\srutv.tmp
C:\WINDOWS\system32\srutv.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\vyadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyadd.tmp
C:\WINDOWS\system32\vyadd.tmp Has been deleted!

Attempting to delete C:\windows\system32\wsmfhgas.ini
C:\windows\system32\wsmfhgas.ini Has been deleted!

Performing Repairs to the registry.
Done!

------------------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 07-08-04.3 - "Johnny V" 2007-08-05 2:05:45.1 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JOHNNY~1\APPLIC~1\WinTouch
C:\DOCUME~1\JOHNNY~1\APPLIC~1\WinTouch\wintouch.cfg
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\WINDOWS\b103.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\retadpu572.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\anemnbuv.exe
C:\WINDOWS\system32\b02FdUe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\w717.exe
C:\WINDOWS\system32\eeaujftm.exe
C:\WINDOWS\system32\F2
C:\WINDOWS\system32\F3
C:\WINDOWS\system32\hgghggh.dll
C:\WINDOWS\system32\ioroqelj.exe
C:\WINDOWS\system32\iqpcolap.exe
C:\WINDOWS\system32\jnrngcuq.exe
C:\WINDOWS\system32\jvxemgea.dll
C:\WINDOWS\system32\kuhjeleg.exe
C:\WINDOWS\system32\opwjmkpn.exe
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\ptojwdml.exe
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\vrxscvcp.exe
C:\WINDOWS\system32\vtutsts.dll
C:\WINDOWS\system32\vxhacefm.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wvuvutu.dll
C:\WINDOWS\system32\xltwdeue.exe
C:\WINDOWS\system32\ydiqqjnh.exe
C:\WINDOWS\system32\yurgapvs.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z11
C:\WINDOWS\system32\Z3
C:\WINDOWS\system32\Z5
C:\WINDOWS\system32\Z7
C:\WINDOWS\wr.txt


((((((((((((((((((((((((( Files Created from 2007-07-05 to 2007-08-05 )))))))))))))))))))))))))))))))


2007-08-05 02:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-05 02:04 <DIR> d-------- C:\bintheredunthat
2007-08-05 01:55 <DIR> d-------- C:\bfu
2007-08-05 01:49 <DIR> d-------- C:\VundoFix Backups
2007-08-04 06:50 <DIR> d-------- C:\WINDOWS\system32\f02WtR
2007-08-04 06:50 <DIR> d-------- C:\WINDOWS\system32\configs
2007-08-04 02:24 <DIR> d-------- C:\Python25
2007-08-04 02:22 <DIR> d-------- C:\Program Files\YafRay
2007-08-04 02:14 <DIR> d-------- C:\tmp
2007-08-04 02:10 <DIR> d-------- C:\Program Files\Blender Foundation
2007-08-04 01:36 125,504 --a------ C:\WINDOWS\system32\lcevfxbk.dll
2007-08-01 02:37 <DIR> d-------- C:\Program Files\Capcom
2007-07-28 13:34 126,016 --a------ C:\WINDOWS\system32\qsvgxhed.dll
2007-07-24 20:36 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Right Hemisphere
2007-07-24 20:35 <DIR> d-------- C:\Program Files\Right Hemisphere
2007-07-24 20:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Right Hemisphere
2007-07-21 03:10 <DIR> d-------- C:\Program Files\Pixologic
2007-07-21 02:55 <DIR> d-------- C:\Pixologic.zbrush.v3.0.cracked-arn
2007-07-20 18:13 90,112 --a------ C:\WINDOWS\system32\RegDACL.exe
2007-07-20 18:13 9,006 --a------ C:\clean.bat
2007-07-20 18:13 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-07-20 18:13 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-07-17 23:56 14,355,744 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-17 23:55 1,978,912 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-17 23:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-07-17 23:53 <DIR> d-------- C:\KAV
2007-07-17 19:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-17 19:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-09 01:35 <DIR> d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Dr. DivX 2.0 OSS


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-05 02:17 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-08-05 02:17 341 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-08-05 02:14 193292 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-05 02:14 185180 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-01 02:40 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Azureus
2007-07-29 17:04 --------- d-------- C:\Program Files\Sony
2007-07-29 16:57 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-29 16:56 --------- d-------- C:\Program Files\Ubisoft
2007-07-18 07:32 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-17 07:38 --------- d-------- C:\Program Files\Online Services
2007-07-16 23:58 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\FileZilla
2007-07-16 01:59 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\gtk-2.0
2007-07-15 23:26 --------- d-------- C:\Program Files\Windows Plus
2007-07-09 02:15 --------- d-------- C:\Program Files\mIRC
2007-07-09 01:39 --------- d-------- C:\Program Files\DivX
2007-07-02 15:41 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-02 15:41 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-02 15:41 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-02 15:41 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-02 15:37 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-02 15:37 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-02 15:37 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-02 15:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-02 15:37 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-02 15:37 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-02 15:37 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-02 15:37 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-02 15:37 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-02 15:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-02 15:36 124472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-07-02 15:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-06-29 01:36 --------- d-------- C:\Program Files\Xplosiv
2007-06-28 20:10 --------- d-------- C:\Program Files\Deus Ex - Invisible War
2007-06-17 20:55 --------- d-------- C:\DOCUME~1\JOHNNY~1\APPLIC~1\Media Player Classic
2007-06-17 20:54 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-06-17 20:44 --------- d-------- C:\Program Files\CCleaner
2007-06-09 06:14 564224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-06-08 20:31 --------- d-------- C:\Program Files\CDisplay
2007-06-03 14:31 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-06-02 01:10 52736 --a------ C:\WINDOWS\ipuninst.exe
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-08-17 19:35:18 8 --sh--r C:\WINDOWS\system32\DC1664B6F2.sys
2006-08-17 19:35:20 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AAAB5C2-6D20-4D03-B624-E46AB8C2F846}]
C:\WINDOWS\system32\vturs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6944ED4C-ACF6-48E9-FFBB-9DAAFEF207C2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9EF7D64-47D3-4EE3-BE07-B00ECB2A4A95}]
C:\WINDOWS\system32\ddayv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\stsystra.exe]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 07:56]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 20:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 04:40]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 16:09]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 13:22]
"AGEIA PhysX SysTray"="C:\Program Files\AGEIA Technologies\TrayIcon.exe" [2006-09-08 10:01]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-02 15:24]
"svhost"="C:\WINDOWS\svhost.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"Aim6"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-05-03 17:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"WMC_WMPDBExport"=C:\Program Files\Windows Media Player\wmdbexport.exe
"TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2006-08-22 12:23:44]
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 19:55:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfdcc]
hggfdcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljhggda]
ljhggda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mdc]
notification.dll 2005-01-26 15:52 294912 C:\WINDOWS\system32\notification.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqrq]
C:\WINDOWS\system32\ssqrq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturs]
C:\WINDOWS\system32\vturs.dll

R0 iastor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iastor.sys
R1 ELhid;ELhid;C:\WINDOWS\system32\DRIVERS\ELhid.sys
R1 ELkbd;ELkbd;C:\WINDOWS\system32\DRIVERS\ELkbd.sys
R1 ELmon;ELmon;C:\WINDOWS\system32\DRIVERS\ELmon.sys
R1 ELmou;ELmou;C:\WINDOWS\system32\DRIVERS\ELmou.sys
R2 atksgt;atksgt;C:\WINDOWS\system32\DRIVERS\atksgt.sys
R2 lirsgt;lirsgt;C:\WINDOWS\system32\DRIVERS\lirsgt.sys
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe
R3 ATIAVPCI;ATI Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavrr.sys
R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 ELacpi;ELacpi;C:\WINDOWS\system32\DRIVERS\ELacpi.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S3 CEUSBAUD;DigiTech USB MIDI Driver;C:\WINDOWS\system32\Drivers\CEUSBAUD.sys
S3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\VstPlugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 muIO;muIO;\??\C:\WINDOWS\system32\muIO.sys
S3 nenum13E;nenum13E;\??\C:\DOCUME~1\JOHNNY~1\LOCALS~1\Temp\nenum13E.sys
S3 PnkBstrK;PnkBstrK;\??\C:\WINDOWS\system32\drivers\PnkBstrK.sys
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE
S3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\VstPlugins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{35cf3857-345e-11db-909e-001372280749}]
AutoRun\command- F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-08-02 17:24:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-05 02:16:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\lsprst7.tgz

scan completed successfully
hidden files: 1

**************************************************************************

Completion time: 2007-08-05 2:20:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-05 02:19

--- E O F ---


------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:58 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Johnny V\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AAAB5C2-6D20-4D03-B624-E46AB8C2F846} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: 0 - {6944ED4C-ACF6-48E9-FFBB-9DAAFEF207C2} - (no file)
O2 - BHO: (no name) - {A9EF7D64-47D3-4EE3-BE07-B00ECB2A4A95} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1156199676500
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O20 - Winlogon Notify: hggfdcc - hggfdcc.dll (file missing)
O20 - Winlogon Notify: ljhggda - ljhggda.dll (file missing)
O20 - Winlogon Notify: mdc - C:\WINDOWS\SYSTEM32\notification.dll
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 AM

Posted 05 August 2007 - 10:27 AM

Hi again, lets continue :flowers:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please run a scan with HijackThis and check the following objects for removal:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5AAAB5C2-6D20-4D03-B624-E46AB8C2F846} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: 0 - {6944ED4C-ACF6-48E9-FFBB-9DAAFEF207C2} - (no file)
O2 - BHO: (no name) - {A9EF7D64-47D3-4EE3-BE07-B00ECB2A4A95} - C:\WINDOWS\system32\ddayv.dll (file missing)
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O20 - Winlogon Notify: hggfdcc - hggfdcc.dll (file missing)
O20 - Winlogon Notify: ljhggda - ljhggda.dll (file missing)
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll (file missing)
O20 - Winlogon Notify: vturs - C:\WINDOWS\system32\vturs.dll (file missing)


Now close ALL open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

===

Open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\svhost.exe
C:\Documents and Settings\Johnny V\Local Settings\Temp\nenum13E.sys
C:\WINDOWS\system32\lcevfxbk.dll
C:\WINDOWS\system32\qsvgxhed.dll


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

===

Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within AVG Anti-Spyware for a reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Close AVG Anti-Spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware, reboot your system back into Normal Mode and post back with the AVG Anti-Spyware results aswell as the new combofix log. :thumbsup:

Hi there, stranger!

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 AM

Posted 11 August 2007 - 08:42 AM

It's been a while. Still in need of help?
Hi there, stranger!

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:32 AM

Posted 18 August 2007 - 09:42 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member.
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users