
Win32/adware.sectoolbar Application


4 replies to this topic

#1 optic


Posted 15 February 2008 - 04:52 AM

Hi there. I've been working on trying to remove this adware/malware for several days now and I feel there is no end to it. My IE is the only browser to pick it up every time I open my homepage, and even though my NOD32 detects it and 'claims' to have deleted it, it comes back every time I restart my computer. I tried almost every other application I could find, like Ad-Aware, Eset Online Scanner, SpyBot, Trend Micro online scanner and Stinger; even booting the system in 'safe mode' to try and find the adware/malware failed.

Here is my latest HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:47 PM, on 15/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\cisvc.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Eset\nod32kui.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\PowerISO\SCDEmuApp.exe
E:\WINDOWS\System32\Drivers\SAP\FD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\QuickTime\qttask.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
E:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\cidaemon.exe
E:\WINDOWS\system32\cidaemon.exe
E:\Program Files\Winamp\winamp.exe
E:\Program Files\MSN Messenger\usnsvc.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cable.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.130.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00F6C529-EF33-4524-862A-BBC6E99AD272} - E:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: {fe13be99-8570-c469-3e64-9ef2725a3ea2} - {2ae3a527-2fe9-46e3-964c-075899eb31ef} - E:\WINDOWS\system32\dwhdidjg.dll
O2 - BHO: (no name) - {446624E1-B767-4443-AA6E-0F355CAFD21B} - E:\WINDOWS\system32\vtuuuuu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SCDEmuApp.exe] E:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Personal Firewall] E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [FD_SAP] E:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "E:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\RunOnce: [SpybotDeletingA8851] command /c del "E:\WINDOWS\system32\geedc.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4200] cmd /c del "E:\WINDOWS\system32\geedc.dll_old"
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "E:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\RunOnce: [SpybotDeletingB8994] command /c del "E:\WINDOWS\system32\geedc.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6217] cmd /c del "E:\WINDOWS\system32\geedc.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194474443039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194474401164
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: E:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: vtuuuuu - E:\WINDOWS\SYSTEM32\vtuuuuu.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 9997 bytes

Thanks in advance.


#2 miekiemoes

Malware Response Team

Posted 16 February 2008 - 02:15 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 optic


Posted 21 February 2008 - 08:35 PM

Sorry for the long delay. I've been away for business purposes.

Here is the ComboFix log

ComboFix 08-02-22 - Gazza 2008-02-22 12:11:55.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.484 [GMT 11:00]
Running from: E:\Documents and Settings\Gazza\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_clock\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_cpu\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_date\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_hdd\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_mem\_desktop.ini
E:\Program Files\Rainmeter\Skins\Bara-Rainmeter\panel_net\_desktop.ini
E:\WINDOWS\cookies.ini
E:\WINDOWS\system32\cdeeg.ini
E:\WINDOWS\system32\cdeeg.ini2
E:\WINDOWS\system32\drivers\sfsync02.sys
E:\WINDOWS\system32\drivers\UIUSetup.exe
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\qptowhcb.ini
E:\WINDOWS\system32\winupdate.exe
E:\WINDOWS\system32\yiudapxs.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 12:17 . 2008-02-22 12:17 268 --ah----- E:\sqmdata04.sqm
2008-02-22 12:17 . 2008-02-22 12:17 244 --ah----- E:\sqmnoopt04.sqm
2008-02-22 11:09 . 2008-02-22 11:09 38,400 --a------ E:\WINDOWS\system32\vtuuuuu.Vdll
2008-02-22 10:19 . 2008-02-22 11:03 <DIR> d-------- E:\VundoFix Backups
2008-02-19 12:16 . 2008-02-20 12:20 1,246 --ahs---- E:\WINDOWS\system32\mcabrvhv.ini
2008-02-18 12:15 . 2008-02-18 21:37 1,066 --ahs---- E:\WINDOWS\system32\jhbtmtcb.ini
2008-02-17 12:16 . 2008-02-18 11:37 886 --ahs---- E:\WINDOWS\system32\oyfwilin.ini
2008-02-16 12:31 . 2008-02-17 00:28 646 --ahs---- E:\WINDOWS\system32\afoaixwo.ini
2008-02-15 18:10 . 2008-02-15 20:18 <DIR> d-------- E:\Documents and Settings\Gazza\.housecall6.6
2008-02-15 16:21 . 2008-02-15 16:21 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-02-15 16:21 . 2008-02-15 17:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-15 16:05 . 2008-02-15 16:05 230 --a------ E:\WINDOWS\system32\spupdsvc.inf
2008-02-15 16:02 . 2006-11-07 22:01 66,048 --a------ E:\WINDOWS\ieResetIcons.exe
2008-02-15 13:38 . 2008-02-15 13:38 552 --a------ E:\WINDOWS\system32\d3d8caps.dat
2008-02-14 10:24 . 2008-02-15 16:50 <DIR> d-------- E:\Program Files\EsetOnlineScanner
2008-02-12 20:59 . 2008-02-12 20:59 <DIR> d-------- E:\Program Files\Trend Micro
2008-02-12 15:37 . 2008-02-12 15:37 38,400 --a------ E:\WINDOWS\system32\vtuuuuu.dll
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ E:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ E:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ E:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 18:55 . 2004-10-04 16:57 61,440 --a------ E:\WINDOWS\system32\W32N50.dll
2008-02-08 18:55 . 2004-10-04 16:57 16,292 --a------ E:\WINDOWS\system32\PCANDIS5.SYS
2008-02-08 18:55 . 2004-10-04 16:57 15,577 --a------ E:\WINDOWS\system32\PCANDIS3.VXD
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ E:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 08:48 . 2008-02-05 08:48 77,824 --a------ E:\WINDOWS\system32\OnlineScannerUninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 17:49 --------- d-----w E:\Documents and Settings\Gazza\Application Data\uTorrent
2008-02-18 23:36 --------- d-----w E:\Program Files\Common Files\Adobe
2008-02-16 04:01 --------- d-----w E:\Program Files\Apollo DVD Creator
2008-02-13 14:42 --------- d-----w E:\Program Files\Microsoft Works
2008-02-13 12:26 --------- d-----w E:\Documents and Settings\Gazza\Application Data\LimeWire
2008-02-08 07:55 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-02-08 02:46 --------- d-----w E:\Program Files\Eset
2008-01-21 00:07 --------- d-----w E:\Program Files\Winamp
2007-12-23 03:07 --------- d-----w E:\Documents and Settings\Gazza\Application Data\Winamp
2007-12-04 18:38 550,912 ----a-w E:\WINDOWS\system32\oleaut32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F6C529-EF33-4524-862A-BBC6E99AD272}]
E:\WINDOWS\system32\geedc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D9B8CB-3765-42FB-8A63-8CC2CF14FCD9}]
E:\WINDOWS\system32\awtss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ae3a527-2fe9-46e3-964c-075899eb31ef}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446624E1-B767-4443-AA6E-0F355CAFD21B}]
2008-02-12 15:37 38400 --a------ E:\WINDOWS\system32\vtuuuuu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e16a2a8a-6ba3-429a-8022-64e0073bc155}]
E:\WINDOWS\system32\pvpewlwc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SsAAD.exe"="E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 06:17 81920]
"msnmsgr"="E:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 18:56 15360]
"PC Suite Tray"="E:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 21:20 77824 E:\WINDOWS\SOUNDMAN.EXE]
"NVIDIA nTune"="E:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 12:06 532480]
"NeroFilterCheck"="E:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"nod32kui"="E:\Program Files\Eset\nod32kui.exe" [2006-03-03 20:13 917504]
"ATICCC"="E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SCDEmuApp.exe"="E:\Program Files\PowerISO\SCDEmuApp.exe" [2005-10-16 12:15 167936]
"Personal Firewall"="E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe" [2005-11-03 15:43 91648]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"FD_SAP"="E:\WINDOWS\System32\Drivers\SAP\FD.exe" [2006-05-30 22:43 197120]
"RemoteControl"="E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"amd_dc_opt"="E:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 16:42 106496]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]
"PCSuiteTrayApplication"="E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [ ]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"d40f81b1"="E:\WINDOWS\system32\figcdkdy.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="E:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 18:56 15360]
"Nokia.PCSync"="E:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{446624E1-B767-4443-AA6E-0F355CAFD21B}"= E:\WINDOWS\system32\vtuuuuu.dll [2008-02-12 15:37 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuuuu]
vtuuuuu.dll 2008-02-12 15:37 38400 E:\WINDOWS\system32\vtuuuuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=E:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll

R1 FD;FD;E:\WINDOWS\system32\drivers\FD.sys [2006-05-30 22:43]
R1 VFILT;Lavasoft Firewall Kernel Driver;E:\Program Files\Lavasoft\Personal Firewall\kernel\FILTNT.SYS [2005-11-03 15:42]
R3 ADBLOCK.DLL;Lavasoft Firewall PlugIn (ADBLOCK.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\ADBLOCK.DLL [2005-11-03 15:42]
R3 AmdTools;AMD Special Tools Driver;E:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 15:24]
R3 ARP.DLL;Lavasoft Firewall PlugIn (ARP.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\ARP.DLL [2005-11-03 15:43]
R3 CONTENT.DLL;Lavasoft Firewall PlugIn (CONTENT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\CONTENT.DLL [2005-11-03 15:42]
R3 DNSCACHE.DLL;Lavasoft Firewall PlugIn (DNSCACHE.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\DNSCACHE.DLL [2005-11-03 15:42]
R3 FTPFILT.DLL;Lavasoft Firewall PlugIn (FTPFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\FTPFILT.DLL [2005-11-03 15:42]
R3 HTMLFILT.DLL;Lavasoft Firewall PlugIn (HTMLFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\HTMLFILT.DLL [2005-11-03 15:42]
R3 HTTPFILT.DLL;Lavasoft Firewall PlugIn (HTTPFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\HTTPFILT.DLL [2005-11-03 15:42]
R3 IMAPFILT.DLL;Lavasoft Firewall PlugIn (IMAPFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\IMAPFILT.DLL [2005-11-03 15:42]
R3 MAILFILT.DLL;Lavasoft Firewall PlugIn (MAILFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\MAILFILT.DLL [2005-11-03 15:42]
R3 NNTPFILT.DLL;Lavasoft Firewall PlugIn (NNTPFILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\NNTPFILT.DLL [2005-11-03 15:42]
R3 POP3FILT.DLL;Lavasoft Firewall PlugIn (POP3FILT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\POP3FILT.DLL [2005-11-03 15:42]
R3 PROTECT.DLL;Lavasoft Firewall PlugIn (PROTECT.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\PROTECT.DLL [2005-11-03 15:42]
R3 SECRET.DLL;Lavasoft Firewall PlugIn (SECRET.DLL);E:\Program Files\Lavasoft\Personal Firewall\kernel\SECRET.DLL [2005-11-03 15:43]
S3 acfva;acfva;E:\WINDOWS\system32\DRIVERS\acfva.sys [2004-05-18 12:37]
S3 jswmidin;jswmidin;E:\DOCUME~1\Gazza\LOCALS~1\Temp\jswmidin.sys []
S3 lredbooo;lredbooo;E:\DOCUME~1\Gazza\LOCALS~1\Temp\lredbooo.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-05-26 08:34:47 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 12:20:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: E:\WINDOWS\system32\winlogon.exe
-> E:\WINDOWS\system32\vtuuuuu.dll
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Eset\nod32krn.exe
E:\Program Files\Windows Media Player\WMPNetwk.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
E:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
E:\WINDOWS\System32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2008-02-22 12:24:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-22 01:24:24


Here is the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:43 PM, on 22/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
E:\Program Files\Eset\nod32kui.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\PowerISO\SCDEmuApp.exe
E:\WINDOWS\System32\Drivers\SAP\FD.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\QuickTime\qttask.exe
E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
E:\WINDOWS\explorer.exe
E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
E:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
E:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
E:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cable.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 165.228.130.10:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {00F6C529-EF33-4524-862A-BBC6E99AD272} - E:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14D9B8CB-3765-42FB-8A63-8CC2CF14FCD9} - E:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {2ae3a527-2fe9-46e3-964c-075899eb31ef} - (no file)
O2 - BHO: (no name) - {446624E1-B767-4443-AA6E-0F355CAFD21B} - E:\WINDOWS\system32\vtuuuuu.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {551cb370-0e46-2208-a924-3ab6a8a2a61e} - {e16a2a8a-6ba3-429a-8022-64e0073bc155} - E:\WINDOWS\system32\pvpewlwc.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ATICCC] "E:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SCDEmuApp.exe] E:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [Personal Firewall] E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe /waitservice
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [FD_SAP] E:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "E:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] E:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d40f81b1] rundll32.exe "E:\WINDOWS\system32\figcdkdy.dll",b
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "E:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194474443039
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194474401164
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: E:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: vtuuuuu - E:\WINDOWS\SYSTEM32\vtuuuuu.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Personal Firewall Service (LavasoftFirewall) - Agnitum Ltd. - E:\Program Files\Lavasoft\Personal Firewall\lpfw.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - E:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 10013 bytes


I've got another issue now. It seems my NOD32 keeps popping up saying my vtuuuuu.dll file is infected. It's caused by a Win32/Adware.Virtumonde application. Every time I try to delete the file, the alert screen keeps popping back up.

Any further resolution is appreciated, please.
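The O20 and O23 lines in the log above are the ones a responder reads first, because Winlogon Notify packages and AppInit_DLLs load at logon and services run without any user action. The script below is an added example, not part of the original thread and not HijackThis code: it parses those two line types into records and scores them with simple heuristics (random-looking module names, missing vendor string). The scoring rules are my own assumptions; the sample lines are copied from the log posted above.

```python
"""Triage of the O20/O23 lines in a HijackThis log.

Added example for this thread; it is not part of the original post and
not HijackThis code. The sample lines are copied from the log above; the
scoring rules are my own heuristics (assumptions), not HijackThis output.
"""
import re
from dataclasses import dataclass

# Four lines taken from the log posted above.
SAMPLE_LOG = r"""O20 - AppInit_DLLs: E:\PROGRA~1\Lavasoft\PERSON~1\wl_hook.dll
O20 - Winlogon Notify: vtuuuuu - E:\WINDOWS\SYSTEM32\vtuuuuu.dll
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
"""

@dataclass
class Entry:
    section: str   # "O20" or "O23"
    kind: str      # "AppInit_DLLs", "Winlogon Notify" or "Service"
    name: str      # notify package / service display name ("" for AppInit_DLLs)
    owner: str     # service vendor string ("" for O20 lines)
    path: str      # module or executable on disk

O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def parse_line(line: str):
    """Return an Entry for an O20/O23 line, or None for any other line."""
    m = O20_RE.match(line)
    if m:
        kind, rest = m.groups()
        if kind == "Winlogon Notify":
            name, _, path = rest.partition(" - ")
        else:
            name, path = "", rest
        return Entry("O20", kind, name.strip(), "", path.strip())
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.groups()
        return Entry("O23", "Service", name, owner, path)
    return None

def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated module names (Vundo-style).
    Assumption: purely alphabetic names with a run of 4+ identical letters,
    no vowels, or very few vowels are suspicious; names containing digits or
    underscores are treated as vendor-chosen and skipped."""
    s = stem.lower()
    if not s.isalpha():
        return False
    if re.search(r"(.)\1{3,}", s):          # e.g. vtuuuuu
        return True
    vowels = sum(c in "aeiou" for c in s)
    return vowels == 0 or (len(s) >= 8 and vowels / len(s) < 0.2)

def triage(entry: Entry):
    """Return (score, reasons) with score in {"high", "review", "info"}."""
    reasons = []
    filename = entry.path.rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[^.]+$", "", filename)
    if entry.section == "O20":
        # AppInit_DLLs and Winlogon Notify modules are loaded at logon into
        # other processes, so every entry here deserves a look.
        reasons.append(f"{entry.kind} loads {entry.path} at logon")
        if looks_random(stem):
            reasons.append(f"random-looking module name '{stem}'")
    elif entry.owner.lower() == "unknown owner":
        reasons.append("service binary carries no vendor string")
    score = "high" if len(reasons) >= 2 else ("review" if reasons else "info")
    return score, reasons

def triage_log(text: str):
    """Parse every O20/O23 line in the log text and score it."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry is not None:
            score, reasons = triage(entry)
            results.append((entry, score, reasons))
    return results

if __name__ == "__main__":
    for entry, score, reasons in triage_log(SAMPLE_LOG):
        print(f"[{score:6}] {entry.section} {entry.path}  {'; '.join(reasons)}")
```

Run on the four sample lines it marks the vtuuuuu.dll Winlogon Notify entry "high", the Lavasoft hook and the vendor-less ATI service "review", and the NOD32 service "info"; the point is to rank what to look at first, not to decide what is malicious.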

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:05 PM

Posted 22 February 2008 - 02:02 AM

Hi,

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why the Recovery Console is recommended is that malware does a lot of damage and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever the malware damaged. Also, even if you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore for several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console, if you reboot your computer, right after reboot you'll see the option for the Recovery Console as well.
Don't select to run the Recovery Console, as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, after you installed the Recovery Console...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
E:\WINDOWS\system32\vtuuuuu.Vdll
E:\WINDOWS\system32\mcabrvhv.ini
E:\WINDOWS\system32\jhbtmtcb.ini
E:\WINDOWS\system32\oyfwilin.ini
E:\WINDOWS\system32\afoaixwo.ini
E:\WINDOWS\system32\vtuuuuu.dll
Folder::
E:\VundoFix Backups
Driver::
lredbooo
jswmidin
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F6C529-EF33-4524-862A-BBC6E99AD272}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14D9B8CB-3765-42FB-8A63-8CC2CF14FCD9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ae3a527-2fe9-46e3-964c-075899eb31ef}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446624E1-B767-4443-AA6E-0F355CAFD21B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e16a2a8a-6ba3-429a-8022-64e0073bc155}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"=-
"d40f81b1"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{446624E1-B767-4443-AA6E-0F355CAFD21B}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuuuu]


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: dragging the CFScript file onto ComboFix.exe)

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
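Before a script like the one above is dragged onto ComboFix, it is worth listing exactly what it asks for, so that every file, driver and registry target has been matched to an identified finding. The reader below is an added example, not part of the original post and not ComboFix code: it parses the four section types used in the script (File::, Folder::, Driver::, Registry::) into a list of intended actions and picks out the ones that touch autostart locations. Reading "[-key]" as "delete key" and '"name"=-' as "delete value" follows the .reg-file convention and is my assumption; the "~" abbreviation in key paths is kept literally, since this reader does not know how ComboFix expands it. The sample script is a shortened copy of the one posted above.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example; not part of the original post and not ComboFix code. It
only lists what the script asks for, so the reader can review it before
running anything. Section names follow the script above; the reading of
"[-key]" as "delete key" and '"name"=-' as "delete value" follows the
.reg-file convention (my assumption). The "~" abbreviation in key paths
is kept literally, since this reader does not know how ComboFix expands it.
"""
import re

# Shortened copy of the script posted above (constructed sample input).
SAMPLE_SCRIPT = r"""File::
E:\WINDOWS\system32\mcabrvhv.ini
E:\WINDOWS\system32\vtuuuuu.dll
Folder::
E:\VundoFix Backups
Driver::
lredbooo
jswmidin
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00F6C529-EF33-4524-862A-BBC6E99AD272}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCSuiteTrayApplication"=-
"d40f81b1"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuuuu]
"""

# Sections whose lines are plain targets, one per line.
SECTION_ACTIONS = {
    "File::": "delete_file",
    "Folder::": "delete_folder",
    "Driver::": "delete_driver",
}
VALUE_DELETE_RE = re.compile(r'^"([^"]*)"=-$')

# Autostart locations worth double-checking before approving a deletion
# (assumed list; lower-case substrings matched against the key path).
AUTOSTART_HINTS = ("\\run", "\\winlogon\\notify", "browser helper objects",
                   "\\shellexecutehooks")

def parse_cfscript(text):
    """Return a list of (action, target, detail) tuples; raise on malformed input."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_ACTIONS or line == "Registry::":
            section, current_key = line, None
            continue
        if section is None:
            raise ValueError(f"line outside any section: {line!r}")
        if section != "Registry::":
            actions.append((SECTION_ACTIONS[section], line, ""))
        elif line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], ""))
            current_key = None
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]           # following "name"=- lines apply here
        else:
            m = VALUE_DELETE_RE.match(line)
            if m is None or current_key is None:
                raise ValueError(f"unrecognised registry line: {line!r}")
            actions.append(("delete_value", current_key, m.group(1)))
    return actions

def autostart_actions(actions):
    """Subset of registry actions that touch well-known autostart keys."""
    return [a for a in actions
            if a[0] in ("delete_key", "delete_value")
            and any(h in a[1].lower() for h in AUTOSTART_HINTS)]

if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for action, target, detail in acts:
        print(f"{action:14} {target}" + (f"  [{detail}]" if detail else ""))
    print(f"{len(autostart_actions(acts))} of {len(acts)} actions touch autostart keys")
```

A value-deletion line that appears before any "[key]" header is rejected rather than guessed at, because a misattributed `"name"=-` would delete the wrong value; the same strictness is why unknown registry lines raise instead of being skipped.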

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:05 PM

Posted 07 March 2008 - 04:35 AM

Due to the lack of feedback, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



