HElp viruses , trojans, spyware

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Sunday 7.9.2025 / 14:40

Search AfterDawn Forums:

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > help viruses , trojans, spyware

Browse by topic

Forums

Start a new thread

HElp viruses , trojans, spyware

Jump to:

Posted

Message

tony909

Junior Member

8. July 2007 @ 07:55

Link to this message

i ranned hijack this and got

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:10 AM, on 7/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb105\Dealio.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\System32\drvxor.dll,startup
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win108.tmp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb105\Dealio.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1177739529915
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178001050171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O21 - SSODL: msole - {D02589C2-FDAE-4A08-A224-AC5B329DD707} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {AEC30926-AC21-4AED-8DEE-DFA61B4E8D46} - C:\WINDOWS\msdde.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\System32\o2flash.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6373 bytes

what to do next to remove all the crap that i have,,
THANX

[ + quote]

Tonymontana

Auttaja

Suspended permanently

9. July 2007 @ 01:08

Link to this message

Please download VundoFix.exeto your desktop.
* Double-click *VundoFix.exe* to run it.
* Click the *Scan for Vundo* button.
* Once it's done scanning, click the *Remove Vundo* button.
* You will receive a prompt asking if you want to remove the files, click "YES"
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click *OK*.
* Please post the contents of C:\*vundofix.txt* Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.

==========

Download and Run ComboFix
[*]Download this file from either of the two below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

[*]Then double click combofix.exe & follow the prompts.
[*]When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=========

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

========

Rename HijackThis.exe

1. Right click on the HijackThis icon.

2. Select Rename.

3. Now type the following scanner.exe <<< NOTE: make sure to put period before exe when typing.
Hit the enter key on keyboard.

Double click on Scanner.exe.
Click on Do a system scan and save a logfile. Post log in next reply.

[ + quote]

Don´t send your HijackThis log to another user topic. Remember to describe what kind of problems you have. (In my opinion afterdawn has very unsupportive attitude against malware fighters)
How to send HijackThis log (step 3-5)Hijackthis login lähettämisohjeet (Finland)
My profile "Therefore I say to you, do not worry about your life, what you will eat or what you will drink; nor about your body, what you will put on."
My home forum (Finland) Geeks To Go - Another place
List of rogue programs. (Finland) For exampe MSG+ is there. Another list

This message has been edited since posting. Last time this message was edited on 9. July 2007 @ 01:43

tony909

Junior Member

11. July 2007 @ 18:29

Link to this message

this is the log i got for combofix:

"Administrator" - 2007-07-11 19:23:27 - ComboFix 07-07-12.3 - Service Pack 1 [SAFE MODE]

/wow section - STAGE #8

((((((((((((((((((((((((( Files Created from 2007-06-12 to 2007-07-12 )))))))))))))))))))))))))))))))

2007-07-11 19:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-11 11:13 <DIR> d-------- C:\WINDOWS\LastGood
2007-07-08 13:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-07-08 09:00 <DIR> d-------- C:\VundoFix Backups
2007-07-08 08:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-08 08:49 <DIR> d-------- C:\hjt
2007-07-08 07:40 12,288 --a------ C:\WINDOWS\mgrs.exe
2007-07-07 11:48 <DIR> d-------- C:\Program Files\QuickTime
2007-07-07 11:39 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-07 08:38 10,240 --a------ C:\WINDOWS\system32\syswin.exe
2007-07-07 08:27 31,254 --a------ C:\WINDOWS\system32\urqqqrr.dll
2007-07-07 08:27 <DIR> d-------- C:\WINDOWS\system32\?ystem
2007-07-07 01:14 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-07 00:32 <DIR> d-------- C:\WINDOWS\privacy_danger
2007-07-06 23:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-06 23:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-06 18:35 465 --a------ C:\WINDOWS\system32\vjgoofle.ini.ren
2007-07-06 18:35 128,576 --a------ C:\WINDOWS\system32\elfoogjv.dll.ren
2007-07-06 18:27 1,850,823 --a------ C:\WINDOWS\system32\rtstv.bak2.ren
2007-07-05 20:42 90,240 --a------ C:\WINDOWS\system32\drivers\sptd7501.sys
2007-07-05 20:42 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-05 20:24 6,369 --a------ C:\WINDOWS\system32\rtstv.bak1.ren
2007-07-05 20:24 1,889,455 --ahs---- C:\WINDOWS\system32\rtstv.ini.ren
2007-07-05 20:19 <DIR> d-------- C:\Program Files\?icrosoft.NET
2007-07-05 20:02 <DIR> d-------- C:\Program Files\BearShare
2007-07-02 20:28 <DIR> d-------- C:\Program Files\MagicISO
2007-07-01 18:12 <DIR> d-------- C:\Program Files\PowerISO
2007-07-01 15:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-07-01 14:50 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-01 14:49 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-07-01 14:49 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-07-01 14:49 <DIR> d-------- C:\Program Files\Trojan Remover
2007-07-01 14:49 <DIR> d-------- C:\DOCUME~1\Vero\APPLIC~1\Simply Super Software
2007-07-01 14:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-06-30 21:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-30 13:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-30 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-30 13:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-30 12:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 12:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-30 12:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-30 12:03 <DIR> d-------- C:\Program Files\Yahoo!
2007-06-30 12:02 <DIR> d-------- C:\Program Files\CCleaner
2007-06-30 12:01 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-30 11:58 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 11:51 <DIR> d-------- C:\Program Files\Spyware Eliminator Professional Full
2007-06-30 11:51 <DIR> d-------- C:\DOCUME~1\Vero\APPLIC~1\AntiSpywareDAT
2007-06-30 10:14 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-30 08:14 74,752 --a------ C:\WINDOWS\msdde.dll
2007-06-30 08:14 53,760 --a------ C:\WINDOWS\msole.dll
2007-06-30 08:14 22,016 --a------ C:\WINDOWS\main_uninstaller.exe
2007-06-30 08:13 <DIR> d-------- C:\Program Files\NewMediaCodec
2007-06-29 20:11 <DIR> d-------- C:\SHREK_2_US_4X3
2007-06-28 12:24 <DIR> d-------- C:\Program Files\Gabest
2007-06-26 15:09 <DIR> d-------- C:\Program Files\Real Alternative
2007-06-26 15:09 <DIR> d-------- C:\Program Files\Media Player Classic
2007-06-26 15:09 <DIR> d-------- C:\DOCUME~1\Vero\APPLIC~1\Real
2007-06-26 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-06-26 15:04 <DIR> d-------- C:\DOCUME~1\Vero\APPLIC~1\Media Player Classic
2007-06-26 14:55 90,112 --ah----- C:\WINDOWS\vstriplangue.exe
2007-06-26 14:55 849,408 --a------ C:\WINDOWS\system32\DivX.dll
2007-06-26 14:55 63,488 --a------ C:\WINDOWS\system32\MMRegOCX.exe
2007-06-26 14:55 487,424 --a------ C:\WINDOWS\system32\MSVCP70.DLL
2007-06-26 14:55 48,640 --ah----- C:\WINDOWS\vStrip.exe
2007-06-26 14:55 44,544 --ah----- C:\WINDOWS\vStrip_css.dll
2007-06-26 14:55 344,064 --a------ C:\WINDOWS\system32\MSVCR70.DLL
2007-06-26 14:55 123 --a------ C:\WINDOWS\system32\98NT.bat
2007-06-26 14:55 114,176 --a------ C:\WINDOWS\system32\bgregister.exe
2007-06-26 14:55 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.DLL
2007-06-26 14:55 1,335,296 --a------ C:\WINDOWS\system32\PSIKey.dll
2007-06-26 14:55 <DIR> d-------- C:\Program Files\RM-X Player V4.2
2007-06-24 23:00 <DIR> d-------- C:\DEJA_VU_US_16X9
2007-06-20 20:11 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-19 19:57 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-19 03:39 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-18 11:21 <DIR> d-------- C:\MI3_DOMESTIC_D1_WS
2007-06-17 16:13 <DIR> d-------- C:\Program Files\Google
2007-06-17 16:13 <DIR> d-------- C:\DOCUME~1\Vero\APPLIC~1\Google
2007-06-17 14:13 <DIR> d-------- C:\Program Files\Tropical Fish 3D Screensaver
2007-06-17 14:12 1 --a------ C:\WINDOWS\system32\sav950231.sys
2007-06-17 14:12 1 --a------ C:\WINDOWS\system32\sav87312.sys
2007-06-17 14:12 <DIR> d-------- C:\Program Files\Dealio
2007-06-17 14:11 5,836,800 --a------ C:\WINDOWS\system32\3D Supernova.scr
2007-06-17 14:11 5,570,560 --a------ C:\WINDOWS\system32\3D Galaxy Journey.scr
2007-06-17 14:11 4,014,080 --a------ C:\WINDOWS\system32\3D Interstellar Voyager.scr
2007-06-17 14:11 3,878,912 --a------ C:\WINDOWS\system32\3D Solar Traveler.scr
2007-06-17 14:11 291,776 --a------ C:\WINDOWS\system32\DealioKit97-stub-0.exe
2007-06-17 14:11 2,226,176 --a------ C:\WINDOWS\system32\3D Solar System.scr
2007-06-17 14:11 <DIR> d-------- C:\Program Files\3Deep Space
2007-06-17 13:58 <DIR> d-------- C:\Program Files\Screensavers.com
2007-06-17 13:33 <DIR> d-------- C:\My Downloads
2007-06-17 13:26 <DIR> d-------- C:\Program Files\Lavasoft Ad-Aware
2007-06-17 08:28 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 19:29:38 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-08 07:12:57 -------- d-----w C:\Program Files\?icrosoft.NET
2007-06-21 03:09:12 -------- d-----w C:\Program Files\Messenger
2007-06-21 02:51:55 -------- d-----w C:\Program Files\Windows NT
2007-06-21 02:51:44 -------- d-----w C:\Program Files\Movie Maker
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 04:00:27 -------- d-----w C:\Program Files\uTorrent
2007-05-16 04:54:52 -------- d-----w C:\Program Files\RipIt4Me
2007-05-16 04:48:15 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-16 04:43:08 -------- d-----w C:\Program Files\DVD Shrink
2007-05-03 05:50:54 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-02 22:26:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-05-01 23:17:11 0 ----a-w C:\WINDOWS\nsreg.dat
2007-05-01 03:19:14 516,608 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-04-28 04:28:38 0 --sha-r C:\MSDOS.SYS
2007-04-28 04:28:38 0 --sha-r C:\IO.SYS
2007-04-28 04:28:38 0 ----a-w C:\CONFIG.SYS
2007-04-28 04:28:38 0 ----a-w C:\AUTOEXEC.BAT
2007-04-28 04:23:58 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2006-09-06 07:18 93400 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B5DE60-B99B-4775-9DC5-EA538213FDE9}]
C:\WINDOWS\System32\vtstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A87B991-A31F-4130-AE72-6D0C294BF082}]
2007-06-25 17:44 2407256 --a------ C:\Program Files\Dealio\kb105\Dealio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"au"="C:\Program Files\Dealio\DealioAU.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2007-06-15 17:00]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 05:23]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-07-26 13:48]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-07 11:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-08-13 12:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{D02589C2-FDAE-4A08-A224-AC5B329DD707}"="C:\WINDOWS\msole.dll" [2007-06-30 01:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusppo]
wvusppo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
"C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-16 03:06:07 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Vero.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 19:25:06
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-11 19:25:54

--- E O F ---

[ + quote]

Tonymontana

tony909

Junior Member

11. July 2007 @ 19:03

Link to this message

this is what i got after runin sdfix:

SDFix: Version 1.90

Run by Administrator on Wed 07/11/2007 at 07:35 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\privacy_danger\index.htm - Deleted
C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
C:\WINDOWS\privacy_danger\images\down.gif - Deleted
C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\main_uninstaller.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\msdde.dll - Deleted
C:\WINDOWS\msole.dll - Deleted
C:\WINDOWS\rs.txt - Deleted

Folder C:\WINDOWS\privacy_danger - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\RM-X Player V4.2\ASProtect.dll
C:\Program Files\RM-X Player V4.2\lame_enc.dll
C:\Program Files\RM-X Player V4.2\viscomaudiodata.dll
C:\Program Files\RM-X Player V4.2\viscomaudioencoder.dll
C:\Program Files\RM-X Player V4.2\viscomframe.dll
C:\Program Files\RM-X Player V4.2\viscomqtde.dll
C:\Program Files\RM-X Player V4.2\viscomqtenc.dll
C:\Program Files\RM-X Player V4.2\viscomtran.dll
C:\Program Files\RM-X Player V4.2\viscomwave.dll
C:\WINDOWS\vStrip_css.dll
C:\WINDOWS\vStrip.exe
C:\WINDOWS\vstriplangue.exe
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT100.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT102.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT103.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT104.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT105.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT106.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT107.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT108.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT109.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT10F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT11.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT110.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT111.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT118.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT119.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT11A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT11B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT11C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT11F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT12.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT121.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT122.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT123.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT124.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT125.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT126.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT127.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT128.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT129.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT12B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT12E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT12F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT130.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT131.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT132.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT133.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT134.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT135.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT137.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT139.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT13F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT14.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT140.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT141.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT142.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT143.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT144.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT145.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT146.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT148.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT149.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT14A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT14B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT14C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT15.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT16.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT17.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT18.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT19.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT1F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT20.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT21.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT22.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT23.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT24.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT25.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT26.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT27.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT28.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT29.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT2F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT30.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT31.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT32.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT33.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT34.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT35.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT36.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT37.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT38.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT39.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT3F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT40.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT41.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT42.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT43.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT44.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT45.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT46.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT47.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT48.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT49.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT4F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT50.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT51.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT52.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT53.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT54.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT55.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT56.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT62.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT63.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT64.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT65.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT66.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT67.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT68.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT69.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6A7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6A8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6A9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6AF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6B2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6B3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6B9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6BA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6BB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6C9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6CA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6CF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6D9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6DE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6DF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6E8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6ED.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6EE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6EF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6F4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6F5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6F6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6F7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6FC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6FD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT6FE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT704.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT705.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT706.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT707.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT708.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT709.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT70F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT71.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT711.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT713.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT719.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT71A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT71C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT71D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT72.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT73.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT74.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT75.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT78.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT79.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT7A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT7F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT84.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT86.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT87.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT89.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT8F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT90.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT91.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT92.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT93.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT94.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT95.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT96.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT97.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT98.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT99.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9A.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9B.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9C.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9D.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9E.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BIT9F.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITA9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITAA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITAD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITAE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITAF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITB9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITBA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITBB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITBC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITBD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITBF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITC9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITCF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITD8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITDA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITDB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITDC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITDD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITDF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE5.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITE9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITEA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITEB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITEC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITED.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITEE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITEF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF0.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF1.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF2.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF3.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF4.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF6.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF7.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF8.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITF9.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFA.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFB.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFC.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFD.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFE.tmp
C:\Documents and Settings\Vero\Local Settings\Temp\BITFF.tmp

Finished

[ + quote]

Tonymontana

tony909

Junior Member

11. July 2007 @ 19:04

Link to this message

finally i got this from HijackThis log ,

[ + quote]

Tonymontana

tony909

Junior Member

11. July 2007 @ 19:04

Link to this message

Originally posted by tony909:
finally i got this from HijackThis log ,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:47 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {36B5DE60-B99B-4775-9DC5-EA538213FDE9} - C:\WINDOWS\System32\vtstr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb105\Dealio.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb105\Dealio.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Program Files\Dealio\kb105\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb105\Dealio.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1177739529915
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178001050171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: wvusppo - wvusppo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\System32\o2flash.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7787 bytes

[ + quote]

Tonymontana

Auttaja

Suspended permanently

11. July 2007 @ 20:12

Link to this message

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

============

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :
*Restart your computer
*After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*nstead of Windows loading as normal, a menu with options should appear;
*Select the first option, to run Windows in Safe Mode, then press "Enter".
*Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

=========

Post these too log, and fres HijackThis log too

[ + quote]

tony909

Junior Member

12. July 2007 @ 19:07

Link to this message

here is what i got after running smitfraud

SmitFraudFix v2.203

Scan done at 19:56:30.82, Thu 07/12/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\NewMediaCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{4882FB22-892C-472E-BBC4-60E950766973}: DhcpNameServer=24.116.39.12 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{4882FB22-892C-472E-BBC4-60E950766973}: DhcpNameServer=24.116.39.12 24.116.2.34
HKLM\SYSTEM\CS2\Services\Tcpip\..\{4882FB22-892C-472E-BBC4-60E950766973}: DhcpNameServer=24.116.39.12 24.116.2.34
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.116.39.12 24.116.2.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.116.39.12 24.116.2.34
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.116.39.12 24.116.2.34

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

[ + quote]

Tonymontana

tony909

Junior Member

12. July 2007 @ 19:09

Link to this message

results from hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:08 PM, on 7/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {36B5DE60-B99B-4775-9DC5-EA538213FDE9} - C:\WINDOWS\System32\vtstr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb105\Dealio.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb105\Dealio.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb105\Dealio.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1177739529915
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178001050171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: wvusppo - wvusppo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\System32\o2flash.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6373 bytes

[ + quote]

Tonymontana

Auttaja

Suspended permanently

12. July 2007 @ 21:10

Link to this message

1. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
This program is for XP and Windows 2000 only!

Double-click ATF Cleaner.exe to open it.

Under Main select the following:
*Windows Temp
*Current User Temp
*All Users Temp
*Temporary Internet Files
*Prefetch
*Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Click Exit on the Main menu to close the program.

========

[*]Then double click combofix.exe & follow the prompts.
[*]When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=====

Post also fresh HIJACKTHISlog from normal mode.

[ + quote]

This message has been edited since posting. Last time this message was edited on 12. July 2007 @ 21:11

anari11

Suspended permanently

13. July 2007 @ 08:56

Link to this message

these are malicious programs:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win108.tmp.exe

O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe

[ + quote]

tony909

Junior Member

14. July 2007 @ 10:18

Link to this message

this is wat i got after runin combofix

"Administrator" - 2007-07-14 11:09:54 - ComboFix 07-07-12.3 - Service Pack 1 [SAFE MODE]

/wow section - STAGE #8

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\_000027_.tmp.dll

((((((((((((((((((((((((( Files Created from 2007-06-14 to 2007-07-14 )))))))))))))))))))))))))))))))

2007-07-14 09:45 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-07-14 09:45 548,352 --------- C:\WINDOWS\system32\rtcdll.dll
2007-07-14 09:45 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-07-12 19:44 1,704 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-12 19:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-12 19:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-12 19:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-11 19:34 d-------- C:\WINDOWS\ERUNT
2007-07-11 19:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 13:13 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Ahead
2007-07-08 09:00 d-------- C:\VundoFix Backups
2007-07-08 08:49 d-------- C:\Program Files\Trend Micro
2007-07-08 08:49 d-------- C:\hjt
2007-07-07 11:48 d-------- C:\Program Files\QuickTime
2007-07-07 11:39 d-------- C:\WINDOWS\system32\ActiveScan
2007-07-07 01:14 d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-06 23:55 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-07-06 23:55 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-07-06 18:35 465 --a------ C:\WINDOWS\system32\vjgoofle.ini.ren
2007-07-06 18:35 128,576 --a------ C:\WINDOWS\system32\elfoogjv.dll.ren
2007-07-06 18:27 1,850,823 --a------ C:\WINDOWS\system32\rtstv.bak2.ren
2007-07-05 20:42 90,240 --a------ C:\WINDOWS\system32\drivers\sptd7501.sys
2007-07-05 20:42 643,072 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-07-05 20:24 6,369 --a------ C:\WINDOWS\system32\rtstv.bak1.ren
2007-07-05 20:24 1,889,455 --ahs---- C:\WINDOWS\system32\rtstv.ini.ren
2007-07-05 20:02 d-------- C:\Program Files\BearShare
2007-07-02 20:28 d-------- C:\Program Files\MagicISO
2007-07-01 18:12 d-------- C:\Program Files\PowerISO
2007-07-01 15:11 d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simply Super Software
2007-07-01 14:50 d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-01 14:49 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-07-01 14:49 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-07-01 14:49 d-------- C:\Program Files\Trojan Remover
2007-07-01 14:49 d-------- C:\DOCUME~1\Vero\APPLIC~1\Simply Super Software
2007-07-01 14:49 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Simply Super Software
2007-06-30 21:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-30 13:36 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2007-06-30 13:20 d-------- C:\Program Files\Lavasoft
2007-06-30 13:20 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-30 13:00 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-06-30 12:09 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-30 12:06 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-30 12:04 d-------- C:\Program Files\SpywareBlaster
2007-06-30 12:03 d-------- C:\Program Files\Yahoo!
2007-06-30 12:02 d-------- C:\Program Files\CCleaner
2007-06-30 12:01 d--hs---- C:\WINDOWS\CSC
2007-06-30 11:58 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 11:51 d-------- C:\Program Files\Spyware Eliminator Professional Full
2007-06-30 11:51 d-------- C:\DOCUME~1\Vero\APPLIC~1\AntiSpywareDAT
2007-06-30 11:26 991,232 --a------ C:\WINDOWS\system32\esent.dll
2007-06-30 10:14 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-06-29 20:11 d-------- C:\SHREK_2_US_4X3
2007-06-28 12:24 d-------- C:\Program Files\Gabest
2007-06-26 15:09 d-------- C:\Program Files\Real Alternative
2007-06-26 15:09 d-------- C:\Program Files\Media Player Classic
2007-06-26 15:09 d-------- C:\DOCUME~1\Vero\APPLIC~1\Real
2007-06-26 15:09 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-06-26 15:04 d-------- C:\DOCUME~1\Vero\APPLIC~1\Media Player Classic
2007-06-26 14:55 90,112 --ah----- C:\WINDOWS\vstriplangue.exe
2007-06-26 14:55 849,408 --a------ C:\WINDOWS\system32\DivX.dll
2007-06-26 14:55 63,488 --a------ C:\WINDOWS\system32\MMRegOCX.exe
2007-06-26 14:55 487,424 --a------ C:\WINDOWS\system32\MSVCP70.DLL
2007-06-26 14:55 48,640 --ah----- C:\WINDOWS\vStrip.exe
2007-06-26 14:55 44,544 --ah----- C:\WINDOWS\vStrip_css.dll
2007-06-26 14:55 344,064 --a------ C:\WINDOWS\system32\MSVCR70.DLL
2007-06-26 14:55 123 --a------ C:\WINDOWS\system32\98NT.bat
2007-06-26 14:55 114,176 --a------ C:\WINDOWS\system32\bgregister.exe
2007-06-26 14:55 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.DLL
2007-06-26 14:55 1,335,296 --a------ C:\WINDOWS\system32\PSIKey.dll
2007-06-26 14:55 d-------- C:\Program Files\RM-X Player V4.2
2007-06-24 23:00 d-------- C:\DEJA_VU_US_16X9
2007-06-20 20:11 d-------- C:\WINDOWS\Prefetch
2007-06-19 19:57 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-06-19 03:39 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-06-18 11:21 d-------- C:\MI3_DOMESTIC_D1_WS
2007-06-17 16:13 d-------- C:\Program Files\Google
2007-06-17 16:13 d-------- C:\DOCUME~1\Vero\APPLIC~1\Google
2007-06-17 14:13 d-------- C:\Program Files\Tropical Fish 3D Screensaver
2007-06-17 14:12 1 --a------ C:\WINDOWS\system32\sav950231.sys
2007-06-17 14:12 1 --a------ C:\WINDOWS\system32\sav87312.sys
2007-06-17 14:12 d-------- C:\Program Files\Dealio
2007-06-17 14:11 5,836,800 --a------ C:\WINDOWS\system32\3D Supernova.scr
2007-06-17 14:11 5,570,560 --a------ C:\WINDOWS\system32\3D Galaxy Journey.scr
2007-06-17 14:11 4,014,080 --a------ C:\WINDOWS\system32\3D Interstellar Voyager.scr
2007-06-17 14:11 3,878,912 --a------ C:\WINDOWS\system32\3D Solar Traveler.scr
2007-06-17 14:11 291,776 --a------ C:\WINDOWS\system32\DealioKit97-stub-0.exe
2007-06-17 14:11 2,226,176 --a------ C:\WINDOWS\system32\3D Solar System.scr
2007-06-17 14:11 d-------- C:\Program Files\3Deep Space
2007-06-17 13:33 d-------- C:\My Downloads
2007-06-17 13:26 d-------- C:\Program Files\Lavasoft Ad-Aware
2007-06-17 08:28 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-14 17:27:15 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-14 01:49:10 -------- d-----w C:\Program Files\Messenger
2007-06-21 02:51:55 -------- d-----w C:\Program Files\Windows NT
2007-06-21 02:51:44 -------- d-----w C:\Program Files\Movie Maker
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-01 04:00:27 -------- d-----w C:\Program Files\uTorrent
2007-05-16 04:54:52 -------- d-----w C:\Program Files\RipIt4Me
2007-05-16 04:48:15 -------- d-----w C:\Program Files\DVD Decrypter
2007-05-16 04:43:08 -------- d-----w C:\Program Files\DVD Shrink
2007-05-03 05:50:54 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-02 22:26:54 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-05-01 23:17:11 0 ----a-w C:\WINDOWS\nsreg.dat
2007-05-01 03:19:14 516,608 ----a-w C:\WINDOWS\system32\winlogon.exe
2007-04-28 04:28:38 0 --sha-r C:\MSDOS.SYS
2007-04-28 04:28:38 0 --sha-r C:\IO.SYS
2007-04-28 04:28:38 0 ----a-w C:\CONFIG.SYS
2007-04-28 04:28:38 0 ----a-w C:\AUTOEXEC.BAT
2007-04-28 04:23:58 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E8A6170-7264-4D0F-BEAE-D42A53123C75}]
2006-09-06 07:18 93400 -ra------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B5DE60-B99B-4775-9DC5-EA538213FDE9}]
C:\WINDOWS\System32\vtstr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A87B991-A31F-4130-AE72-6D0C294BF082}]
2007-06-25 17:44 2407256 --a------ C:\Program Files\Dealio\kb105\Dealio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
2006-10-27 00:48 2210608 --a------ C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"au"="C:\Program Files\Dealio\DealioAU.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-07 11:48]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-08-13 12:16]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvusppo]
wvusppo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=C:\WINDOWS\pss\Ralink Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
"C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"C:\Program Files\Norton Internet Security\osCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
C:\Program Files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)

*Newly Created Service* - COMHOST
*Newly Created Service* - EHSCHED

Contents of the 'Scheduled Tasks' folder
2007-07-14 03:35:49 C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Vero.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-14 11:10:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-14 11:11:05
C:\ComboFix-quarantined-files.txt ... 2007-07-14 11:10
C:\ComboFix2.txt ... 2007-07-11 19:25

--- E O F ---

[ + quote]

Tonymontana

tony909

Junior Member

14. July 2007 @ 10:21

Link to this message

got this after running hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:02 AM, on 7/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {36B5DE60-B99B-4775-9DC5-EA538213FDE9} - C:\WINDOWS\System32\vtstr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb105\Dealio.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb105\Dealio.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb105\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1177739529915
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1178001050171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: wvusppo - wvusppo.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\System32\o2flash.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6417 bytes

[ + quote]

Tonymontana

Auttaja

Suspended permanently

14. July 2007 @ 12:41

Link to this message

Open control panel and add/remove programs, remove dealio (if presents)

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: (no name) - {36B5DE60-B99B-4775-9DC5-EA538213FDE9} - C:\WINDOWS\System32\vtstr.dll (file missing)
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb105\Dealio.dll
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb105\Dealio.dll
O20 - Winlogon Notify: wvusppo - wvusppo.dll (file missing)

Close ALL open windows
Click Fix Checked
Close HijackThis

Remove this folder C:\Program Files\Dealio

==========

Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

*Download the latest version of Java(TM) SE Runtime Environment 6u2.
*Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
*Click the "Download" button to the right.
*Check the box that says: "Accept License Agreement".
*The page will refresh.
*Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
*Close any programs you may have running - especially your web browser.
*Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
*Check any item with Java Runtime Environment (JRE or J2SE) in the name.
*Click the Remove or Change/Remove button.
*Repeat as many times as necessary to remove each Java versions.
*Reboot your computer once all Java components are removed.
*Then from your desktop double-click on the download to install the newest version.

========

*Note: You will need to use Internet explorer for this scan
*Go here to run an online scan from F-Secure
*Click on Start scanning
*This will open a new internet explorer window
*It will require an activex control, please install it
*Click Accept
*Click Full System Scan
*It will now download the scanner, this may take a while, please be patient
*It will then start scanning, wait for the scan to finish
*Click Automatic cleaning (recommended)
*Wait for it finish the cleaning process
*Click show report
*This will open up a window with the results of the scan, copy and paste those results as a reply to this topic

Post fresh hijackthis log too.

[ + quote]

Start a new thread

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > help viruses , trojans, spyware


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.