Author Topic: Virus... please help  (Read 71107 times)


mauserme

  • Guest
Re: Virus... please help
« Reply #30 on: October 19, 2007, 11:32:38 PM »
I'll review your logs in depth a little later. For now I would like you to open OTMoveIt and kill this file as you did with the others:

C:\sysudiq.exe


If you are now able to run WinpFid3U please run it and post its log.

mauserme

  • Guest
Re: Virus... please help
« Reply #31 on: October 20, 2007, 06:12:58 AM »
Here's the "post-review" fix:


Open HJT and click Do a System Scan Only. When complete, place a check mark next to these lines:

O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\pttryjxd.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pttryjxd.dll
O20 - Winlogon Notify: pttryjxd - C:\WINDOWS\SYSTEM32\pttryjxd.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll

Close all other windows including your browser, and click Fix Checked.  Close HJT.


Open OTMoveIt and paste the following paths into the field to be moved:

C:\sysudiq.exe
C:\WINDOWS\system32\rmqgcave.dll
C:\WINDOWS\system32\pttryjxd.dll
C:\WINDOWS\system32\sysdl133.exe
C:\WINDOWS\system32\vtuuvsr.dll
C:\WINDOWS\system32\sysdl132.exe
C:\WINDOWS\system32\khfec.dll
C:\Program Files\Coupons

Click the red Move It button and post the results in your next response.

Along with the OTMoveIt results please post fresh HJT (renamed) and ComboFix logs as well as a WinPFind log if it will run.


tryan21

  • Guest
Re: Virus... please help
« Reply #32 on: October 21, 2007, 05:28:36 PM »
Sorry it took so long. My computer wouldn't start up; well, Windows wouldn't load. It was giving me a message saying operation failed or something of the sort. After freaking out for a day I realized I had to go to Last Known Good Configuration. Also, I can't click on IE on my desktop. Everything will freeze, then my screen goes blank, but my computer doesn't turn off; just the screen goes blank.

WinPFind3 logfile created on: 10/20/2007 8:18:46 PM
WinPFind3U by OldTimer - Version 1.0.42   Folder = C:\Documents and Settings\Tara & Paul\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2, v.2096 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2096)
 
191.48 Mb Total Physical Memory | 24.14 Mb Available Physical Memory | 12.61% Memory free
466.86 Mb Paging File | 270.94 Mb Available in Paging File | 58.03% Paging File free
Paging file location(s): C:\pagefile.sys 288 576;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.64 Gb Total Space | 12.80 Gb Free Space | 46.33% Space Free
Unable to calculate disk information.
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LAPTOP
Current User Name: Tara & Paul
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr =    ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr =    ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr =    ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr =    ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr =    ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr =    ]
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr =    ]
lssrvc.exe -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr =    ]
nmbgmonitor.exe -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr =    ]
nmindexingservice.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr =    ]
nmindexstoresvr.exe -> %CommonProgramFiles%\Ahead\Lib\NMIndexStoreSvr.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 905216 bytes | Modified Date = 12/23/2006 6:04:42 PM | Attr =    ]
superantispyware.exe -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr =    ]
watchdog.exe -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe ->  [Ver =  | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr =    ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr =    ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 16248 bytes | Modified Date = 9/6/2007 2:54:58 AM | Attr =    ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 132472 bytes | Modified Date = 9/6/2007 3:06:04 AM | Attr =    ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 243064 bytes | Modified Date = 9/6/2007 3:05:42 AM | Attr =    ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 345464 bytes | Modified Date = 9/6/2007 3:04:44 AM | Attr =    ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2096.503.0 | Size = 224768 bytes | Modified Date = 3/11/2004 6:18:58 PM | Attr =    ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.2.824.5515.beta | Size = 138680 bytes | Modified Date = 8/13/2007 2:14:18 PM | Attr =    ]
(LightScribeService) LightScribeService Direct Disc Labeling Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\LightScribe\LSSrvc.exe -> Hewlett-Packard Company [Ver = 1.4.124.1 | Size = 61440 bytes | Modified Date = 10/19/2006 1:52:24 PM | Attr =    ]
(NBService) NBService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Nero\Nero 7\Nero BackItUp\NBService.exe -> Nero AG [Ver = 2, 7, 3, 1 | Size = 774144 bytes | Modified Date = 1/5/2007 1:41:10 PM | Attr =    ]
(NMIndexingService) NMIndexingService [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Ahead\Lib\NMIndexingService.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 262144 bytes | Modified Date = 12/23/2006 5:54:04 PM | Attr =    ]
« Last Edit: October 21, 2007, 05:38:54 PM by tryan21 »

tryan21

  • Guest
Re: Virus... please help
« Reply #33 on: October 21, 2007, 05:31:23 PM »
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 3:06:32 AM | Attr =    ]
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 79224 bytes | Modified Date = 9/6/2007 3:06:10 AM | Attr =    ]
EPSON Stylus CX5800F Series -> %System32%\spool\drivers\w32x86\3\E_FATIALA.EXE -> SEIKO EPSON CORPORATION [Ver = 4.00 | Size = 98304 bytes | Modified Date = 5/9/2005 10:00:00 PM | Attr =    ]
NeroFilterCheck -> %CommonProgramFiles%\Ahead\Lib\NeroCheck.exe -> Nero AG [Ver = 1, 0, 0, 5 | Size = 155648 bytes | Modified Date = 9/7/2007 6:42:24 PM | Attr =    ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_03\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:36 AM | Attr =    ]
WatchDog -> %ProgramFiles%\mobile PhoneTools\WatchDog.exe ->  [Ver =  | Size = 36864 bytes | Modified Date = 9/7/2007 6:42:16 PM | Attr =    ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Aim6 ->  -> File not found
BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\Lib\NMBgMonitor.exe -> Nero AG [Ver = 1, 5, 13, 0 | Size = 143360 bytes | Modified Date = 12/23/2006 6:05:20 PM | Attr =    ]
P2kAutostart -> %UserDocuments%\P2kCommanderV330\P2kAutostart.exe -> File not found
SUPERAntiSpyware -> %ProgramFiles%\SUPERAntiSpyware\SUPERAntiSpyware.exe -> SUPERAntiSpyware.com [Ver = 3, 9, 0, 1008 | Size = 1318912 bytes | Modified Date = 6/21/2007 2:06:28 PM | Attr =    ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 7/19/2007 4:29:22 PM | Attr =    ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 1:55:48 PM | Attr =    ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] -> %System32%\vtuuvsr.dll [] ->  [Ver =  | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr =    ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1046 | Size = 294912 bytes | Modified Date = 4/19/2007 1:41:36 PM | Attr =    ]
vtuuvsr -> %System32%\vtuuvsr.dll ->  [Ver =  | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr =    ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext ->  ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->  ->

tryan21

  • Guest
Re: Virus... please help
« Reply #34 on: October 21, 2007, 05:31:59 PM »
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ ->  ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ ->  ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1       localhost ->  ->
< Internet Explorer Settings > ->  ->
HKLM: Default_Page_URL -> http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> about:blank ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> about:blank ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 11:08:42 PM | Attr =    ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 10/31/2006 1:33:52 PM | Attr =    ]
{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} [HKLM] -> %System32%\vtuuvsr.dll [Reg Data - Value does not exist] ->  [Ver =  | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr =    ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr =    ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R  ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 1, 615, 5858 | Size = 654832 bytes | Modified Date = 8/13/2007 2:15:10 PM | Attr =    ]
{F4693D97-15DF-463C-B7B5-A237402E0AED} [HKLM] -> %System32%\opnkh.dll [Reg Data - Value does not exist] ->  [Ver =  | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr =    ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R  ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R  ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar1.dll [&Google] -> Google Inc. [Ver = 4, 0, 1602, 1060 | Size = 2554944 bytes | Modified Date = 8/13/2007 2:17:18 PM | Attr = R  ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{F0F8ECBE-D460-4B34-B007-56A92E8F84A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_03\bin\npjpi160_03.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 132496 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr =    ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_03\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 501136 bytes | Modified Date = 9/25/2007 1:11:34 AM | Attr =    ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel ->  -> File not found
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{193C772A-87BE-4B19-A7BB-445B226FE9A1} -> ewidoOnlineScan Control - CodeBase = http://downloads.ewido.net/ewidoOnlineScan.cab ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> Installation Support - CodeBase = C:\Program Files\Yahoo!\Common\Yinsthelper.dll ->
{406B5949-7190-4245-91A9-30A17DE16AD0} -> Snapfish Activia - CodeBase = http://photos.walmart.com/WalmartActivia.cab ->
{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} -> BDSCANONLINE Control - CodeBase = http://download.bitdefender.com/resources/scan8/oscan8.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336 ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_03 - CodeBase = http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} ->  - CodeBase = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{F137B9BA-89EA-4B04-9C67-2074A9DF61FD} -> Photo Upload Plugin Class - CodeBase = http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab? ->

tryan21

  • Guest
Re: Virus... please help
« Reply #35 on: October 21, 2007, 05:33:01 PM »
[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 200855552 bytes | Created Date = 1/1/1601 7:00:00 AM | Attr =  HS]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Created Date = 10/16/2007 9:18:27 AM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Created Date = 10/16/2007 2:32:40 PM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Created Date = 10/19/2007 10:39:34 AM | Attr =    ]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Created Date = 10/16/2007 9:15:59 AM | Attr =    ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 10/16/2007 9:16:00 AM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Created Date = 10/15/2007 9:23:21 AM | Attr =    ]
Thumbs.db -> %SystemRoot%\Thumbs.db ->  [Ver =  | Size = 7680 bytes | Created Date = 10/8/2007 11:54:27 AM | Attr =  HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
uccspecc.sys -> %SystemRoot%\uccspecc.sys ->  [Ver =  | Size = 31 bytes | Created Date = 10/3/2007 10:56:00 AM | Attr =  H ]
aylcodgp.ini -> %System32%\aylcodgp.ini ->  [Ver =  | Size = 693721 bytes | Created Date = 10/15/2007 11:16:02 AM | Attr =  HS]
comms2 -> %System32%\comms2 ->  [Folder | Created Date = 10/13/2007 9:20:19 PM | Attr =    ]
cpnprt2.cid -> %System32%\cpnprt2.cid -> Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Created Date = 10/3/2007 10:56:11 AM | Attr = RH ]
extdfugh.ini -> %System32%\extdfugh.ini ->  [Ver =  | Size = 693601 bytes | Created Date = 10/15/2007 10:41:28 AM | Attr =  HS]
hknpo.bak1 -> %System32%\hknpo.bak1 ->  [Ver =  | Size = 6513 bytes | Created Date = 10/20/2007 6:29:08 PM | Attr =  HS]
hknpo.ini -> %System32%\hknpo.ini ->  [Ver =  | Size = 529 bytes | Created Date = 10/20/2007 6:28:44 PM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Created Date = 10/4/2007 3:01:42 PM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Created Date = 10/14/2007 9:02:03 AM | Attr =    ]
opnkh.dll -> %System32%\opnkh.dll ->  [Ver =  | Size = 303200 bytes | Created Date = 10/20/2007 6:28:35 PM | Attr =    ]
pmkli.dll -> %System32%\pmkli.dll ->  [Ver =  | Size = 312416 bytes | Created Date = 10/19/2007 1:51:43 PM | Attr =    ]
pttryjxd.dllbox -> %System32%\pttryjxd.dllbox ->  [Ver =  | Size = 17006 bytes | Created Date = 10/19/2007 8:14:03 AM | Attr =  HS]
que1 -> %System32%\que1 ->  [Folder | Created Date = 10/13/2007 9:20:47 PM | Attr =    ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe ->  [Ver =  | Size = 4229496 bytes | Created Date = 10/7/2007 9:31:10 AM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr =    ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr =    ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 10/17/2007 10:08:59 AM | Attr =    ]
tmp.reg -> %System32%\tmp.reg ->  [Ver =  | Size = 2244 bytes | Created Date = 10/17/2007 9:48:44 AM | Attr =    ]
vosuuyod.ini -> %System32%\vosuuyod.ini ->  [Ver =  | Size = 693481 bytes | Created Date = 10/15/2007 10:05:52 AM | Attr =  HS]
vtuuvsr.dll -> %System32%\vtuuvsr.dll ->  [Ver =  | Size = 33792 bytes | Created Date = 10/17/2007 7:02:17 PM | Attr =    ]
eamon.sys -> %System32%\drivers\eamon.sys -> Eset  [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Created Date = 9/21/2007 9:15:26 AM | Attr =    ]
easdrv.sys -> %System32%\drivers\easdrv.sys -> Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Created Date = 9/21/2007 9:15:52 AM | Attr =    ]
epfwtdir.sys -> %System32%\drivers\epfwtdir.sys ->  [Ver =  | Size = 28680 bytes | Created Date = 9/21/2007 9:17:14 AM | Attr =    ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini ->  [Ver =  | Size = 194 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr =  HS]
Documents and Settings -> %SystemDrive%\Documents and Settings ->  [Folder | Modified Date = 10/18/2007 8:44:54 PM | Attr =    ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys ->  [Ver =  | Size = 200855552 bytes | Modified Date = 10/20/2007 8:09:32 PM | Attr =  HS]
Program Files -> %ProgramFiles% ->  [Folder | Modified Date = 10/19/2007 9:16:26 AM | Attr = R  ]
qoobox -> %SystemDrive%\qoobox ->  [Folder | Modified Date = 10/19/2007 11:04:42 AM | Attr =    ]
System Volume Information -> %SystemDrive%\System Volume Information ->  [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr =  HS]
Temp -> %SystemDrive%\Temp ->  [Folder | Modified Date = 10/14/2007 9:00:08 AM | Attr =    ]
VundoFix Backups -> %SystemDrive%\VundoFix Backups ->  [Folder | Modified Date = 10/16/2007 2:32:42 PM | Attr =    ]
WINDOWS -> %SystemRoot% ->  [Folder | Modified Date = 10/19/2007 10:50:52 AM | Attr =    ]
_OTMoveIt -> %SystemDrive%\_OTMoveIt ->  [Folder | Modified Date = 10/19/2007 10:39:36 AM | Attr =    ]

tryan21

  • Guest
Re: Virus... please help
« Reply #36 on: October 21, 2007, 05:33:30 PM »
BDOSCAN8 -> %SystemRoot%\BDOSCAN8 ->  [Folder | Modified Date = 10/17/2007 2:15:54 PM | Attr =    ]
bootstat.dat -> %SystemRoot%\bootstat.dat ->  [Ver =  | Size = 2048 bytes | Modified Date = 10/20/2007 8:09:34 PM | Attr =   S]
catchme.exe -> %SystemRoot%\catchme.exe ->  [Ver =  | Size = 135168 bytes | Modified Date = 9/28/2007 9:06:10 AM | Attr =    ]
CSC -> %SystemRoot%\CSC ->  [Folder | Modified Date = 10/20/2007 6:54:54 PM | Attr =  HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files ->  [Folder | Modified Date = 10/4/2007 3:03:12 PM | Attr =   S]
EPISME00.SWB -> %SystemRoot%\EPISME00.SWB ->  [Ver =  | Size = 9662 bytes | Modified Date = 10/16/2007 9:49:56 AM | Attr =    ]
erdnt -> %SystemRoot%\erdnt ->  [Folder | Modified Date = 9/22/2007 8:46:58 AM | Attr =    ]
Help -> %SystemRoot%\Help ->  [Folder | Modified Date = 10/16/2007 9:51:28 AM | Attr =    ]
inf -> %SystemRoot%\inf ->  [Folder | Modified Date = 10/15/2007 9:19:54 AM | Attr =  H ]
Installer -> %SystemRoot%\Installer ->  [Folder | Modified Date = 10/4/2007 3:03:02 PM | Attr =  HS]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini ->  [Ver =  | Size = 69 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr =    ]
Prefetch -> %SystemRoot%\Prefetch ->  [Folder | Modified Date = 10/20/2007 7:42:32 PM | Attr =    ]
pss -> %SystemRoot%\pss ->  [Folder | Modified Date = 10/15/2007 9:25:28 AM | Attr =    ]
Registration -> %SystemRoot%\Registration ->  [Folder | Modified Date = 10/13/2007 9:14:48 PM | Attr =    ]
system.ini -> %SystemRoot%\system.ini ->  [Ver =  | Size = 227 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr =    ]
system32 -> %System32% ->  [Folder | Modified Date = 10/20/2007 8:19:12 PM | Attr =    ]
Tasks -> %SystemRoot%\Tasks ->  [Folder | Modified Date = 10/19/2007 10:51:36 AM | Attr =   S]
TEMP -> %SystemRoot%\TEMP ->  [Folder | Modified Date = 10/20/2007 8:17:28 PM | Attr =    ]
Thumbs.db -> %SystemRoot%\Thumbs.db ->  [Ver =  | Size = 7680 bytes | Modified Date = 10/8/2007 11:54:28 AM | Attr =  HS]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
uccspecc.sys -> %SystemRoot%\uccspecc.sys ->  [Ver =  | Size = 31 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr =  H ]
win.ini -> %SystemRoot%\win.ini ->  [Ver =  | Size = 573 bytes | Modified Date = 10/15/2007 10:28:42 AM | Attr =    ]
WindowsShellOld.Manifest.1 -> %SystemRoot%\WindowsShellOld.Manifest.1 ->  [Ver =  | Size = 82 bytes | Modified Date = 10/3/2007 10:56:02 AM | Attr =  H ]
Norton Security Scan.job -> %SystemRoot%\tasks\Norton Security Scan.job ->  [Ver =  | Size = 420 bytes | Modified Date = 10/12/2007 4:44:22 PM | Attr =    ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT ->  [Ver =  | Size = 6 bytes | Modified Date = 10/20/2007 8:10:30 PM | Attr =  H ]
aylcodgp.ini -> %System32%\aylcodgp.ini ->  [Ver =  | Size = 693721 bytes | Modified Date = 10/15/2007 4:28:14 PM | Attr =  HS]
CatRoot2 -> %System32%\CatRoot2 ->  [Folder | Modified Date = 10/20/2007 8:14:56 PM | Attr =    ]
comms2 -> %System32%\comms2 ->  [Folder | Modified Date = 10/13/2007 9:20:48 PM | Attr =    ]
cpnprt2.cid -> %System32%\cpnprt2.cid -> Coupons, Inc. [Ver = 1, 0, 5, 0 | Size = 161112 bytes | Modified Date = 10/3/2007 10:56:14 AM | Attr = RH ]
dllcache -> %System32%\dllcache ->  [Folder | Modified Date = 10/20/2007 8:05:30 PM | Attr = RHS]
drivers -> %System32%\drivers ->  [Folder | Modified Date = 10/19/2007 10:56:34 AM | Attr =    ]
extdfugh.ini -> %System32%\extdfugh.ini ->  [Ver =  | Size = 693601 bytes | Modified Date = 10/15/2007 11:06:10 AM | Attr =  HS]
hknpo.bak1 -> %System32%\hknpo.bak1 ->  [Ver =  | Size = 6513 bytes | Modified Date = 10/20/2007 6:29:10 PM | Attr =  HS]
hknpo.ini -> %System32%\hknpo.ini ->  [Ver =  | Size = 529 bytes | Modified Date = 10/20/2007 8:19:12 PM | Attr =  HS]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:28 PM | Attr =    ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 69632 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr =    ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 135168 bytes | Modified Date = 9/24/2007 10:30:30 PM | Attr =    ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.30.5 | Size = 139264 bytes | Modified Date = 9/24/2007 11:31:42 PM | Attr =    ]
mcrh.tmp -> %System32%\mcrh.tmp ->  [Ver =  | Size = 143 bytes | Modified Date = 10/14/2007 9:02:04 AM | Attr =    ]
opnkh.dll -> %System32%\opnkh.dll ->  [Ver =  | Size = 303200 bytes | Modified Date = 10/20/2007 6:28:42 PM | Attr =    ]
pmkli.dll -> %System32%\pmkli.dll ->  [Ver =  | Size = 312416 bytes | Modified Date = 10/19/2007 1:51:50 PM | Attr =    ]
pttryjxd.dllbox -> %System32%\pttryjxd.dllbox ->  [Ver =  | Size = 17006 bytes | Modified Date = 10/19/2007 12:44:18 PM | Attr =  HS]
que1 -> %System32%\que1 ->  [Folder | Modified Date = 10/16/2007 12:58:02 PM | Attr =    ]
Restore -> %System32%\Restore ->  [Folder | Modified Date = 10/18/2007 9:44:14 AM | Attr =    ]
SpoonUninstall.exe -> %System32%\SpoonUninstall.exe ->  [Ver =  | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr =    ]
tmp.reg -> %System32%\tmp.reg ->  [Ver =  | Size = 2244 bytes | Modified Date = 10/17/2007 9:59:16 AM | Attr =    ]
vosuuyod.ini -> %System32%\vosuuyod.ini ->  [Ver =  | Size = 693481 bytes | Modified Date = 10/15/2007 10:37:28 AM | Attr =  HS]
vtuuvsr.dll -> %System32%\vtuuvsr.dll ->  [Ver =  | Size = 33792 bytes | Modified Date = 10/17/2007 7:02:18 PM | Attr =    ]
wpa.dbl -> %System32%\wpa.dbl ->  [Ver =  | Size = 2206 bytes | Modified Date = 10/20/2007 4:11:30 PM | Attr =    ]
eamon.sys -> %System32%\drivers\eamon.sys -> Eset  [Ver = 3,0,0,0 D built by: WinDDK | Size = 33288 bytes | Modified Date = 9/21/2007 9:15:26 AM | Attr =    ]
easdrv.sys -> %System32%\drivers\easdrv.sys -> Eset [Ver = 3, 0, 414 RC1 | Size = 25096 bytes | Modified Date = 9/21/2007 9:15:52 AM | Attr =    ]
epfwtdir.sys -> %System32%\drivers\epfwtdir.sys ->  [Ver =  | Size = 28680 bytes | Modified Date = 9/21/2007 9:17:14 AM | Attr =    ]
etc -> %System32%\drivers\etc ->  [Folder | Modified Date = 10/19/2007 10:56:30 AM | Attr =    ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 0 bytes -> %SystemRoot%\Thumbs.db:encryptable ->
UPX! , UPX0 ,  -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1043, 0 | Size = 801144 bytes | Modified Date = 9/6/2007 3:09:50 AM | Attr =    ]
PEC2 ,  -> %System32%\dfrg.msc ->  [Ver =  | Size = 41397 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]
@Alternate Data Stream - 26 bytes -> %System32%\SpoonUninstall.exe:Zone.Identifier ->
USERTRUST ,  -> %System32%\SpoonUninstall.exe ->  [Ver =  | Size = 4229496 bytes | Modified Date = 10/7/2007 9:30:14 AM | Attr =    ]
UPX! , UPX0 ,  -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 10/5/2007 10:07:32 AM | Attr =    ]
winsync ,  -> %System32%\wbdbase.deu ->  [Ver =  | Size = 1309184 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]
WSUD , UPX0 ,  -> %System32%\dllcache\hwxjpn.dll ->  [Ver =  | Size = 13463552 bytes | Modified Date = 8/23/2001 5:00:00 AM | Attr =    ]

< End of report >

tryan21

  • Guest
Re: Virus... please help
« Reply #37 on: October 21, 2007, 06:02:33 PM »
ComboFix 07-10-17.8 - Tara & Paul 2007-10-21  8:42:49.7 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.bak1
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\hknpo.ini
C:\WINDOWS\system32\opnkh.dll
C:\WINDOWS\system32\pmkli.dll

.
(((((((((((((((((((((((((   Files Created from 2007-09-21 to 2007-10-21  )))))))))))))))))))))))))))))))
.

2007-10-18 20:41   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-17 19:02   33,792   --a------   C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 09:48   2,244   --a------   C:\WINDOWS\system32\tmp.reg
2007-10-17 09:38   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-16 14:32   <DIR>   d--------   C:\VundoFix Backups
2007-10-16 09:51   <DIR>      C:\Documents and Settings\Tara 2007-10-16  09:51    <DIR>           Paul\Application Data\Help
2007-10-16 09:16   51,200   --a------   C:\WINDOWS\NirCmd.exe
2007-10-15 09:23   <DIR>   d--------   C:\WINDOWS\pss
2007-10-13 21:20   <DIR>   d--------   C:\WINDOWS\system32\que1
2007-10-13 21:20   <DIR>   d--------   C:\WINDOWS\system32\comms2
2007-10-07 09:31   <DIR>      C:\Documents and Settings\Tara 2007-10-07  09:31    <DIR>           Paul\Application Data\AccurateRip
2007-10-07 09:31   4,229,496   --a------   C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-07 09:30   <DIR>   d--------   C:\Program Files\Illustrate
2007-10-04 15:00   <DIR>   d--------   C:\Program Files\Java
2007-10-04 14:57   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-10-03 10:56   31   --ah-----   C:\WINDOWS\uccspecc.sys
2007-09-27 08:00   <DIR>   d--------   C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18   <DIR>      C:\Documents and Settings\Tara 2007-09-24  13:18    <DIR>           Paul\Application Data\Yahoo!
2007-09-24 13:10   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03   <DIR>   d--------   C:\Program Files\Yahoo!
2007-09-23 11:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06   <DIR>   d--------   C:\Program Files\SpywareBlaster
2007-09-21 09:17   28,680   --a------   C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15   33,288   --a------   C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15   25,096   --a------   C:\WINDOWS\system32\drivers\easdrv.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2007-10-17 02:26   ---------   d-----w   C:\Program Files\RogueRemover FREE
2007-10-13 13:35   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00   ---------   d-----w   C:\Program Files\Norton Security Scan
2007-10-08 18:54   ---------   d-----w   C:\Program Files\mobile PhoneTools
2007-10-08 18:54   ---------   d-----w   C:\Program Files\LiveUpdate
2007-10-07 16:31   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-09-25 23:33   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-09-25 17:16   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16   ---------   d-----w   C:\Program Files\Google
2007-09-20 21:33   ---------   d-----w   C:\Program Files\Common Files\Download Manager
2007-09-20 02:15   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-07-31 02:18   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-16_ 9.36.09.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10   181,248   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41   181,760   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
- 2007-10-16 16:18:25   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-21 15:42:14   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-21 15:50:41   16,384   ----atw   C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02   33792   --a------   C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 08:52:35
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21  8:59:15 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-19 11:04
C:\ComboFix3.txt ... 2007-10-17 10:15
.
   --- E O F ---

tryan21

  • Guest
Re: Virus... please help
« Reply #38 on: October 21, 2007, 06:03:49 PM »
Logfile of HijackThis v1.99.1
Scan saved at 9:03:09 AM, on 10/21/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


mauserme

  • Guest
Re: Virus... please help
« Reply #39 on: October 21, 2007, 06:54:32 PM »
I have to be honest with you.  The system problems you describe are not a good sign and you have to face the possibility that this will lead to a reformat.  I'm not giving up yet but you should back up any important data, pictures, etc to play it safe.  It would be wise to do this before proceeding any further.


Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Files/Folders - Created Within 30 days]
NY -> uccspecc.sys -> %SystemRoot%\uccspecc.sys
NY -> aylcodgp.ini -> %System32%\aylcodgp.ini
NY -> cpnprt2.cid -> %System32%\cpnprt2.cid
NY -> extdfugh.ini -> %System32%\extdfugh.ini
NY -> hknpo.bak1 -> %System32%\hknpo.bak1
NY -> hknpo.ini -> %System32%\hknpo.ini
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> opnkh.dll -> %System32%\opnkh.dll
NY -> pmkli.dll -> %System32%\pmkli.dll
NY -> pttryjxd.dllbox -> %System32%\pttryjxd.dllbox
NY -> tmp.reg -> %System32%\tmp.reg
NY -> vosuuyod.ini -> %System32%\vosuuyod.ini
NY -> vtuuvsr.dll -> %System32%\vtuuvsr.dll

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information in your next response.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.



Now open OTMoveIt and copy the following into the paths to be moved field

C:\WINDOWS\system32\que1
C:\WINDOWS\system32\comms2
C:\WINDOWS\system32\tuvus.dll

Click the red Move It button and include the results with the WinPFind results.




Next, download ERUNT from here and back up your entire registry

http://www.snapfiles.com/get/erunt.html

Now open Notepad and copy everything within the quote box below into a new document.  Make sure there is no space above "REGEDIT4"

Quote
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-

Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
In the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop. Right click the fix.reg file and select merge.  Accept the warning if it appears.


When that's finished open HJT and place a check mark next to any of these lines that remain

O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll

Close all other windows, browser included, and click Fix Checked.


In addition to the WinPFind and OTMoveIt results please give me fresh ComboFix and HJT logs.
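
As an added illustration of the pattern behind the HJT fix list in this reply (this is example code, not something from the thread or from HijackThis, OTMoveIt or WinPFind), here is a small Python script that parses the O2/O3/O20 lines of an HJT log and flags two things: a BHO logged as "(no name)", and a DLL that is registered at more than one load point, which is exactly how vtuuvsr.dll appears as both a BHO and a Winlogon Notify handler above. The sample lines are copied from the HJT log posted in Reply #38 with the benign entries kept for contrast; the two heuristics are my own first-pass review rules, not anything HJT itself applies.

```python
"""Flag HijackThis (HJT) O2/O3/O20 entries worth reviewing for "Fix checked".

Two heuristics drawn from the cleanup steps in this thread:
  1. a BHO registered with "(no name)", and
  2. one DLL loaded from more than one load point (BHO, toolbar, Winlogon Notify).
Neither is a verdict on its own; they select lines for a human to look at.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a subset of the HJT v1.99.1 log posted in Reply #38.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: (no name) - {9F017283-6106-4282-BADC-1E3B7B7D3A61} - C:\WINDOWS\system32\tuvus.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
"""

# Only the three HJT sections used by the fix list in this thread are parsed;
# every other line type (O4, O9, O16, O23, ...) is ignored.
_PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+)$"),
}


@dataclass(frozen=True)
class Entry:
    section: str          # "O2", "O3" or "O20"
    name: str             # display name HJT shows, e.g. "(no name)"
    path: str             # DLL path exactly as logged
    clsid: Optional[str]  # CLSID for O2/O3, None for O20
    raw: str              # the original log line (the text you would tick in HJT)


def parse_hjt(text: str) -> List[Entry]:
    """Return the O2/O3/O20 entries found in an HJT log, in log order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        for section, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if m:
                entries.append(Entry(section, m.group("name"), m.group("path"),
                                     m.groupdict().get("clsid"), line))
                break
    return entries


def suspicious_entries(entries: List[Entry]) -> List[Entry]:
    """Apply the two heuristics and return the matching entries in log order."""
    # Windows paths are case-insensitive, and HJT itself mixes system32/SYSTEM32,
    # so every comparison is done on the lower-cased path.
    sections_by_path: Dict[str, Set[str]] = {}
    for e in entries:
        sections_by_path.setdefault(e.path.lower(), set()).add(e.section)

    flagged: Set[str] = set()
    for e in entries:
        if e.section == "O2" and e.name == "(no name)":      # heuristic 1
            flagged.add(e.path.lower())
    for path, sections in sections_by_path.items():
        if len(sections) > 1:                                 # heuristic 2
            flagged.add(path)

    return [e for e in entries if e.path.lower() in flagged]


def fix_list(text: str) -> List[str]:
    """The raw HJT lines a helper would ask the user to place a check mark next to."""
    return [e.raw for e in suspicious_entries(parse_hjt(text))]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_HJT_LOG):
        print(line)
```

Run against the sample it returns the same three lines listed for HJT in this reply (the two unnamed BHOs and the vtuuvsr Winlogon Notify entry) and leaves the Adobe, Google and SUPERAntiSpyware entries alone. The same cross-referencing idea applies to the ComboFix output above, where vtuuvsr.dll also shows up under ShellExecuteHooks.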

tryan21

  • Guest
Re: Virus... please help
« Reply #40 on: October 22, 2007, 10:45:48 PM »
C:\WINDOWS\system32\que1 moved successfully.
C:\WINDOWS\system32\comms2 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\tuvus.dll scheduled to be moved on reboot.
 
Created on 10/22/2007 13:43:07

WinPFind3U said it had to be restarted, then I got an error message saying Invalid floating point operation. I then restarted and no log popped up. Also got the same error message when I did OTMoveIt.

tryan21

  • Guest
Re: Virus... please help
« Reply #41 on: October 23, 2007, 12:15:47 AM »
When I ran combofix I got an error message saying sed.cfexe has encountered a problem and needs to close. Here is the log:

ComboFix 07-10-17.8 - Tara & Paul 2007-10-22 14:00:12.8 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\TryanFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\evqdnvcu.dll
C:\WINDOWS\system32\lepmqbnt.dll
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak1
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.bak2
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\suvut.ini
C:\WINDOWS\system32\tnbqmpel.ini
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll
C:\WINDOWS\system32\tuvus.dll

.
(((((((((((((((((((((((((   Files Created from 2007-09-22 to 2007-10-22  )))))))))))))))))))))))))))))))
.

2007-10-18 20:41   <DIR>   d--------   C:\Program Files\Navilog1
2007-10-17 09:38   <DIR>   d--------   C:\Program Files\Trend Micro
2007-10-16 14:32   <DIR>   d--------   C:\VundoFix Backups
2007-10-16 09:51   <DIR>      C:\Documents and Settings\Tara 2007-10-16  09:51    <DIR>           Paul\Application Data\Help
2007-10-07 09:31   <DIR>      C:\Documents and Settings\Tara 2007-10-07  09:31    <DIR>           Paul\Application Data\AccurateRip
2007-10-07 09:30   <DIR>   d--------   C:\Program Files\Illustrate
2007-10-04 15:00   <DIR>   d--------   C:\Program Files\Java
2007-10-04 14:57   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-09-27 08:00   <DIR>   d--------   C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18   <DIR>      C:\Documents and Settings\Tara 2007-09-24  13:18    <DIR>           Paul\Application Data\Yahoo!
2007-09-24 13:10   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03   <DIR>   d--------   C:\Program Files\Yahoo!
2007-09-23 11:15   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06   <DIR>   d--------   C:\Program Files\SpywareBlaster

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:49   ---------   d-----w   C:\Program Files\SUPERAntiSpyware
2007-10-18 02:02   33,792   ----a-w   C:\WINDOWS\system32\vtuuvsr.dll
2007-10-17 02:26   ---------   d-----w   C:\Program Files\RogueRemover FREE
2007-10-13 13:35   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00   ---------   d-----w   C:\Program Files\Norton Security Scan
2007-10-08 18:54   ---------   d-----w   C:\Program Files\mobile PhoneTools
2007-10-08 18:54   ---------   d-----w   C:\Program Files\LiveUpdate
2007-10-07 16:31   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 16:30   4,229,496   ----a-w   C:\WINDOWS\system32\SpoonUninstall.exe
2007-09-25 23:33   ---------   d-----w   C:\Program Files\Common Files\Adobe
2007-09-25 17:16   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16   ---------   d-----w   C:\Program Files\Google
2007-09-21 16:17   28,680   ----a-w   C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 16:15   33,288   ----a-w   C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 16:15   25,096   ----a-w   C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 21:33   ---------   d-----w   C:\Program Files\Common Files\Download Manager
2007-09-20 02:15   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-20 02:14   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-20 02:12   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 17:15   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-09 07:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05   ---------   d-----w   C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-07-31 02:18   207,736   ----a-w   C:\WINDOWS\system32\muweb.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-16_ 9.36.09.50   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-15 17:13:10   181,248   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2007-10-16 17:14:41   181,760   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
+ 2005-10-20 19:02:28   163,328   ----a-w   C:\WINDOWS\erdnt\10-22-2007\ERDNT.EXE
+ 2007-10-22 20:50:15   4,370,432   ----a-w   C:\WINDOWS\erdnt\10-22-2007\Users\00000001\ntuser.dat
+ 2007-10-22 20:50:15   151,552   ----a-w   C:\WINDOWS\erdnt\10-22-2007\Users\00000002\UsrClass.dat
- 2007-10-16 16:18:25   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-22 20:59:28   274,432   ----a-w   C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-22 21:10:52   16,384   ----atw   C:\WINDOWS\TEMP\Perflib_Perfdata_5ec.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
2007-10-17 19:02   33792   --a------   C:\WINDOWS\system32\vtuuvsr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"EPSON Stylus CX5800F Series"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe" [2005-05-09 22:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-09-07 18:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-19 16:29]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\Tara & Paul\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]
vtuuvsr.dll 2007-10-17 19:02 33792 C:\WINDOWS\system32\vtuuvsr.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 14:12:43
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 15:03:04 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-21 08:59
C:\ComboFix3.txt ... 2007-10-19 11:04
.
   --- E O F ---

tryan21

  • Guest
Re: Virus... please help
« Reply #42 on: October 23, 2007, 12:17:09 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:39 PM, on 10/22/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 "EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7803 bytes

polonus

  • Avast Überevangelist
Re: Virus... please help
« Reply #43 on: October 23, 2007, 12:45:28 AM »
Hi tryan21,

vtuuvsr.dll is a sign of a win trojan gen infection, and maxifiles trojan. More cleansing needs to be done.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mauserme

  • Guest
Re: Virus... please help
« Reply #44 on: October 23, 2007, 03:01:25 AM »
We're not going to worry about the sed.cfexe error at the moment but, as polonus said, we do need to rid your computer of vtuuvsr.dll for good.


1. Please open Notepad
Click Start , then Run
Type notepad.exe in the Run box and hit Enter.

2. Now copy/paste the entire contents of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\system32\vtuuvsr.dll

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuuvsr]

3. Save the above as CFScript.txt

4. Drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.
« Last Edit: October 23, 2007, 03:04:10 AM by mauserme »
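The three places the script above removes vtuuvsr.dll from (the unnamed O2 BHO, the ShellExecuteHooks value and the Winlogon Notify subkey) were found by reading the HijackThis and ComboFix logs side by side and noticing the same DLL behind all three. The Python script below, added here as an example and not code from the thread, from HijackThis or from ComboFix, does that cross-reading mechanically: it parses O2 and O20 lines and the ShellExecuteHooks section, groups entries by the module they load, flags modules that are unnamed or persist through more than one mechanism, and renders a CFScript in the shape of the one posted. The sample log lines are constructed from entries quoted earlier in the thread; the generated Registry:: section uses plain .reg delete syntax (`[-key]`, `"value"=-`) for every entry instead of ComboFix's `~` shorthand, which is a choice of this example.

```python
"""Cross-check HijackThis and ComboFix log lines for a module that persists
through several autostart mechanisms, then render the matching CFScript."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample (copied from entries quoted in the thread): HijackThis
# O2/O20 lines followed by the ShellExecuteHooks section of a ComboFix log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6DB3F881-19A2-4085-ABD0-DBD56E71F4F5} - C:\WINDOWS\system32\vtuuvsr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtuuvsr - C:\WINDOWS\SYSTEM32\vtuuvsr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
"{6DB3F881-19A2-4085-ABD0-DBD56E71F4F5}"= C:\WINDOWS\system32\vtuuvsr.dll [2007-10-17 19:02 33792]
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(rf'^"(?P<clsid>{GUID})"=\s*(?P<path>.+?)(?:\s+\[[^\]]*\])?$')

# Registry locations behind each mechanism (standard Windows paths).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass(frozen=True)
class Entry:
    mechanism: str          # "bho", "winlogon_notify" or "shell_execute_hook"
    name: Optional[str]     # display name (BHO) or subkey name (Notify)
    clsid: Optional[str]
    path: str               # module path exactly as written in the log


def parse_entries(text: str) -> list[Entry]:
    """Extract autostart entries from mixed HijackThis/ComboFix log text."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            current_key = m["key"]  # ComboFix registry section header
        elif m := BHO_RE.match(line):
            entries.append(Entry("bho", m["name"], m["clsid"], m["path"]))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("winlogon_notify", m["name"], None, m["path"]))
        elif (m := VALUE_RE.match(line)) and current_key and current_key.lower() == HOOKS_KEY.lower():
            entries.append(Entry("shell_execute_hook", None, m["clsid"], m["path"]))
    return entries


def correlate(text: str) -> dict[str, list[Entry]]:
    """Group entries by module (case-folded path, since NTFS paths are
    case-insensitive) and keep modules that are unnamed BHOs or are hooked
    into more than one autostart mechanism."""
    by_module: dict[str, list[Entry]] = defaultdict(list)
    for e in parse_entries(text):
        by_module[e.path.lower()].append(e)
    return {
        module: found
        for module, found in by_module.items()
        if len({e.mechanism for e in found}) > 1
        or any(e.mechanism == "bho" and e.name == "(no name)" for e in found)
    }


def build_cfscript(suspicious: dict[str, list[Entry]]) -> str:
    """Render a CFScript in the shape of the one in the post above, using
    .reg delete syntax throughout: [-key] removes a key, "value"=- a value."""
    files, registry = [], []
    for found in suspicious.values():
        files.append(found[0].path)
        for e in found:
            if e.mechanism == "bho":
                registry.append(f"[-{BHO_KEY}\\{e.clsid}]")
            elif e.mechanism == "winlogon_notify":
                registry.append(f"[-{NOTIFY_KEY}\\{e.name}]")
            else:
                registry.append(f"[{HOOKS_KEY}]")
                registry.append(f'"{e.clsid}"=-')
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"


if __name__ == "__main__":
    hits = correlate(SAMPLE_LOG)
    for module, found in hits.items():
        print(f"{module}: {sorted(e.mechanism for e in found)}")
    print(build_cfscript(hits))
```

On the sample, only vtuuvsr.dll is reported: SUPERAntiSpyware also sits in ShellExecuteHooks and Winlogon Notify, but through two differently named DLLs, so it never groups into one module. The case-folding matters because HijackThis printed the Notify path as SYSTEM32 and the BHO path as system32; without it the two entries would look like separate modules.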