Page 1 of 5 12345 LastLast
Results 1 to 10 of 49

Thread: Please Help Remove Virtumonde

  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default Please Help Remove Virtumonde

    I got my laptop about 5 months ago, and virtumonde has been on here as long as i can remember. Im constantly getting rid of it, but it just keeps coming back because i cant completely destroy it. I used search and destroy to get rid of it before posting here. It removed 2 out of 3 virtumonde items. The third could not be removed. It appears to be in the registry. One of the others that was removed was in the registry too, so im not sure why it cant remove it. Anyway, im posting search and destroy results here. Get back to me if you have any information!

    Virtumonde: [SBI $1B1C4D25] Executable (File, fixed)
    C:\Documents and Settings\Owner\Local Settings\Temp\removalfile.bat

    Virtumonde: [SBI $F3FA0F85] Uninstall settings (Registry key, fixing failed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo

    Virtumonde: [SBI $F3FA0F85] Uninstall settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo

    Win32.Small.azl: [SBI $2EBDADF4] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-417682724-2757141335-2312730193-1005\Software\WinAble


    --- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

    2007-10-13 unins000.exe (51.46.0.0)
    2007-08-31 blindman.exe (1.0.0.6)
    2007-08-31 SDMain.exe (1.0.0.4)
    2007-08-31 SDUpdate.exe (1.0.6.4)
    2007-08-31 SDWinSec.exe (1.0.0.8)
    2007-08-31 SpybotSD.exe (1.5.1.15)
    2007-08-31 TeaTimer.exe (1.5.0.9)
    2007-08-31 Update.exe (1.4.0.5)
    2007-08-31 advcheck.dll (1.5.3.0)
    2007-04-02 aports.dll (2.1.0.0)
    2007-04-02 DelZip179.dll (1.79.5.3)
    2007-08-31 SDHelper.dll (1.5.0.8)
    2007-08-31 Tools.dll (2.1.2.0)
    2007-07-25 Includes\Dialer.sbi (*)
    2007-08-29 Includes\Hijackers.sbi (*)
    2007-10-04 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2007-05-30 Includes\Security.sbi (*)
    2007-10-24 Includes\Malware.sbi (*)
    2007-10-24 Includes\PUPS.sbi (*)
    2007-10-24 Includes\Spybots.sbi (*)
    2007-10-24 Includes\Trojans.sbi (*)
    2007-10-24 Includes\Cookies.sbi (*)
    2007-10-24 Includes\Revision.sbi (*)
    2007-08-21 Includes\Tracks.uti
    2007-10-24 Includes\TrojansC.sbi (*)
    2007-10-24 Includes\SpybotsC.sbi (*)
    2007-10-24 Includes\SecurityC.sbi (*)
    2007-10-24 Includes\PUPSC.sbi (*)
    2007-10-24 Includes\MalwareC.sbi (*)
    2007-10-24 Includes\KeyloggersC.sbi (*)
    2007-10-24 Includes\HijackersC.sbi (*)
    2007-10-24 Includes\DialerC.sbi (*)
    2008-12-24 Plugins\TCPIPAddress.dll

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello
    Welcome to Safer Networking.

    Please read Before You Post
    All advice given by anyone volunteering here, is taken at own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Download and install Trendmicros Hijackthis

    Download the Trendmicro Hijackthis Installer, follow defauts and it will install in C:\Program Files\Trendmicro\Hijackthis and this is exactly where we want it to be.

    • Open HJT Scan and Save a Log File, it will open in Notepad
    • Go to Format and make sure Wordwrap is Unchecked
    • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


    This is important , do this before you post a Hijackthis log
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Scanner.exe
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default HiJackThis

    Followed it perfectly.

    Heres the results!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:05:15 PM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {B4810416-4B0B-4FDD-8B78-8048D3A2F4F7} - (no file)
    O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
    O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
    O4 - HKLM\..\Run: [Acer ePresentation HPD] "C:\Acer\Empowering Technology\ePresentation\ePresentation.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] "C:\Acer\Empowering Technology\ePower\Boot.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [LManager] "C:\PROGRA~1\LAUNCH~1\LManager.exe"
    O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
    O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
    O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
    O4 - HKLM\..\Run: [SManager] "smanager.7.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
    O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Owner\LOCALS~1\Temp\{4B2A2EB2-BB44-4491-BBBB-7B923B2881AB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] c:\windows\system32\svchost.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - Winlogon Notify: awtropn - awtropn.dll (file missing)
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\
    O20 - Winlogon Notify: cmddrv - C:\WINDOWS\
    O20 - Winlogon Notify: gebcywx - C:\WINDOWS\
    O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8984 bytes

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You did a good job installing HJT B U T , the reason I asked you to rename it is because the thieves that have written the Vundo Trojan have written it to evade a HJT scan and by renaming it if Vundo is present it will show up on your log.

    Your heavily infected with Vundo it showed up without renaming it but it may not be showing it all so make sure you do this before you post a new HJT log.

    This is important , so this before you post a new log
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Scanner.exe


    Please do this also..
    We need to disable the Tea Timer in Spybot Search and Destroy as to not interfere with the fix.
    • Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer



    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall


    I need to see the Combofix log and a New HJT renamed please

    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Member
    Join Date
    Oct 2007
    Posts
    67

    Exclamation Need Help Removing Viruses From D: Volume

    I performed an in depth scan using panda antivirus '08 and found many viruses. 3 of which could not be disinfected. They are in the D:\ System Volume Information.
    I can locate them and delete them, i know how to do that. But id just like to make sure that if i were to delete the files in the volume that it would not cause harm to my computer. Im posting a copy of the results which show the file names that are infected.
    Please get back to me if it is safe.

    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00371752 Adware/Yazzle Adware No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP78\A0054172.EXE
    00506844 Adware/WinAntivirus2006 Adware No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP81\A0054300.DLL
    00531547 Trj/Downloader.OLY Virus/Trojan No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP78\A0054171.EXE
    00788689 Generic Trojan Virus/Trojan No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP81\A0054301.EXE
    00788689 Generic Trojan Virus/Trojan No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP48\A0033215.EXE
    00988749 Generic Malware Virus/Trojan No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP57\A0037055.DLL
    01048936 Generic Malware Virus/Trojan No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP81\A0054302.DLL
    01166293 Spyware/Virtumonde Spyware No 1 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP51\A0034635.exe[kasp_activator.exe]
    01166293 Spyware/Virtumonde Spyware No 1 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP64\A0047098.exe[kasp_activator.exe]
    01343045 Trj/Downloader.PUT Virus/Trojan No 0 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP51\A0034635.exe[kasp_vista_compatibilator.exe]
    01343045 Trj/Downloader.PUT Virus/Trojan No 0 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP64\A0047098.exe[kasp_vista_compatibilator.exe]
    02242231 Trj/Downloader.MDW Virus/Trojan No 1 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP51\A0034635.exe[kasp_vista_compatibilator.exe][o01PrEz1064.exe]
    02242231 Trj/Downloader.MDW Virus/Trojan No 1 No No D:\System Volume Information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP64\A0047098.exe[kasp_vista_compatibilator.exe][o01PrEz1064.exe]
    02559865 Adware/Yazzle Adware No 0 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP83\A0057481.EXE
    02570052 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP83\A0058946.EXE



    A few of these appear to be virtumonde, which i posted another threat trying to get rid of. Thanks.

  6. #6
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default ComboFix

    ComboFix 07-10-29.1** - Owner 2007-10-29 20:49:23.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.357 [GMT -3:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\ErrorProtector Free
    C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\hours
    C:\Documents and Settings\All Users\Application Data\ErrorProtector Free\Data\ProductCode
    C:\Documents and Settings\Owner\Application Data\ErrorProtector Free
    C:\Documents and Settings\Owner\Application Data\ErrorProtector Free\Logs\update.log
    C:\Documents and Settings\Owner\ResErrors.log
    C:\Program Files\Common Files\companion wizard
    C:\Program Files\Common Files\Companion Wizard\CompWiz.xml
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\Temporary
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\WINDOWS\addins\ntp2.ini
    C:\WINDOWS\system32\autorun.ini
    C:\WINDOWS\system32\info.txt
    C:\WINDOWS\system32\o01PrEz
    C:\WINDOWS\system32\ystem~1
    C:\WINDOWS\system32\ystem~1\?ystem\

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
    .

    2007-10-29 20:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-29 20:04 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-13 21:10 <DIR> d-------- C:\WINDOWS\system32\PAV
    2007-10-13 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
    2007-10-13 21:10 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
    2007-10-13 21:10 248 --a------ C:\WINDOWS\system32\PavCPL.dat
    2007-10-13 21:09 <DIR> d-------- C:\Program Files\Panda Security
    2007-10-13 21:09 50,736 --a------ C:\WINDOWS\system32\avldr.dll
    2007-10-13 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-06 14:01 206 --a------ C:\WINDOWS\system32\ccefdec3_d.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
    2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
    2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
    2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
    2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
    2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-09-16 19:36 --------- d-----w C:\Program Files\WordPerfect Office X3
    2007-09-16 19:36 --------- d-----w C:\Program Files\Common Files\Corel
    2007-09-16 19:36 --------- d-----w C:\Program Files\Common Files\Borland Shared
    2007-09-04 22:26 342,049 ----a-w C:\WINDOWS\Invader Zim.exe
    2007-09-04 22:26 321,356 ----a-w C:\WINDOWS\Invader Zim.scr
    2007-09-04 22:26 321,356 ----a-w C:\WINDOWS\Inst9753.exe
    2007-09-04 22:26 30,208 ----a-w C:\WINDOWS\mickey32.dll
    2007-08-24 21:57 139,264 ----a-w C:\WINDOWS\War3Unin.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
    2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
    2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
    2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
    2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
    2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
    2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
    2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
    2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
    2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
    2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
    2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
    2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
    2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
    2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
    2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
    2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
    2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
    2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
    2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
    2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
    2007-07-30 22:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2007-07-30 22:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-07-30 22:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-07-30 22:19 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2007-07-30 22:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 22:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2007-07-30 22:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-07-30 22:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-07-30 22:19 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2007-07-30 22:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-07-30 22:19 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2007-07-30 22:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 22:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-07-30 22:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-07-30 22:18 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2007-05-18 19:14:54 835,284 --sh--w C:\WINDOWS\system32\rtvwa.bak1
    2007-05-20 21:03:28 80 --sh--r C:\WINDOWS\system32\6D49A83273.dll
    2007-05-20 23:56:50 1,994 --sh--w C:\WINDOWS\system32\rtvwa.ini2
    2007-05-20 19:15:18 860,505 --sh--w C:\WINDOWS\system32\rtvwa.bak2
    2007-04-30 18:49:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007042320070430\index.dat
    2007-04-30 18:49:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007043020070501\index.dat
    2007-05-01 14:31:00 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007050120070502\index.dat
    2007-05-02 14:40:50 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007050220070503\index.dat
    2007-05-24 23:45:50 3,473 --sh--w C:\WINDOWS\addins\ntp2.ini2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4810416-4B0B-4FDD-8B78-8048D3A2F4F7}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
    "ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 17:15]
    "Acer ePresentation HPD"="C:\Acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 16:39]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-10 20:00]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00]
    "ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-30 12:11]
    "Boot"="C:\Acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 22:12]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 13:07]
    "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-06-23 06:59]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 14:40]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 15:28 C:\WINDOWS\RTHDCPL.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "QuickFinder Scheduler"="C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE" [2007-01-02 23:21]
    "APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "AWMON"="C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 05:15:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtropn]
    awtropn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtr]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmddrv]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcywx]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]
    winbue32.dll

    R0 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
    R2 DritekPortIO;Dritek General Port I/O;\??\C:\PROGRA~1\LAUNCH~1\DPortIO.sys
    R2 int15;int15;\??\C:\WINDOWS\system32\drivers\int15.sys
    R2 tvicport;tvicport;\??\C:\WINDOWS\system32\drivers\tvicport.sys
    R3 DKbFltr;Dritek Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
    R3 EMSCR;EMSCR;C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
    R3 ESDCR;ESDCR;C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
    R3 ESMCR;ESMCR;C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
    S3 XDva009;XDva009;\??\C:\WINDOWS\system32\XDva009.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    AutoRun\command - E:\SETUP.EXE

    *Newly Created Service* - CATCHME
    *Newly Created Service* - RKPAVPROC
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-27 06:30:02 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
    - C:\Program Files\RegistrySmart\Reg\RegistrySmart.exe
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-29 20:50:49
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-29 20:51:12
    .
    --- E O F ---

  7. #7
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default HijackThis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:56 PM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\LManager.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {B4810416-4B0B-4FDD-8B78-8048D3A2F4F7} - (no file)
    O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
    O4 - HKLM\..\Run: [ntiMUI] "C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe"
    O4 - HKLM\..\Run: [Acer ePresentation HPD] "C:\Acer\Empowering Technology\ePresentation\ePresentation.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe " /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC"
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName"
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [Boot] "C:\Acer\Empowering Technology\ePower\Boot.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [LManager] "C:\PROGRA~1\LAUNCH~1\LManager.exe"
    O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
    O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office X3\Programs\QFSCHD130.EXE"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {8F4213B4-A970-4B3C-820D-343C693D5BF0} (SelfProvisioning.Wizard) - http://dsp02.eastlink.ca/SelfProvisioning.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O20 - Winlogon Notify: awtropn - awtropn.dll (file missing)
    O20 - Winlogon Notify: awvtr - C:\WINDOWS\
    O20 - Winlogon Notify: cmddrv - C:\WINDOWS\
    O20 - Winlogon Notify: gebcywx - C:\WINDOWS\
    O20 - Winlogon Notify: winbue32 - winbue32.dll (file missing)
    O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8320 bytes

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    Hello.

    Is this the same computer you are being assisted with here: http://forums.spybot.info/showthread.php?p=131645
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  9. #9
    Member
    Join Date
    Oct 2007
    Posts
    67

    Default Reply

    Yes. Same computer.
    Last edited by tashi; 2007-10-30 at 03:46. Reason: merged two topics

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad

    File::
    C:\WINDOWS\system32\rtvwa.bak1
    C:\WINDOWS\system32\rtvwa.ini2
    C:\WINDOWS\system32\rtvwa.bak2


    Registry::

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4810416-4B0B-4FDD-8B78-8048D3A2F4F7}]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtropn]
    awtropn.dll

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtr]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cmddrv]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcywx]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbue32]
    winbue32.dll

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.





    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
    together with a new HijackThis log.


    Lets run this tool to make sure its all gone
    Download VundoFix to your desktop

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.


    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




    Download CCleaner from here to clean temp files from your computer.
    • Double click on the file to start the installation of the program.
    • Select your language and click OK, then next.
    • Read the license agreement and click I Agree.
    • Click next to use the default install location. Click Install then finish to complete installation.
    • Double click the CCleaner shortcut on the desktop to start the program.
    • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
    • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
    • Click on the "Options" icon at the left side of the window, then click on "Advanced."
      deselect "Only delete files in Windows Temp folders older than 48 hours."
    • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
    • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
    • After CCleaner has completed its process, click Exit.

    *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!


    Let me see the Combofix log, the Vundofix log and a new HJT log please
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •