Infected & with many popups -Help?!



bruzed
2007-08-08, 04:34
Help?
I've gone through and run many scans (incl. the Majorgeeks page info) but am still not clean. I ran VundoFix, which found:
"C:\windows\system32\vtutqpp.dll"
to be unfixable, but a "problem"?

Any help is GREATLY APPRECIATED!!! I am so at my wits' end... any advice to keep my PC safer would be golden! Thanks!

Here are my Logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:41, on 06/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {023e8c54-bf01-4db2-91e4-5bcd50b32021} - C:\WINDOWS\system32\mprtor.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\iihifg.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mprtor.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mprtor.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: c:\windows\system32\vtutqpp.dll
O20 - Winlogon Notify: mprtor - C:\WINDOWS\SYSTEM32\mprtor.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5105 bytes

Shaba
2007-08-08, 07:34
Hi bruzed

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

bruzed
2007-08-08, 08:57
Hello Shaba + thanks!

As before, when HijackThis scanned, the file:
"C:\windows\system32\vtutqpp.dll"
is STILL uncleanable even after the reboot/scan process.

Here are the requested logs:

C:\windows\system32\vtutqpp.dll

Beginning removal...

Attempting to delete C:\windows\system32\vtutqpp.dll
C:\windows\system32\vtutqpp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\vtutqpp.dll
C:\windows\system32\vtutqpp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

***************************************

ComboFix 07-08-07.6 - "Administrator" 2007-08-06 23:41:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.215 [GMT -7:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Autorun.inf
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpE05D.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpE05E.tmp.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\tmpE05F.tmp.exe
C:\DOCUME~1\ADMINI~1\Desktop\internet.lnk
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\system32\dn8442e354.dat
C:\WINDOWS\system32\mprtor.dll
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\vtutqpp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))


2007-08-06 23:21 977,920 --a--c--- C:\WINDOWS\system32\dllcache\msdtctm.dll
2007-08-06 23:21 977,920 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-08-06 23:21 97,280 --a--c--- C:\WINDOWS\system32\dllcache\txflog.dll
2007-08-06 23:21 97,280 --a------ C:\WINDOWS\system32\txflog.dll
2007-08-06 23:21 82,432 --a--c--- C:\WINDOWS\system32\dllcache\mtxoci.dll
2007-08-06 23:21 82,432 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-08-06 23:21 8,192 --a--c--- C:\WINDOWS\system32\dllcache\comrepl.exe
2007-08-06 23:21 64,512 --a--c--- C:\WINDOWS\system32\dllcache\mtxclu.dll
2007-08-06 23:21 64,512 --a--c--- C:\WINDOWS\system32\dllcache\colbact.dll
2007-08-06 23:21 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-08-06 23:21 64,512 --a------ C:\WINDOWS\system32\colbact.dll
2007-08-06 23:21 6,656 --a--c--- C:\WINDOWS\system32\dllcache\migregdb.exe
2007-08-06 23:21 596,480 --a--c--- C:\WINDOWS\system32\dllcache\catsrvut.dll
2007-08-06 23:21 596,480 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-08-06 23:21 499,200 --a--c--- C:\WINDOWS\system32\dllcache\comuid.dll
2007-08-06 23:21 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2007-08-06 23:21 442,880 --a--c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-08-06 23:21 442,880 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-08-06 23:21 365,568 --a--c--- C:\WINDOWS\system32\dllcache\msdtcprx.dll
2007-08-06 23:21 365,568 --a------ C:\WINDOWS\system32\msdtcprx.dll
2007-08-06 23:21 226,816 --a--c--- C:\WINDOWS\system32\dllcache\es.dll
2007-08-06 23:21 226,816 --a------ C:\WINDOWS\system32\es.dll
2007-08-06 23:21 225,280 --a--c--- C:\WINDOWS\system32\dllcache\catsrv.dll
2007-08-06 23:21 225,280 --a------ C:\WINDOWS\system32\catsrv.dll
2007-08-06 23:21 214,528 --a--c--- C:\WINDOWS\system32\dllcache\rpcss.dll
2007-08-06 23:21 214,528 --a------ C:\WINDOWS\system32\rpcss.dll
2007-08-06 23:21 187,904 --a--c--- C:\WINDOWS\system32\dllcache\comadmin.dll
2007-08-06 23:21 150,528 --a--c--- C:\WINDOWS\system32\dllcache\msdtcuiu.dll
2007-08-06 23:21 150,528 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2007-08-06 23:21 110,080 --a--c--- C:\WINDOWS\system32\dllcache\clbcatex.dll
2007-08-06 23:21 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2007-08-06 23:21 1,177,088 --a--c--- C:\WINDOWS\system32\dllcache\comsvcs.dll
2007-08-06 23:21 1,177,088 --a------ C:\WINDOWS\system32\comsvcs.dll
2007-08-06 23:21 1,105,408 --a--c--- C:\WINDOWS\system32\dllcache\ole32.dll
2007-08-06 23:21 1,105,408 --a------ C:\WINDOWS\system32\ole32.dll
2007-08-06 23:20 73,728 --a--c--- C:\WINDOWS\system32\dllcache\nmcom.dll
2007-08-06 23:20 727,040 --a--c--- C:\WINDOWS\system32\dllcache\helpctr.exe
2007-08-06 23:20 593,408 --a--c--- C:\WINDOWS\system32\dllcache\h323msp.dll
2007-08-06 23:20 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-08-06 23:20 550,400 --a--c--- C:\WINDOWS\system32\dllcache\rtcdll.dll
2007-08-06 23:20 550,400 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-08-06 23:20 48,640 --a--c--- C:\WINDOWS\system32\dllcache\browser.dll
2007-08-06 23:20 48,640 --a------ C:\WINDOWS\system32\browser.dll
2007-08-06 23:20 454,656 --a--c--- C:\WINDOWS\system32\dllcache\ipnathlp.dll
2007-08-06 23:20 454,656 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-08-06 23:20 40,960 --a--c--- C:\WINDOWS\system32\dllcache\evtgprov.dll
2007-08-06 23:20 364,544 --a--c--- C:\WINDOWS\system32\dllcache\callcont.dll
2007-08-06 23:20 36,864 --a--c--- C:\WINDOWS\system32\dllcache\mf3216.dll
2007-08-06 23:20 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-08-06 23:20 301,568 --a--c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2007-08-06 23:20 253,952 --a--c--- C:\WINDOWS\system32\dllcache\mst120.dll
2007-08-06 23:12 218,624 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2007-08-06 23:12 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2007-08-06 23:09 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-08-06 23:09 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2007-08-06 22:42 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-06 21:25 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-06 19:17 2,390 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-06 19:10 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-06 19:10 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-06 19:10 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-06 18:21 <DIR> d-------- C:\VundoFix Backups
2007-08-06 15:10 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-08-06 15:10 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-08-06 14:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sunbelt Software
2007-08-06 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-08-06 13:25 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-08-05 17:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-05 17:45 <DIR> d-------- C:\Program Files\CCleaner
2007-08-05 17:33 <DIR> d-------- C:\WINDOWS\pss
2007-08-04 19:02 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2007-08-04 19:02 <DIR> d-------- C:\Program Files\CDRWIN
2007-08-04 18:51 <DIR> d-------- C:\Program Files\CDRWIN 6
2007-08-04 18:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-04 13:49 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-08-04 13:49 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-04 13:49 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-04 13:49 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-04 13:49 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-04 13:49 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-04 13:49 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-04 13:49 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-04 13:48 <DIR> d-------- C:\Program Files\Alwil Software
2007-08-04 10:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-08-03 15:59 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2007-08-03 12:36 0 --a------ C:\WINDOWS\nsreg.dat
2007-08-02 15:04 24,128 --a------ C:\WINDOWS\system32\ngt6lr73.exe
2007-08-01 08:10 <DIR> d-------- C:\Program Files\uTorrent
2007-08-01 08:10 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-07-31 09:06 <DIR> d-------- C:\Program Files\Simple Star
2007-07-31 09:06 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Simple Star
2007-07-30 09:50 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-07-30 09:50 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-07-30 09:50 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-07-30 09:50 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-07-30 09:50 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2007-07-30 09:50 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2007-07-30 09:50 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2007-07-30 09:50 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-30 09:50 158,720 --------- C:\WINDOWS\system32\xpob2res.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-03 12:03 41472 --ahsc--- C:\Program Files\Thumbs.db
2007-07-30 09:40 --------- d--h----- C:\Program Files\WindowsUpdate
2007-07-30 00:59 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-07-30 00:55 --------- d-------- C:\Program Files\Matroska Pack
2007-07-29 12:33 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-20 10:30 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss
2007-06-15 14:37 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-06-10 16:34 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ROC
2007-05-22 11:02 163840 --a------ C:\WINDOWS\system32\unrar.dll
2005-05-03 07:50 100819 --a--c--- C:\Program Files\UHARC.EXE


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Real Alternative\Update_OB\realsched.exe" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-06-01 17:22]
"nwiz"="nwiz.exe" [2006-06-01 17:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-06-01 17:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"MMTray"="C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" [2001-09-12 16:41]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MA101 Configuration Utility .lnk - C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe [2006-09-20 09:41:08]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

R2 MxlW2k;MxlW2k;C:\WINDOWS\System32\drivers\MxlW2k.sys
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\DNINDIS5.SYS
R3 NETGEAR NETGEAR MA101 USB Adapter(A);NETGEAR NETGEAR MA101 USB Adapter(A) Service for NETGEAR MA101 USB Adapter;C:\WINDOWS\System32\DRIVERS\ma1012ka.sys
R3 pcouffin;VSO Software pcouffin;C:\WINDOWS\System32\Drivers\pcouffin.sys
S3 atirage;atirage;C:\WINDOWS\System32\DRIVERS\atiragem.sys
S3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver;C:\WINDOWS\System32\DRIVERS\DM9PCI5.SYS


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-06 23:47:39
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-06 23:50:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-06 23:50

--- E O F ---
*****************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:53:27, on 06/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\spyware.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 2009 bytes
******************************


Thanks!

Shaba
2007-08-08, 10:34
Hi

"As before, when HijackThis scanned, the file:
"C:\windows\system32\vtutqpp.dll"
is STILL uncleanable even after the reboot/scan process."

Combofix removed it:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\vtutqpp.dll

Please post a fresh HijackThis log, that one is incomplete.

bruzed
2007-08-08, 18:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:10:36, on 07/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 4800 bytes
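
The three HijackThis logs in this thread show the pattern worth recognising: one module, mprtor.dll, registered as an unnamed BHO, as both O9 items under the Sun Java Console CLSID, and as a Winlogon Notify package, plus a second DLL, vtutqpp.dll, in AppInit_DLLs. AppInit_DLLs is mapped into every process that loads user32.dll, so from logon onwards the file is always in use and a plain user-mode delete fails, which fits VundoFix reporting "Could not be deleted" while ComboFix, whose log ends with "machine was rebooted", did get it. The script below is an added example, not part of the thread and not code from HijackThis, VundoFix or ComboFix: it parses HijackThis item lines (constructed sample, copied from the first and the cleaned log above with O23 and R0 lines omitted), flags the entries an analyst should read first, cross-references every module path across hook types, and diffs the before and after logs so the cleanup is verified rather than eyeballed. The heuristics, category names and the `ignore` parameter are my own assumptions, not anything the tools provide.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed samples: item lines copied from the first (infected) and the
# cleaned HijackThis logs posted in this thread; O23 and R0 lines omitted.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {023e8c54-bf01-4db2-91e4-5bcd50b32021} - C:\WINDOWS\system32\mprtor.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\iihifg.dll",forkonce
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mprtor.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\mprtor.dll
O20 - AppInit_DLLs: c:\windows\system32\vtutqpp.dll
O20 - Winlogon Notify: mprtor - C:\WINDOWS\SYSTEM32\mprtor.dll
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
"""


class Finding(NamedTuple):
    category: str
    evidence: str
    note: str


ITEM_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Drive-letter path up to the first loadable-module extension; non-greedy so
# "C:\Program Files\..." keeps its spaces and ",EntryPoint" suffixes are dropped.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)
# rundll32 starting a DLL that sits directly in the Windows directory root.
RUNDLL_WINDIR_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[a-z]:\\windows\\[^\\"]+\.dll', re.IGNORECASE)


def parse_items(text):
    """Yield (kind, hook, rest, paths) for each 'Oxx - ...' or 'Rx - ...' line."""
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        hook = rest.split(":", 1)[0]  # "BHO", "HKLM\..\Run", "AppInit_DLLs", ...
        yield kind, hook, rest, [p.lower() for p in PATH_RE.findall(rest)]


def triage(text, ignore=()):
    """Findings an analyst should read first; ignore = module basenames known to be good."""
    ignore = {name.lower() for name in ignore}
    findings, hooks_by_module = [], defaultdict(set)
    for kind, hook, rest, paths in parse_items(text):
        for path in paths:
            hooks_by_module[path].add(f"{kind} {hook}")
        if kind == "O20" and hook == "AppInit_DLLs":
            findings.append(Finding("AppInit_DLLs", rest,
                "mapped into every process that loads user32.dll, so the file is in use "
                "from logon on and a plain delete fails until it is unhooked or removed "
                "before the shell starts"))
        elif kind == "O20" and hook == "Winlogon Notify":
            findings.append(Finding("Winlogon Notify", rest,
                "loaded by winlogon.exe at logon, before the user's shell"))
        elif kind == "O2" and "(no name)" in rest and any(p.startswith("c:\\windows\\") for p in paths):
            findings.append(Finding("unnamed BHO in %WINDIR%", rest,
                "browser helper object with no description living under the Windows directory"))
        elif kind == "O4" and RUNDLL_WINDIR_RE.search(rest):
            findings.append(Finding("O4 rundll32 DLL in %WINDIR% root", rest,
                "Run key invoking an arbitrary entry point of a DLL dropped next to explorer.exe"))
    # The same module wired into several hook types is a strong (not conclusive) signal.
    for module, hooks in sorted(hooks_by_module.items()):
        if len(hooks) > 1 and module.rsplit("\\", 1)[-1] not in ignore:
            findings.append(Finding("multi-hook module", module, "; ".join(sorted(hooks))))
    return findings


def diff_logs(before, after):
    """(removed, added) item lines between two logs, whitespace-normalised."""
    def items(text):
        return {" ".join(l.split()) for l in text.splitlines() if ITEM_RE.match(l.strip())}
    b, a = items(before), items(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.category}] {f.evidence}\n    {f.note}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} item(s) gone after cleanup, {len(added)} new")
```

The multi-hook check is a signal, not a verdict: on the cleaned log the only module hooked in more than one place is Java's ssv.dll, which is the legitimate owner of that O9 CLSID, hence the `ignore` parameter. Likewise Spybot's SDHelper.dll is a "(no name)" BHO but lives outside the Windows directory, so it is not flagged; a human still decides.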

Shaba
2007-08-08, 18:35
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\ngt6lr73.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

bruzed
2007-08-08, 19:08
File: ngt6lr73.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 76b9af099fa9a542c843913093d4eaa0
Packers detected:
-
Bit9 reports: Not analyzed yet (more info)
Scan taken on 08 Aug 2007 17:00:36 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Crypt.ULPM.Gen
ArcaVir
Found Trojan.Vb.Kb
Avast
Found nothing
AVG Antivirus
Found BackDoor.Generic7.AAMD
BitDefender
Found GenPack:Win32.Worm.Luder.F
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Inject.351
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Backdoor.Win32.VB.kb
Fortinet
Found W32/VB.KB!tr.bdr
Kaspersky Anti-Virus
Found Backdoor.Win32.VB.kb
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found W32/ZlFake.A.drp
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Small.oj
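
The report above is a Jotti multi-engine scan: twenty engines, each answering either "Found nothing" or "Found <name>", plus the MD5 of the submitted file. Two things are worth pulling out of it before acting: how many engines agree the file is malicious, and whether their names converge on one family (here several engines call it VB.kb, a backdoor, which says more about what to do next than the bare INFECTED banner). The script below is an added example, not part of the thread and not Jotti's or VirusTotal's code: it parses the pasted report (constructed sample, reproduced from the post above with the site's unrelated "last file scanned" box left out), tallies detections, reduces vendor names to a family token using a small and admittedly heuristic stoplist of platform and class prefixes that I chose, and checks that a local file's MD5 matches the report so the verdict is known to refer to the file about to be deleted.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: the Jotti report pasted in this thread, header plus
# the engine / result pairs.
JOTTI_REPORT = """File: ngt6lr73.exe
Status:
INFECTED/MALWARE
MD5: 76b9af099fa9a542c843913093d4eaa0
A-Squared
Found nothing
AntiVir
Found TR/Crypt.ULPM.Gen
ArcaVir
Found Trojan.Vb.Kb
Avast
Found nothing
AVG Antivirus
Found BackDoor.Generic7.AAMD
BitDefender
Found GenPack:Win32.Worm.Luder.F
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found Trojan.Inject.351
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Backdoor.Win32.VB.kb
Fortinet
Found W32/VB.KB!tr.bdr
Kaspersky Anti-Virus
Found Backdoor.Win32.VB.kb
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found W32/ZlFake.A.drp
Rising Antivirus
Found nothing
Sophos Antivirus
Found Mal/HckPk-A
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Small.oj
"""

# Platform and class words vendors prepend (my own stoplist); what is left is
# usually the family name.
GENERIC = {"trojan", "backdoor", "win32", "w32", "tr", "mal", "genpack", "worm",
           "crypt", "inject", "small", "gen"}


def parse_report(text):
    """Return (md5, {engine: result}); result is 'nothing' or the detection name."""
    md5, results, engine = None, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip().lower()
        elif line.startswith("Found "):
            if engine:  # a 'Found ...' line belongs to the engine line just above it
                results[engine] = line[len("Found "):]
            engine = None
        else:
            engine = line or None
    return md5, results


def family(name):
    """First token that is not a class word, a number or a short lowercase variant suffix."""
    for tok in re.split(r"[^A-Za-z0-9]+", name):
        t = tok.lower()
        if not t or t.isdigit() or t in GENERIC or t.startswith("generic"):
            continue
        if tok == t and len(tok) <= 3:  # 'kb', 'drp', 'bdr', 'oj': variant markers
            continue
        return t
    return None


def summarize(text):
    """Detection count, hit ratio and the family most engines agree on."""
    md5, results = parse_report(text)
    hits = {e: n for e, n in results.items() if n != "nothing"}
    fams = Counter(f for f in map(family, hits.values()) if f)
    top = fams.most_common(1)[0] if fams else (None, 0)
    return {"md5": md5, "engines": len(results), "detections": len(hits),
            "ratio": len(hits) / len(results) if results else 0.0,
            "family": top[0], "family_votes": top[1], "names": hits}


def matches_report(data: bytes, report_md5: str) -> bool:
    """True if these bytes are the bytes the report describes (compare before deleting)."""
    return hashlib.md5(data).hexdigest() == report_md5.lower()


if __name__ == "__main__":
    s = summarize(JOTTI_REPORT)
    print(f"{s['detections']}/{s['engines']} engines flag MD5 {s['md5']}; "
          f"family consensus: {s['family']} ({s['family_votes']} votes)")
```

Vendor naming is inconsistent enough that the family reduction will misfire on some names (Dr.Web's Trojan.Inject.351 and VBA32's Trojan.Win32.Small.oj yield no family at all here); the point is the vote count across engines, not any single label.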

Shaba
2007-08-08, 19:11
Hi

Delete that file and empty the Recycle Bin.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

bruzed
2007-08-09, 07:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:01, on 07/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 4817 bytes



*********************


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 07, 2007 10:47:03 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 377235
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 83135
Number of viruses found: 10
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 02:14:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{BEA3805C-A152-46BF-8300-79917408DE21}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{BEA3805C-A152-46BF-8300-79917408DE21}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{BEA3805C-A152-46BF-8300-79917408DE21}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\9lvv2f5b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\bind[1].com&t=1 Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\DOCUME~1\ADMINI~1\APPLIC~1\tmp1.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\Program Files\poolsv\svhost.exe.vir Infected: Trojan-Proxy.Win32.VB.x skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qwerty12.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtutqpp.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\QooBox\Quarantine\catchme2007-08-06_234726.71.zip/mprtor.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\QooBox\Quarantine\catchme2007-08-06_234726.71.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP373\A0089960.rbf Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP376\A0092528.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP376\A0092534.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP377\A0092563.exe Infected: Trojan-Proxy.Win32.VB.x skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP377\A0092564.dll Infected: not-a-virus:AdWare.Win32.BHO.cz skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP377\A0092566.exe Infected: Trojan.Win32.Patched.af skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP377\A0092567.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0094288.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0094294.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0094295.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0094297.exe Infected: Trojan-Proxy.Win32.VB.x skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0094311.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0095321.exe Infected: Backdoor.Win32.VB.kb skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd2893.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_504.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp249451038.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\SUB\ksetup\recorder.exe/data0001 Infected: Trojan-Spy.Win32.PCspy.c skipped
E:\SUB\ksetup\recorder.exe Inno: infected - 1 skipped
E:\SUB\recorder.exe/data0001 Infected: Trojan-Spy.Win32.PCspy.c skipped
E:\SUB\recorder.exe Inno: infected - 1 skipped

Scan process completed.

Shaba
2007-08-09, 12:05
Hi

Have you knowingly downloaded these?

E:\SUB\ksetup\recorder.exe/data0001 Infected: Trojan-Spy.Win32.PCspy.c skipped
E:\SUB\ksetup\recorder.exe Inno: infected - 1 skipped
E:\SUB\recorder.exe/data0001 Infected: Trojan-Spy.Win32.PCspy.c skipped
E:\SUB\recorder.exe Inno: infected - 1 skipped

bruzed
2007-08-09, 17:46
Knowingly?
-Not at all.

bruzed
2007-08-09, 17:52
Actually, looking at those, E: is a disc drive...
So a file on a disc has a trojan...?

Shaba
2007-08-09, 19:07
Hi

Yes, these are bad files:

E:\SUB\ksetup\recorder.exe
E:\SUB\recorder.exe

Delete those. I also recommend changing all online passwords just in case, and contacting your online bank/credit card company if you have used their services via this computer.

Empty this folder:

C:\QooBox\Quarantine

Empty Recycle Bin

Still problems?

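The sorting done in the reply above (live files to delete, quarantine to empty, restore-point copies that are inert) can be written down as a small triage parser for Kaspersky Online Scanner report lines. This is an added example, not code from the thread or from Kaspersky; the sample lines are copied from the report posted earlier, and the function names are my own.

```python
import re

# Constructed sample: a handful of lines copied from the Kaspersky Online
# Scanner report posted earlier in this thread (not the full report).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe Infected: Trojan.Win32.Patched.af skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtutqpp.dll.vir Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\System Volume Information\_restore{B7D28EEB-3895-4DD1-B576-8C427E4A3D09}\RP391\A0095321.exe Infected: Backdoor.Win32.VB.kb skipped
E:\SUB\ksetup\recorder.exe/data0001 Infected: Trojan-Spy.Win32.PCspy.c skipped
E:\SUB\ksetup\recorder.exe Inno: infected - 1 skipped
"""

# Three line shapes occur in the report:
#   <path> Infected: <detection> skipped
#   <path> Object is locked skipped
#   <path> <Container>: infected - <n> skipped   (archive/installer summary)
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:Infected:\s+(?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): infected - \d+)\s+skipped$"
)


def classify_location(path):
    """Where the flagged object lives: in the QooBox quarantine folder the
    reply says to empty, frozen inside a System Restore point, or live."""
    low = path.lower()
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    return "live"


def host_file(path):
    """Archive members are reported as <file>/<member>; return the file on disk."""
    return path.split("/", 1)[0]


def triage(report_text):
    """Bucket detections so each bucket maps to one follow-up action.

    Returns {"live": [...], "riskware": [...], "quarantine": [...],
             "restore_point": [...], "locked": <count>}; each list holds
    (path, detection) tuples."""
    buckets = {"live": [], "riskware": [], "quarantine": [],
               "restore_point": [], "locked": 0}
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and statistics lines
        if m["locked"]:
            buckets["locked"] += 1  # in-use files the scanner could not open
            continue
        if m["container"]:
            continue  # the member line already carries the detection name
        path, name = m["path"], m["name"]
        where = classify_location(path)
        if where == "live" and name.startswith("not-a-virus:"):
            where = "riskware"  # e.g. the Reboot.exe shipped with SmitfraudFix
        buckets[where].append((path, name))
    return buckets


def files_to_act_on(report_text):
    """Distinct live, non-riskware files: the ones to delete or verify first."""
    return sorted({host_file(p) for p, _ in triage(report_text)["live"]})


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, items if isinstance(items, int) else len(items))
    for f in files_to_act_on(SAMPLE_REPORT):
        print("act on:", f)
```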
bruzed
2007-08-10, 03:29
Are there any scans I should run to double-check that the problems are gone?

Shaba
2007-08-10, 11:08
Hi

We can run another online scan if you like:

Please run this online scan:

Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

bruzed
2007-08-10, 19:35
Panda Activescan
isn't working for me.

I tried it w/ IE and it didn't work. AVAST (anti-virus) dinged it as a threat and I continued to try it again w/ no anti-virus software on. Still didn't work. The scan page loads but with errors on the page.

Any other suggestions please?

Shaba
2007-08-10, 19:36
Hi

Then try this:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

bruzed
2007-08-11, 05:07
mm_tray.exe;c:\program files\musicmatch\musicmatch jukebox;Trojan.Inject.351;Cured.;


**************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:24, on 09/08/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Real Alternative\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5075 bytes
***************************************

Since getting infected my DVD-rw drive now fails to write and my 2nd HD is failing to be seen even in bios.
It looks like my virus/trojan problem is cured (I hope?!). Any advice to get these areas cured? A re-install?

Thanks again!

Shaba
2007-08-11, 11:32
Hi

You can copy mm_tray.exe back from quarantine, it's a false positive (it should be here -> C:\Documents and Settings\Administrator\DoctorWeb\quarantaine)

"Since getting infected my DVD-rw drive now fails to write and my 2nd HD is failing to be seen even in bios."

Try to re-install DVD-rw drivers.

As for the 2nd HD, it might soon break.

I can forward you to a hardware forum for those issues if you like; unfortunately I can't help much with those.

Any other issues?

Shaba
2007-08-18, 11:16
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.