[Closed] Please help with registry infection

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

[Closed] Please help with registry infection, Web sites popping up, Can you check my registry?

Options

ratracer View Member Profile	Jul 14 2008, 01:10 PM Post #1
New Member Group: New Member Posts: 2 Joined: 14-July 08 Member No.: 80,281 Operating System: XP	Thank you for your time Logfile of HijackThis v1.99.1 Scan saved at 2:43:27 PM, on 7/14/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Spyware Doctor\pctsTray.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\WINDOWS\System32\Rundll32.exe C:\Documents and Settings\Mike Krebs\Desktop\HijackThis.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\DNA\btdna.exe C:\Program Files\GetModule\GetModule19.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Spyware Doctor\pctsAuxs.exe C:\Program Files\Spyware Doctor\pctsSvc.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\Program Files\Mozilla Firefox\firefox.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080417 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080417 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O2 - BHO: bannerstyle browser optimizer - {b86aabb5-7f81-a081-0964-e1a70695ee19} - C:\WINDOWS\system32\vrknkrishurd.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [{63ca5cf1-96f9-e522-04a0-b24e70375b9e}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\vrknkrishurd.dll" DllStart O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [GetModule19] "C:\Program Files\GetModule\GetModule19.exe" O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

LDTate View Member Profile	Jul 14 2008, 02:51 PM Post #2
Forum God Group: Root Admin Posts: 40,571 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	http://forums.whatthetech.com/How_To_Remov...eck_t92654.html

ratracer View Member Profile	Jul 15 2008, 11:37 AM Post #3
New Member Group: New Member Posts: 2 Joined: 14-July 08 Member No.: 80,281 Operating System: XP	Thank you so much. Something finally worked. Malwarebytes' Anti-Malware 1.20 Database version: 952 Windows 5.1.2600 Service Pack 2 11:36:11 AM 7/15/2008 mbam-log-7-15-2008 (11-35-45).txt Scan type: Full Scan (C:\\|D:\\|) Objects scanned: 74613 Time elapsed: 8 minute(s), 16 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 7 Memory Processes Infected: C:\Program Files\GetModule\GetModule19.exe (Trojan.Agent) -> No action taken. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> No action taken. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule19 (Trojan.Agent) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{63ca5cf1-96f9-e522-04a0-b24e70375b9e} (Trojan.Agent) -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\iCheck (Trojan.Agent) -> No action taken. C:\Program Files\GetModule (Trojan.Agent) -> No action taken. Files Infected: C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> No action taken. C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> No action taken. C:\Program Files\GetModule\dicik.gz (Trojan.Agent) -> No action taken. C:\Program Files\GetModule\GetModule19.exe (Trojan.Agent) -> No action taken. C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> No action taken. C:\WINDOWS\system32\vrknkrishurd.dll (Trojan.Agent) -> No action taken. C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> No action taken.

LDTate View Member Profile	Jul 15 2008, 02:22 PM Post #4
Forum God Group: Root Admin Posts: 40,571 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop -------------------------------------------------------------------- Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix. WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts Please do not re-connect your machine back to the Internet until Combofix has completely finished. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ** *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. Give it atleast 20-30 minutes to finish

LDTate View Member Profile	Jul 26 2008, 05:25 AM Post #5
Forum God Group: Root Admin Posts: 40,571 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log

« Next Oldest · HijackThis™ Logs and Infections Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies	Topic Starter	Views	Last Action
HijackThis™ Logs and Infections Removal {closed} Malware / Adware	12	Jared 908B	295	34 minutes ago Last post by: Jared 908B
HijackThis™ Logs and Infections Removal [Closed] harison13	4	harison13	86	Today, 08:16 AM Last post by: RatHat
HijackThis™ Logs and Infections Removal [Closed] HijackThis Log, please help!	2	storobin	49	Yesterday, 08:39 PM Last post by: Tomk
HijackThis™ Logs and Infections Removal [Closed] Got a bad little hijacker/maleware/virus 12	16	kalvector	520	Yesterday, 08:39 PM Last post by: Tomk