IE Defender Pop-ups and Trojan


10 replies to this topic

#1 tpham

tpham

    New Member

  • New Member
  • 7 posts

Posted 28 October 2007 - 01:38 PM

I don't know what's wrong with my computer. Windows keeps popping up a warning that the computer is infected and to download IE Defender. I downloaded IE Defender thinking that it would scan and remove spyware infections. IE Defender is telling me that my computer is infected with:

File: IntelVideoDivX.II
Malware: IntelVideoCodec
Description: IntelVideoDivX.dll - Parasite, Trojan-Clicker.Win32.Delf.cqs Zlob

I ran a few anti-spyware programs such as AVG, SpyHunter, and CounterSpy. SpyHunter reported that my computer is infected with "Trojan.Vundo" and a bunch of spyware cookies. Please help! I also downloaded and ran HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:52:40 AM, on 10/28/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\IE Defender\iedefender.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\Windows\System32\IntelVideoDivX.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: psfus - C:\Windows\system32\psqlpwd.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)



#2 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 28 October 2007 - 02:09 PM

Welcome to the forum...are you running Vista?

Please use this version of HJT...rescan the system and post a fresh log, MrC

http://www.trendsecu.../HiJackThis.exe


#3 tpham

tpham

    New Member

  • New Member
  • 7 posts

Posted 28 October 2007 - 10:12 PM

I do have Windows Vista. Here's the result from the new HijackThis scan. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:07 PM, on 10/28/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\tpham\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPO89RZJ\HiJackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\Windows\System32\IntelVideoDivX.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [SD_Tips] iexplore http://www.spywarede.../tips_vista.htm
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7432 bytes
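The two HijackThis logs above are the raw material the helper works from: the R/O entries (BHOs, Run keys, Winsock LSPs, services) and the process list, compared scan against scan, with the IntelVideoDivX.dll BHO standing out in both. The following is an added example, not HijackThis code or anything posted in this thread: it parses HJT log lines into records, diffs a first and second scan, and flags entries that mention a file name from an indicator list. The two log excerpts are constructed from the logs posted above, and the indicator list (just IntelVideoDivX.dll here) is an assumption for illustration.

```python
"""Triage helpers for HijackThis (HJT) logs: parse the 'Running processes'
block and the R/O entries, diff two scans, and flag known-bad file names.
Added example for this thread; not HijackThis code. The sample logs are
constructed excerpts of the logs posted above."""
import re
from dataclasses import dataclass

# Constructed excerpt of the first scan (HJT 1.99.1) from post #1.
FIRST_SCAN = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\IE Defender\iedefender.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\Windows\System32\IntelVideoDivX.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
"""

# Constructed excerpt of the second scan (HJT 2.0.2, safe mode) from post #3.
SECOND_SCAN = r"""
Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IntelVideoCodec - {33A12BEB-3219-4CA8-99B4-733192704C62} - C:\Windows\System32\IntelVideoDivX.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""

# An HJT entry line: section code (R0, O2, O23, ...) then " - " then the detail.
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.+)$")
# The detail of an O2 line: "BHO: <name> - {CLSID} - <dll path>".
BHO_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code, e.g. "O2", "O4", "O23"
    detail: str   # rest of the line exactly as HijackThis printed it


def parse_hjt(text):
    """Return (processes, entries). Lines after 'Running processes:' are collected
    as paths until the first blank line; every other line matching HJT_LINE is an Entry."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False
            else:
                processes.append(line)
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m["section"], m["detail"]))
    return processes, entries


def diff_scans(old, new):
    """What disappeared between two scans and what is new (processes and entries)."""
    old_p, old_e = parse_hjt(old)
    new_p, new_e = parse_hjt(new)
    return {
        "processes_gone": sorted(set(old_p) - set(new_p)),
        "processes_new": sorted(set(new_p) - set(old_p)),
        "entries_gone": [e for e in old_e if e not in new_e],
        "entries_new": [e for e in new_e if e not in old_e],
    }


def flag_indicators(text, indicators):
    """Entries whose detail mentions any indicator file name (case-insensitive)."""
    wanted = {i.lower() for i in indicators}
    _, entries = parse_hjt(text)
    return [e for e in entries if any(w in e.detail.lower() for w in wanted)]


def bho_details(entry):
    """Split an O2 BHO entry into (name, clsid, path); None for non-BHO entries."""
    m = BHO_LINE.match(entry.detail)
    return (m["name"], m["clsid"], m["path"]) if m else None


if __name__ == "__main__":
    # Assumed indicator list: the file IE Defender itself named in post #1.
    for e in flag_indicators(FIRST_SCAN, ["IntelVideoDivX.dll"]):
        print("indicator hit:", e.section, bho_details(e) or e.detail)
    for key, items in diff_scans(FIRST_SCAN, SECOND_SCAN).items():
        for item in items:
            print(key, "->", item)
```

The diff is what a helper reads for: the IE Defender process is gone in the safe-mode scan while the IntelVideoCodec BHO survives in both, which is why the next step in the thread targets the DLL and the program folder rather than the pop-ups.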

#4 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 29 October 2007 - 05:20 AM

This should work on Vista.

Let's see if this gets it.

1. Download RVAXO.exe into a folder.

2. Double click on RVAXO.exe, then click "Installeren" to install the program.
("Bladeren" = Browse for Folder and "Annuleren" = Cancel)
It will install to a folder called Rvaxo

3. Now open up the Rvaxo folder and double click on RVAXO.cmd

You will see a small window pop up, and quickly some lines will run, then the window will close by itself; this is normal behavior.
Then it is possible for an uninstaller of some rogue scanner to start up; do not close this but follow all prompts there, and let it run its course.

4. When it's done....reboot the computer.
Now double click on RVAXO.cmd again to run the program........Let it finish.

5. After it's done it will create a file called RVAXO-results.log in C:\
(C:\RVAXO-results.log)

Copy and paste it back here.

-----------------

Next.......

Please download SUPERAntiSpyware Home Edition (free)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions; click Yes. Let it through your firewall!
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Ignore System Restore/Volume Information on ME and XP
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information - please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything, then right-click and choose copy.
  • Click close and close again to exit the program.
Now please paste the removal information along with a fresh HijackThis log in your reply. If it's a large log, you may need several replies to post it.
Please don't forget the log from RVAXO.

Good Luck, MrC


#5 tpham

tpham

    New Member

  • New Member
  • 7 posts

Posted 29 October 2007 - 11:31 PM

This is the result from the file RVAXO-results.log.

----------------RVAXO.exe first run-------------
Files found:
C:\Windows\system32\IntelVideoDivX.dll

Uninstallers Rogue scanners:

Folders Found:
C:\Program Files\IE Defender

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------
Files found:

Folders Found:

--------------RVAXO.exe finished----------------

#6 tpham

tpham

    New Member

  • New Member
  • 7 posts

Posted 30 October 2007 - 06:47 AM

This is the SUPERAntiSpyware Scan Log removal information:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/30/2007 at 05:22 AM

Application Version : 3.9.1008

Core Rules Database Version : 3333
Trace Rules Database Version: 1334

Scan type : Complete Scan
Total Scan Time : 06:33:09

Memory items scanned : 648
Memory threats detected : 0
Registry items scanned : 7704
Registry threats detected : 0
File items scanned : 361878
File threats detected : 144

Adware.Tracking Cookie
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@atdmt[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@ads.techguy[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[4].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[3].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@mediaplex[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@media.adrevolver[3].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@adrevolver[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[5].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@media.adrevolver[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@doubleclick[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[3].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@clickbank[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@fastclick[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@tribalfusion[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@adlegend[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@qksrv[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@revsci[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@specificclick[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@adrevolver[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@ads.techguy[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@atdmt[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@clickbank[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@doubleclick[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@fastclick[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@media.adrevolver[3].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@mediaplex[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[3].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@tribalfusion[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[1].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[2].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[3].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[4].txt
C:\Documents and Settings\tpham\AppData\Roaming\Microsoft\Windows\Cookies\tpham@www.googleadservices[5].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@adlegend[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@qksrv[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@revsci[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@specificclick[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@adrevolver[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@ads.techguy[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@atdmt[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@clickbank[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@doubleclick[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@fastclick[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@media.adrevolver[3].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@mediaplex[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[3].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@tribalfusion[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[1].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[2].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[3].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[4].txt
C:\Documents and Settings\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[5].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@adlegend[1].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@qksrv[2].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@revsci[2].txt
C:\Documents and Settings\tpham\Cookies\Low\tpham@specificclick[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@adrevolver[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@ads.techguy[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@atdmt[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@clickbank[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@doubleclick[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@fastclick[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@media.adrevolver[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@media.adrevolver[3].txt
C:\Documents and Settings\tpham\Cookies\tpham@mediaplex[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@server.iad.liveperson[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@server.iad.liveperson[3].txt
C:\Documents and Settings\tpham\Cookies\tpham@tribalfusion[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@www.googleadservices[1].txt
C:\Documents and Settings\tpham\Cookies\tpham@www.googleadservices[2].txt
C:\Documents and Settings\tpham\Cookies\tpham@www.googleadservices[3].txt
C:\Documents and Settings\tpham\Cookies\tpham@www.googleadservices[4].txt
C:\Documents and Settings\tpham\Cookies\tpham@www.googleadservices[5].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@adlegend[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@qksrv[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@revsci[2].txt
C:\Users\tpham\AppData\Roaming\Microsoft\Windows\Cookies\Low\tpham@specificclick[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@adlegend[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@qksrv[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@revsci[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\Low\tpham@specificclick[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@adrevolver[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@ads.techguy[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@atdmt[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@clickbank[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@doubleclick[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@fastclick[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@media.adrevolver[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@media.adrevolver[3].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@mediaplex[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@server.iad.liveperson[3].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@tribalfusion[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[1].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[2].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[3].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[4].txt
C:\Users\tpham\Application Data\Microsoft\Windows\Cookies\tpham@www.googleadservices[5].txt
C:\Users\tpham\Cookies\Low\tpham@adlegend[1].txt
C:\Users\tpham\Cookies\Low\tpham@adopt.specificclick[1].txt
C:\Users\tpham\Cookies\Low\tpham@media.adrevolver[1].txt
C:\Users\tpham\Cookies\Low\tpham@media.adrevolver[2].txt
C:\Users\tpham\Cookies\Low\tpham@qksrv[2].txt
C:\Users\tpham\Cookies\Low\tpham@revsci[2].txt
C:\Users\tpham\Cookies\Low\tpham@specificclick[2].txt
C:\Users\tpham\Cookies\tpham@adrevolver[2].txt
C:\Users\tpham\Cookies\tpham@ads.techguy[1].txt
C:\Users\tpham\Cookies\tpham@atdmt[2].txt
C:\Users\tpham\Cookies\tpham@clickbank[1].txt
C:\Users\tpham\Cookies\tpham@doubleclick[1].txt
C:\Users\tpham\Cookies\tpham@fastclick[2].txt
C:\Users\tpham\Cookies\tpham@media.adrevolver[2].txt
C:\Users\tpham\Cookies\tpham@media.adrevolver[3].txt
C:\Users\tpham\Cookies\tpham@mediaplex[2].txt
C:\Users\tpham\Cookies\tpham@server.iad.liveperson[1].txt
C:\Users\tpham\Cookies\tpham@server.iad.liveperson[3].txt
C:\Users\tpham\Cookies\tpham@tribalfusion[1].txt
C:\Users\tpham\Cookies\tpham@www.googleadservices[1].txt
C:\Users\tpham\Cookies\tpham@www.googleadservices[2].txt
C:\Users\tpham\Cookies\tpham@www.googleadservices[3].txt
C:\Users\tpham\Cookies\tpham@www.googleadservices[4].txt
C:\Users\tpham\Cookies\tpham@www.googleadservices[5].txt

#7 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 30 October 2007 - 03:22 PM

Can you please post a fresh HJT log? Thanks.....MrC

#8 tpham

tpham

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 30 October 2007 - 09:19 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:18 PM, on 10/30/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\tpham\Desktop\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG ANTI-SPYWARE] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [00TCRDMAIN] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8028 bytes
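
As an added example (not part of tpham's post, HijackThis, or the forum's own tooling), here is a small Python triage helper that reads HijackThis-format lines and orders them for review the way a malware-team helper would: hosts entries pointing anywhere but a local address, O4 autostarts with unqualified names or paths outside Windows/Program Files, anything in AppInit_DLLs, and services with no recorded owner. The review rules are my heuristics, not HijackThis's. The sample lines are copied from the log above except for two constructed ones, the `192.0.2.10` hosts line and the `Temp\EXAMPLE_updater.exe` Run entry, which exist only to exercise the checks and were not on tpham's machine.

```python
import re

# Constructed sample in the HijackThis 2.0.2 line format. All lines are copied from the
# log above except the 192.0.2.10 hosts line and the Temp\EXAMPLE_updater.exe Run entry,
# which are constructed to exercise the checks and are not from tpham's machine.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 192.0.2.10 update.example-av.invalid
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [00TCRDMAIN] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKCU\..\Run: [Updater] C:\Users\tpham\AppData\Local\Temp\EXAMPLE_updater.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# HijackThis entry lines: "R1 - ...", "O4 - ...", etc. Header and process lines do not match.
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")

# Roots from which autostarts are normally launched on a machine like this one.
# This is a review-ordering heuristic (my assumption), not a verdict: malware can live here too.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "%programfiles%\\")
LOCAL_HOSTS_SINKS = ("127.0.0.1", "::1", "0.0.0.0")


def parse_hjt(text):
    """Split a HijackThis log into (section, detail) pairs, ignoring header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def image_path(detail):
    """Image path of an O4 line: the text after [Name] or after 'x.lnk =', cut after the first '.exe'."""
    if "]" in detail:
        rest = detail.split("]", 1)[1]
    elif " = " in detail:
        rest = detail.split(" = ", 1)[1]
    else:
        return ""
    rest = rest.strip().strip('"').lower()
    i = rest.find(".exe")
    if i >= 0:
        return rest[: i + 4]
    return rest.split()[0] if rest else ""


def reasons_for(section, detail):
    """Return the review reasons that apply to one entry (empty list means nothing to flag)."""
    reasons = []
    if section == "O1":
        m = re.match(r"Hosts:\s*(\S+)\s+(\S+)", detail)
        if m and m.group(1) not in LOCAL_HOSTS_SINKS:
            reasons.append("hosts entry points a name at a non-local address")
    elif section == "O4":
        path = image_path(detail)
        if path and ":" not in path and not path.startswith(("\\", "%")):
            reasons.append("unqualified image name, resolved through the search path")
        elif path and not path.startswith(TRUSTED_ROOTS):
            reasons.append("autostart outside Windows and Program Files")
    elif section == "O20" and detail.startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs loads this DLL into every process that uses user32.dll")
    elif section == "O23" and "Unknown owner" in detail:
        reasons.append("service with no publisher recorded")
    return reasons


def triage(entries):
    """Return [(section, detail, reasons)] for the entries worth a closer look, in log order."""
    out = []
    for section, detail in entries:
        r = reasons_for(section, detail)
        if r:
            out.append((section, detail, r))
    return out


if __name__ == "__main__":
    for section, detail, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section:<4} {detail}\n     -> {'; '.join(reasons)}")
```

Run against the sample it lists five entries for review: the constructed hosts redirect, the bare `RtHDVCpl.exe` (a real entry from the log, flagged only because its path is unqualified), the constructed Temp autostart, the Google AppInit DLL, and the `pinger` service. Everything flagged still needs a human or a signature check before it is called malicious; the point of the script is to put the right lines at the top of the pile.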

#9 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 31 October 2007 - 05:13 PM

Looks Good and should be running OK now.

If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance:

Some of the programs you may have run create backups of what was deleted - you can safely delete them now (delete folders in blue). You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection, so there's no need for it to be running. I suggest you keep the program and update it regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point (XP only):

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the latest critical updates.

Install these two free programs. They sit in the background and protect your system from spyware and adware being installed on your system, and also from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG Free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows firewall is not sufficient...install a better one.
Comodo Free Firewall
ZoneAlarm Free
Other free firewalls

Keep those temp files off your system - use
ATF Cleaner - hit "select all", then just uncheck "cookies" (unchecking cookies is optional - leave it checked if you want to delete all cookies), then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 3<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter Manage your startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Slow Computer - Check Here

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc. asking for personal information - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC
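
The hosts-file item in the list above works by mapping advertising and malware host names to an address that goes nowhere, so the browser never reaches them; the same file is also a favourite target for hijacking in the other direction, which is why HijackThis reports hosts entries as O1 lines. As an added example (not MrCharlie's, not the MVPS list, and not part of this thread), here is a Python helper that parses a hosts file in the format such lists use, reports any entry that sends a name to a routable address, and merges new blocklist names without duplicating ones already present. The file content is constructed and the `.invalid` names are placeholders.

```python
import ipaddress

# Sink addresses used by blocklist-style hosts files: the name resolves to nothing reachable.
LOCAL_SINKS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample, not the MVPS list: a default-style Windows hosts file with two
# blocklist entries merged in and one entry that redirects a name to a routable address.
SAMPLE_HOSTS = """\
# (header comment as shipped with Windows)
127.0.0.1       localhost
::1             localhost
0.0.0.0 ads.example.invalid           # blocklist entry (constructed name)
0.0.0.0 tracker.example.invalid       # blocklist entry (constructed name)
192.0.2.44 update.example-av.invalid  # constructed hijack indicator
"""


def parse_hosts(text):
    """Return (address, name) pairs; '#' starts a comment and one address may carry several names."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        pairs.extend((addr, n.lower()) for n in names)
    return pairs


def find_redirects(pairs):
    """Entries that send a name to a non-local address: the pattern a hijacked hosts file shows,
    for example a security vendor's update host pointed at a server the user does not control."""
    bad = []
    for addr, name in pairs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append((addr, name))  # unparsable address: worth a look as well
            continue
        if addr not in LOCAL_SINKS and not ip.is_loopback:
            bad.append((addr, name))
    return bad


def merge_blocklist(text, names, sink="0.0.0.0"):
    """Append sink entries for names not already present. Existing lines are left untouched and
    merging the same names twice is a no-op, so the file does not grow on every list update."""
    present = {n for _, n in parse_hosts(text)}
    additions = [f"{sink} {n.lower()}" for n in sorted(set(names)) if n.lower() not in present]
    if not additions:
        return text
    if not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(additions) + "\n"


if __name__ == "__main__":
    pairs = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(pairs)} entries, redirects to non-local addresses: {find_redirects(pairs)}")
    print(merge_blocklist(SAMPLE_HOSTS, ["ads.example.invalid", "new.example.invalid"]))
```

The sink convention varies between lists (`0.0.0.0` here; some lists use `127.0.0.1`), which is why both count as local in `find_redirects`. On Windows the live file is `%SystemRoot%\System32\drivers\etc\hosts` and writing it needs an elevated prompt; the helper works on text so it can be run against a copy first.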


#10 tpham

tpham

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 31 October 2007 - 06:43 PM

I really appreciate all your help! I was wondering if you could figure out why my computer automatically restarts or shuts off without any command. I don't know if it was because of the previous problems. Thank you again!

#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 31 October 2007 - 07:14 PM

I really appreciate all your help! I was wondering if you could figure out why my Vista computer automatically restarts or shuts off without any command. I don't know if it was because of the previous problems. Thank you again!


No, I don't think so...you really didn't have that much on the system, just a bunch of cookies and this file and folder:
C:\Windows\system32\IntelVideoDivX.dll
C:\Program Files\IE Defender

-------------------------

Unfortunately I don't use Vista and am not familiar with it.

But here's some links including ours to ask for help:

http://forums.whatth...ndows_f119.html
http://www.annoyance.../forum/winvista
http://www.bleepingc...ms/forum72.html
http://www.windowsbbs.com/

I'll keep the post open until you get the problem solved, so please let me know how you make out, MrC
