Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] savetheinformation problem

Started by qoosghoune , Nov 14 2007 02:57 PM

  • This topic is locked This topic is locked
14 replies to this topic

#1 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 14 November 2007 - 02:57 PM

i have a savetheinformation problem. some internet explorer pages are opening and "spyware found" messages are occuring constantly and there is this yellow triangle flashing.

used vundofix but didn't help (finds a few things, deletes them but reoccurs again). tried combofix but it didn't help too. besides i can't see my system32 folder after that!

here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:55:26, on 14.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Daemon\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NOD32\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AirTies\ADSL Hizmet Programı\AirTies_util3.exe
C:\Program Files\Collins\exe\L-Express.exe
C:\Program Files\Collins\exe\lexibase.exe
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\NOD32\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Virtual cd Hide\virtual-cd-hide.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ACDSYS~1\ACDSEE~1\ACDSee.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\scanner.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\cspxtvmn.dll
O2 - BHO: {b63359bb-bb40-48db-4334-9a2a75fe408f} - {f804ef57-a2a9-4334-bd84-04bbbb95336b} - C:\WINDOWS\system32\derrymtt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\cspxtvmn.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nod32upd] rundll32 "C:\Program Files\NOD32\fc_upd.dll",NOD32Ioctl
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cc7b536c] rundll32.exe "C:\WINDOWS\system32\vuusclby.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AirTies ADSL Hizmet Programı.lnk = ?
O4 - Global Startup: Lexibase Express.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Mobil Sık Kullanılanı Oluştur - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobil Sık Kullanılanı Oluştur... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: cspxtvmn - C:\WINDOWS\SYSTEM32\cspxtvmn.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

    Advertisements

Register to Remove

#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 20 November 2007 - 11:28 AM

Hello and welcome to the forum.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.


Next:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#3 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 21 November 2007 - 01:01 PM

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.10

Scan started at 20:49:26 21.11.2007

Listing files found while scanning....

C:\windows\system32\cspxtvmn.dll
C:\windows\system32\cspxtvmn.dllbox

Beginning removal...

Attempting to delete C:\windows\system32\cspxtvmn.dll
C:\windows\system32\cspxtvmn.dll Has been deleted!

Attempting to delete C:\windows\system32\cspxtvmn.dllbox
C:\windows\system32\cspxtvmn.dllbox Has been deleted!

Performing Repairs to the registry.
Done!

-----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:00:30, on 21.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\NOD32\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Daemon\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NOD32\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AirTies\ADSL Hizmet Programı\AirTies_util3.exe
C:\Program Files\Collins\exe\L-Express.exe
C:\Program Files\Collins\exe\lexibase.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {b63359bb-bb40-48db-4334-9a2a75fe408f} - {f804ef57-a2a9-4334-bd84-04bbbb95336b} - C:\WINDOWS\system32\derrymtt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nod32upd] rundll32 "C:\Program Files\NOD32\fc_upd.dll",NOD32Ioctl
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cc7b536c] rundll32.exe "C:\WINDOWS\system32\vuusclby.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AirTies ADSL Hizmet Programı.lnk = ?
O4 - Global Startup: Lexibase Express.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Mobil Sık Kullanılanı Oluştur - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobil Sık Kullanılanı Oluştur... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 21 November 2007 - 01:03 PM

Download ComboFix from Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you, combofix.txt. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick while its running. That may cause it to stall

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 22 November 2007 - 04:13 PM

ComboFix 07-11-19.3 - Administrator 2007-11-23 0:09:06.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1033.18.1586 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix-1.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

.
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-23 00:05 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-13 20:44 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-11-13 18:40 80,448 --a------ C:\WINDOWS\system32\derrymtt.dll
2007-11-13 18:30 <DIR> d-------- C:\VundoFix Backups
2007-11-13 11:11 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-13 11:11 5,387 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-13 11:03 218,112 --a------ C:\Program Files\scanner.exe
2007-11-13 03:02 144,480 --a------ C:\WINDOWS\system32\syvqjqxt.dll
2007-11-13 02:59 1,217,871 ---hs---- C:\WINDOWS\system32\yblcsuuv.ini
2007-11-13 02:59 89,664 --a------ C:\WINDOWS\system32\vuusclby.dll
2007-11-13 02:56 71,232 --a------ C:\WINDOWS\system32\tlcstxrc.exe
2007-11-12 03:02 846,832 ---hs---- C:\WINDOWS\system32\outdordx.ini
2007-11-12 03:02 88,128 --------- C:\WINDOWS\system32\xdrodtuo.dll
2007-11-12 02:56 71,232 --a------ C:\WINDOWS\system32\hivqofgr.exe
2007-11-11 02:58 949,783 ---hs---- C:\WINDOWS\system32\mbxpbokk.tmp
2007-11-11 02:58 881,684 ---hs---- C:\WINDOWS\system32\kcdeaxul.ini
2007-11-11 02:58 71,232 --a------ C:\WINDOWS\system32\bhxvmyld.exe
2007-11-10 02:58 949,783 ---hs---- C:\WINDOWS\system32\mbxpbokk.ini
2007-11-10 02:55 71,232 --a------ C:\WINDOWS\system32\ersvsvfx.exe
2007-11-10 02:11 990,714 ---hs---- C:\WINDOWS\system32\mfdbccoa.ini
2007-11-08 16:29 981,499 ---hs---- C:\WINDOWS\system32\diaosdrx.ini
2007-11-07 23:05 480,599 ---hs---- C:\WINDOWS\system32\uramwlyt.ini
2007-11-07 23:02 71,232 --a------ C:\WINDOWS\system32\msykklfy.exe
2007-11-06 11:02 512,909 ---hs---- C:\WINDOWS\system32\qokshgsw.ini
2007-11-06 00:37 180,224 --a------ C:\WINDOWS\system32\Ijl11.dll
2007-11-06 00:37 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2007-11-06 00:37 53,248 --a------ C:\WINDOWS\system32\KMON.OCX
2007-11-06 00:37 24,626 --a------ C:\WINDOWS\system32\scrrntr.dll
2007-11-06 00:37 19,456 --a------ C:\WINDOWS\system32\KTKBDHK3.DLL
2007-11-06 00:37 52 --a------ C:\WINDOWS\system\ACD2.CMD
2007-11-06 00:37 52 --a------ C:\WINDOWS\system\ACD.CMD
2007-11-05 19:31 554,640 ---hs---- C:\WINDOWS\system32\guticybl.ini
2007-11-04 19:30 554,391 ---hs---- C:\WINDOWS\system32\nhvodbjp.ini
2007-11-03 19:26 554,271 ---hs---- C:\WINDOWS\system32\fbeixnns.ini
2007-11-02 19:30 577,093 ---hs---- C:\WINDOWS\system32\vndekxsv.ini
2007-11-01 19:22 576,973 ---hs---- C:\WINDOWS\system32\qrdvcsoc.ini
2007-10-31 19:26 575,080 ---hs---- C:\WINDOWS\system32\xfjchfla.ini
2007-10-30 19:29 577,687 ---hs---- C:\WINDOWS\system32\sqhuueou.ini
2007-10-29 12:53 580,349 ---hs---- C:\WINDOWS\system32\lcenqiat.ini
2007-10-28 12:51 478,265 ---hs---- C:\WINDOWS\system32\suquuljk.ini
2007-10-27 16:56 36,864 --a------ C:\Documents and Settings\Administrator\winlogo.exe
2007-10-27 16:56 269 --a------ C:\Documents and Settings\Administrator\8941.bat
2007-10-27 16:39 32,764 --a------ C:\WINDOWS\tsitra1000140.exe
2007-10-27 16:39 269 --a------ C:\Documents and Settings\Administrator\8553.bat
2007-10-27 11:18 484,362 ---hs---- C:\WINDOWS\system32\rewgomud.ini
2007-10-27 11:11 269 --a------ C:\Documents and Settings\Administrator\5012.bat
2007-10-26 19:53 32,764 --a------ C:\WINDOWS\tsitra1000137.exe
2007-10-26 19:50 <DIR> d--hs---- C:\Documents and Settings\Administrator\Complete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 13:15 --------- d-----w C:\Program Files\MSN Messenger
2007-11-14 20:55 7,709 ----a-w C:\Program Files\hijackthis.log
2007-11-13 09:11 --------- d-----w C:\Program Files\Java
2007-11-13 09:00 17 ----a-w C:\Program Files\s_t_i_n_g_e_r.opt
2007-11-09 10:36 --------- d-----w C:\Program Files\Ad-Aware SE Personal
2007-11-04 00:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2007-11-03 23:52 --------- d-----w C:\Program Files\GetRight
2007-10-28 18:29 --------- d-----w C:\Program Files\PokerStars
2007-10-27 17:23 --------- d-----w C:\Program Files\LimeWire
2007-10-14 11:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2007-10-14 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 16:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-10-06 14:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\funkitron
2007-10-06 14:44 --------- d-----w C:\Program Files\ReflexiveArcade
2007-10-06 14:44 --------- d-----w C:\Program Files\Poker Superstars II
2007-09-24 19:56 48,928 ----a-w C:\WINDOWS\system32\drivers\Tetris.sys
2007-09-24 19:47 162,432 ----a-w C:\WINDOWS\system32\drivers\ithsgt.sys
2007-09-24 19:47 12,032 ----a-w C:\WINDOWS\system32\drivers\lilsgt.sys
2007-09-23 13:41 --------- d-----w C:\Program Files\Google
2007-09-16 23:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-16 23:10 356,352 ----a-w C:\WINDOWS\system32\nvunrm.exe
2007-09-16 23:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-16 23:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-16 23:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-16 22:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-16 22:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-16 22:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-16 22:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-16 22:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-16 22:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-16 22:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-16 22:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-16 22:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-16 22:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-16 22:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-16 22:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-16 22:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-16 22:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-16 22:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-16 22:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-16 22:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-16 22:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-16 22:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-16 22:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-16 22:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-16 22:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-16 22:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-16 22:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-16 22:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-16 22:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-16 22:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-16 22:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-16 22:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-10 20:33 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2006-09-25 10:45 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-09-25 10:45 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-11-06 01:03 1,232,903 ----a-w C:\Program Files\s_t_i_n_g_e_r.exe
2002-10-26 14:21 245,248 ----a-w C:\Program Files\AutostartExplorer.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_20.38.32.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 16:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 14:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f804ef57-a2a9-4334-bd84-04bbbb95336b}]
2007-11-13 18:40 80448 --a------ C:\WINDOWS\system32\derrymtt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 14:49]
"Start WingMan Profiler"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 11:50 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools-1033"="C:\Program Files\Daemon\daemon.exe" [2004-08-22 16:05]
"CTHelper"="CTHELPER.EXE" [2003-08-28 10:45 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"nod32kui"="C:\Program Files\NOD32\nod32kui.exe" [2007-05-20 13:42]
"nod32upd"="C:\Program Files\NOD32\fc_upd.dll" [2007-05-26 20:52]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"cc7b536c"="C:\WINDOWS\system32\vuusclby.dll" [2007-11-13 02:59]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AirTies ADSL Hizmet Program.lnk - C:\Program Files\AirTies\ADSL Hizmet Program\AirTies_util3.exe [2006-05-03 19:44:20]
Lexibase Express.lnk - C:\Program Files\Collins\exe\L-Express.exe [2007-03-06 20:10:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsHistory"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsHistory]"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Anti-Virus Personal\kav.exe /minimize

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b070a350-d5aa-11d9-b6f4-806d6172696f}]
\Shell\AutoRun\command - G:\ASUSACPI.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 00:10:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 0:10:46
C:\ComboFix ... 2007-11-23 00:10
.
--- E O F ---

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 November 2007 - 09:39 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\derrymtt.dll
C:\WINDOWS\system32\syvqjqxt.dll
C:\WINDOWS\system32\yblcsuuv.ini
C:\WINDOWS\system32\vuusclby.dll
C:\WINDOWS\system32\tlcstxrc.exe
C:\WINDOWS\system32\outdordx.ini
C:\WINDOWS\system32\xdrodtuo.dll
C:\WINDOWS\system32\hivqofgr.exe
C:\WINDOWS\system32\mbxpbokk.tmp
C:\WINDOWS\system32\kcdeaxul.ini
C:\WINDOWS\system32\bhxvmyld.exe
C:\WINDOWS\system32\mbxpbokk.ini
C:\WINDOWS\system32\ersvsvfx.exe
C:\WINDOWS\system32\mfdbccoa.ini
C:\WINDOWS\system32\diaosdrx.ini
C:\WINDOWS\system32\uramwlyt.ini
C:\WINDOWS\system32\msykklfy.exe
C:\WINDOWS\system32\qokshgsw.ini
C:\WINDOWS\system32\guticybl.ini
C:\WINDOWS\system32\nhvodbjp.ini
C:\WINDOWS\system32\fbeixnns.ini
C:\WINDOWS\system32\vndekxsv.ini
C:\WINDOWS\system32\qrdvcsoc.ini
C:\WINDOWS\system32\xfjchfla.ini
C:\WINDOWS\system32\sqhuueou.ini
C:\WINDOWS\system32\lcenqiat.ini
C:\WINDOWS\system32\suquuljk.ini
C:\Documents and Settings\Administrator\winlogo.exe
C:\Documents and Settings\Administrator\8941.bat
C:\WINDOWS\tsitra1000140.exe
C:\Documents and Settings\Administrator\8553.bat
C:\WINDOWS\system32\rewgomud.ini
C:\Documents and Settings\Administrator\5012.bat
C:\WINDOWS\tsitra1000137.exe
C:\WINDOWS\system32\vuusclby.dll

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f804ef57-a2a9-4334-bd84-04bbbb95336b}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cc7b536c"=-


Save this as Save this as "CFScript"


Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 23 November 2007 - 11:28 AM

ComboFix 07-11-19.3 - Administrator 2007-11-23 19:21:29.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1254.1.1033.18.1596 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix-1.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\5012.bat
C:\Documents and Settings\Administrator\8553.bat
C:\Documents and Settings\Administrator\8941.bat
C:\Documents and Settings\Administrator\winlogo.exe
C:\WINDOWS\system32\bhxvmyld.exe
C:\WINDOWS\system32\derrymtt.dll
C:\WINDOWS\system32\diaosdrx.ini
C:\WINDOWS\system32\ersvsvfx.exe
C:\WINDOWS\system32\fbeixnns.ini
C:\WINDOWS\system32\guticybl.ini
C:\WINDOWS\system32\hivqofgr.exe
C:\WINDOWS\system32\kcdeaxul.ini
C:\WINDOWS\system32\lcenqiat.ini
C:\WINDOWS\system32\mbxpbokk.ini
C:\WINDOWS\system32\mbxpbokk.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfdbccoa.ini
C:\WINDOWS\system32\msykklfy.exe
C:\WINDOWS\system32\nhvodbjp.ini
C:\WINDOWS\system32\outdordx.ini
C:\WINDOWS\system32\qokshgsw.ini
C:\WINDOWS\system32\qrdvcsoc.ini
C:\WINDOWS\system32\rewgomud.ini
C:\WINDOWS\system32\sqhuueou.ini
C:\WINDOWS\system32\suquuljk.ini
C:\WINDOWS\system32\syvqjqxt.dll
C:\WINDOWS\system32\tlcstxrc.exe
C:\WINDOWS\system32\uramwlyt.ini
C:\WINDOWS\system32\vndekxsv.ini
C:\WINDOWS\system32\vuusclby.dll
C:\WINDOWS\system32\xdrodtuo.dll
C:\WINDOWS\system32\xfjchfla.ini
C:\WINDOWS\system32\yblcsuuv.ini
C:\WINDOWS\tsitra1000137.exe
C:\WINDOWS\tsitra1000140.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\5012.bat
C:\Documents and Settings\Administrator\8553.bat
C:\Documents and Settings\Administrator\8941.bat
C:\Documents and Settings\Administrator\winlogo.exe
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\bmvmgdds.dll.bad
C:\VundoFix Backups\cspxtvmn.dll.bad
C:\VundoFix Backups\cspxtvmn.dllbox.bad
C:\VundoFix Backups\urqommm.dll.bad
C:\WINDOWS\system32\bhxvmyld.exe
C:\WINDOWS\system32\derrymtt.dll
C:\WINDOWS\system32\diaosdrx.ini
C:\WINDOWS\system32\ersvsvfx.exe
C:\WINDOWS\system32\fbeixnns.ini
C:\WINDOWS\system32\guticybl.ini
C:\WINDOWS\system32\hivqofgr.exe
C:\WINDOWS\system32\kcdeaxul.ini
C:\WINDOWS\system32\lcenqiat.ini
C:\WINDOWS\system32\mbxpbokk.ini
C:\WINDOWS\system32\mbxpbokk.tmp
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfdbccoa.ini
C:\WINDOWS\system32\msykklfy.exe
C:\WINDOWS\system32\nhvodbjp.ini
C:\WINDOWS\system32\outdordx.ini
C:\WINDOWS\system32\qokshgsw.ini
C:\WINDOWS\system32\qrdvcsoc.ini
C:\WINDOWS\system32\rewgomud.ini
C:\WINDOWS\system32\sqhuueou.ini
C:\WINDOWS\system32\suquuljk.ini
C:\WINDOWS\system32\syvqjqxt.dll
C:\WINDOWS\system32\tlcstxrc.exe
C:\WINDOWS\system32\uramwlyt.ini
C:\WINDOWS\system32\vndekxsv.ini
C:\WINDOWS\system32\vuusclby.dll
C:\WINDOWS\system32\xdrodtuo.dll
C:\WINDOWS\system32\xfjchfla.ini
C:\WINDOWS\system32\yblcsuuv.ini
C:\WINDOWS\tsitra1000137.exe
C:\WINDOWS\tsitra1000140.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-13 20:44 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-11-13 11:03 218,112 --a------ C:\Program Files\scanner.exe
2007-11-06 00:37 52 --a------ C:\WINDOWS\system\ACD2.CMD
2007-11-06 00:37 52 --a------ C:\WINDOWS\system\ACD.CMD
2007-10-26 19:50 <DIR> d--hs---- C:\Documents and Settings\Administrator\Complete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 13:15 --------- d-----w C:\Program Files\MSN Messenger
2007-11-14 20:55 7,709 ----a-w C:\Program Files\hijackthis.log
2007-11-13 09:11 --------- d-----w C:\Program Files\Java
2007-11-13 09:00 17 ----a-w C:\Program Files\s_t_i_n_g_e_r.opt
2007-11-09 10:36 --------- d-----w C:\Program Files\Ad-Aware SE Personal
2007-11-04 00:04 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Creative
2007-11-03 23:52 --------- d-----w C:\Program Files\GetRight
2007-10-28 18:29 --------- d-----w C:\Program Files\PokerStars
2007-10-27 17:23 --------- d-----w C:\Program Files\LimeWire
2007-10-14 11:50 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bioshock
2007-10-14 11:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 16:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-10-06 14:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\funkitron
2007-10-06 14:44 --------- d-----w C:\Program Files\ReflexiveArcade
2007-10-06 14:44 --------- d-----w C:\Program Files\Poker Superstars II
2007-09-24 19:56 48,928 ----a-w C:\WINDOWS\system32\drivers\Tetris.sys
2007-09-24 19:47 162,432 ----a-w C:\WINDOWS\system32\drivers\ithsgt.sys
2007-09-24 19:47 12,032 ----a-w C:\WINDOWS\system32\drivers\lilsgt.sys
2007-09-23 13:41 --------- d-----w C:\Program Files\Google
2006-09-25 10:45 24,192 ----a-w C:\Documents and Settings\Administrator\usbsermptxp.sys
2006-09-25 10:45 22,768 ----a-w C:\Documents and Settings\Administrator\usbsermpt.sys
2005-11-06 01:03 1,232,903 ----a-w C:\Program Files\s_t_i_n_g_e_r.exe
2002-10-26 14:21 245,248 ----a-w C:\Program Files\AutostartExplorer.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-13_20.38.32.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 16:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-11-08 14:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
- 2006-12-19 21:52:18 8,453,632 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-11-02 07:12:57 18,238,072 ----a-w C:\WINDOWS\system32\MRT.exe
- 2006-12-19 21:52:18 8,453,632 ----a-w C:\WINDOWS\system32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
- 2007-08-21 10:20:02 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
+ 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 14:49]
"Start WingMan Profiler"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 17:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 11:50 C:\WINDOWS\LOGI_MWX.EXE]
"DAEMON Tools-1033"="C:\Program Files\Daemon\daemon.exe" [2004-08-22 16:05]
"CTHelper"="CTHELPER.EXE" [2003-08-28 10:45 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 00:00]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"nod32kui"="C:\Program Files\NOD32\nod32kui.exe" [2007-05-20 13:42]
"nod32upd"="C:\Program Files\NOD32\fc_upd.dll" [2007-05-26 20:52]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"cc7b536c"="C:\WINDOWS\system32\vuusclby.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AirTies ADSL Hizmet Program.lnk - C:\Program Files\AirTies\ADSL Hizmet Program\AirTies_util3.exe [2006-05-03 19:44:20]
Lexibase Express.lnk - C:\Program Files\Collins\exe\L-Express.exe [2007-03-06 20:10:47]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsHistory"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoRecentDocsHistory]"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 1 (0x1)
"NoStartMenuPinnedList"= 0 (0x0)
"ForceStartMenuLogoff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAVPersonal50]
C:\Program Files\Kaspersky Anti-Virus Personal\kav.exe /minimize

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b070a350-d5aa-11d9-b6f4-806d6172696f}]
\Shell\AutoRun\command - G:\ASUSACPI.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 19:24:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 19:25:08 - machine was rebooted
C:\ComboFix ... 2007-11-23 19:25
C:\ComboFix2.txt ... 2007-11-23 00:10
.
--- E O F ---


-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:25:48, on 23.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\NOD32\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Daemon\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NOD32\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AirTies\ADSL Hizmet Programı\AirTies_util3.exe
C:\Program Files\Collins\exe\L-Express.exe
C:\Program Files\Collins\exe\lexibase.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nod32upd] rundll32 "C:\Program Files\NOD32\fc_upd.dll",NOD32Ioctl
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [cc7b536c] rundll32.exe "C:\WINDOWS\system32\vuusclby.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AirTies ADSL Hizmet Programı.lnk = ?
O4 - Global Startup: Lexibase Express.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Mobil Sık Kullanılanı Oluştur - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobil Sık Kullanılanı Oluştur... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 November 2007 - 11:41 AM

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

O4 - HKLM\..\Run: [cc7b536c] rundll32.exe "C:\WINDOWS\system32\vuusclby.dll",b
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"

Delete this File if listed:
C:\WINDOWS\system32\vuusclby.dll

Empty Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#9 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 23 November 2007 - 12:36 PM

since my first post, the problems seemed to be less occured day by day. in the last two days no explorer pages opened and there weren't any yellow signals at the bottom. it looks ok now, except i still can't see the system32 folder. (it's there of course, i can open it with "run" or with command prompt, but it doesn't appear in folder list and when i copied it to another folder, that folder also became invisible!)


Logfile of HijackThis v1.99.1
Scan saved at 20:21:16, on 23.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Daemon\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NOD32\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AirTies\ADSL Hizmet Programı\AirTies_util3.exe
C:\Program Files\Collins\exe\L-Express.exe
C:\Program Files\Collins\exe\lexibase.exe
C:\WINDOWS\system32\Ctsvccda.exe
C:\Program Files\NOD32\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\Daemon\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\NOD32\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nod32upd] rundll32 "C:\Program Files\NOD32\fc_upd.dll",NOD32Ioctl
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: AirTies ADSL Hizmet Programı.lnk = ?
O4 - Global Startup: Lexibase Express.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Mobil Sık Kullanılanı Oluştur - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Mobil Sık Kullanılanı Oluştur... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\Ctsvccda.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\NOD32\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 November 2007 - 12:53 PM

except i still can't see the system32 folder. (it's there of course, i can open it with "run" or with command prompt, but it doesn't appear in folder list and when i copied it to another folder, that folder also became invisible!)

You copied the System32 folder to another folder?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#11 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 23 November 2007 - 01:07 PM

i copied the contents of system32 to another folder in another partition of my harddisk, because i'd decided to format my system partition. after installing windows again, some programs wouldn't work because of missing dll files. i would find the missing file from there.

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 November 2007 - 01:18 PM

Right Click on the folders / properties and uncheck "Hidden

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#13 qoosghoune

qoosghoune

    Authentic Member

  • Authentic Member
  • PipPip
  • 32 posts

Posted 23 November 2007 - 01:30 PM

i can't change it.

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 November 2007 - 01:36 PM

As long as it's working and you know where it's at I think we should leave it alone.


Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • Posted Image
  • If shown the disclaimer, Select "2"


Here's my usual all clean post

Log looks good :D


You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is succeptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
    You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

    Using IE-SPYAD to help block unwanted sites and activities

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 23 November 2007 - 02:52 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·