
Solved: It Keeps Coming Back

Discussion in 'Virus & Other Malware Removal' started by phredp, Jan 10, 2008.

  1. phredp (Thread Starter), joined Jan 10, 2008, 3 messages
    Please help! I have some kind of virus that keeps popping up IE windows on loans, zipcodes, and other crap. I've run Combofix (latest version), ATF Cleaner, dss.exe, Smitfraud, Virtumundo, and several anti-virus programs. Kaspersky found several Win32.downloader viruses and another program found PurityScan, Win32.KillAV.dll, and something about Outerinfo. They deleted the alleged viruses but when I reboot, it's back and the unwanted windows pop up. I've disabled System Restore and tried running several of the programs in Safe Mode and even went into msconfig to disable the startup items. I give up at this point!
    Here is my latest HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:35:06 PM, on 1/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\System32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\ctfmon.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.netaddress.com/tpl/Door/Login?Domain=usa.net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
    O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - C:\PROGRA~1\KEYBOA~1\kie.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6996CC44-CA9F-4A11-9C55-0583E1169E0D} - C:\Program Files\Ahead\homepyceC:\windows\system32\usmvt3\gyreo83122.exe.dll (file missing)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.turbotax.com
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1405/ftp.coupons.com/v7/brix6ie.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
    O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://66.149.60.199:8629/kxhcm10.ocx
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) -
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A609CB6E-FEB5-47C3-966C-1B916842BD01} (Nlopflash Class) - http://poker.milbestlight.com/poker/PokerCreations.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775F} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlabsli.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
    O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

    --
    End of file - 10213 bytes
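The log above is the whole case for the helpers who reply; the lines that stand out are the O2 BHO whose module path has a second absolute path glued onto the first and is reported as "(file missing)", and the O16 controls downloaded from a bare IP address. Here is an added example (not code from the thread, from HijackThis or from Trend Micro) that parses the O2, O4 and O16 line formats and flags exactly those patterns. The sample lines are copied from the log above; the flag names and the SYS32_KNOWN allowlist are the example's own assumptions.

```python
"""Triage of HijackThis 2.0.2 O2/O4/O16 lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied verbatim from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6996CC44-CA9F-4A11-9C55-0583E1169E0D} - C:\Program Files\Ahead\homepyceC:\windows\system32\usmvt3\gyreo83122.exe.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

# Line formats of the three HijackThis sections handled here.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<target>.*)$")

DRIVE_RE = re.compile(r"[A-Za-z]:\\")                       # every absolute-path prefix in a string
SYS32_SUB_RE = re.compile(r"\\system32\\([^\\]+)\\[^\\]+\.(?:exe|dll)\b", re.I)
IP_HOST_RE = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.I)
# system32 subfolders that legitimately hold binaries (assumption for this example).
SYS32_KNOWN = {"drivers", "dllcache", "wbem"}


@dataclass
class Entry:
    kind: str
    name: str
    clsid: str
    target: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an O2/O4/O16 line, None for anything else."""
    line = line.strip()
    for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O16", O16_RE)):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return Entry(kind, d.get("name") or "(no name)", d.get("clsid", ""), d["target"])
    return None


def flag(entry: Entry) -> Entry:
    """Attach the indicators visible in the thread's log to one entry."""
    target = entry.target
    if "(file missing)" in target:
        entry.flags.append("file_missing")          # registered but not on disk (or hidden)
        target = target.replace("(file missing)", "").strip()
    if entry.kind in ("O2", "O4"):
        if len(DRIVE_RE.findall(target)) > 1:
            entry.flags.append("glued_path")         # two absolute paths in one module path
        m = SYS32_SUB_RE.search(target)
        if m and m.group(1).lower() not in SYS32_KNOWN:
            entry.flags.append("system32_subfolder:" + m.group(1))
    elif entry.kind == "O16" and IP_HOST_RE.match(target):
        entry.flags.append("ip_host")                # ActiveX cab fetched from a raw IP (port allowed)
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and return only the entries that carry at least one flag."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in map(flag, entries) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.kind, e.clsid or e.name, ", ".join(e.flags))
```

Run against the full log, the same rules also catch the KX-HCM10 control fetched from an IP with a port; "file_missing" on its own (the Google Notifier BHO) is only a stale registration, which is why the flags are reported together rather than as a verdict.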
     
  2. phredp (Thread Starter), joined Jan 10, 2008, 3 messages
    Here is the Combofix log:
    ComboFix 08-01-09.2 - Owner 2008-01-10 16:47:32.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.681 [GMT -6:00]
    Running from: E:\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\temp\tn3
    C:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
    .

    2008-01-10 16:54 . 2008-01-10 16:54 <DIR> d-------- C:\Temp\tn3
    2008-01-10 12:00 . 2008-01-10 12:00 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-09 21:39 . 2008-01-10 16:53 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
    2008-01-09 16:34 . 2008-01-09 16:34 <DIR> d-------- C:\Deckard
    2008-01-09 11:51 . 2008-01-10 16:54 7,037,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-09 11:51 . 2008-01-10 16:54 133,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-09 11:51 . 2008-01-10 16:53 95,300 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-09 11:51 . 2008-01-10 16:53 13,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-09 11:49 . 2008-01-09 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-09 11:49 . 2008-01-10 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-09 11:48 . 2008-01-09 11:48 <DIR> d-------- C:\KAV
    2008-01-08 16:47 . 2008-01-09 06:23 <DIR> d-------- C:\Program Files\RogueRemover FREE
    2008-01-08 12:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-07 18:33 . 2008-01-07 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-07 18:27 . 2008-01-09 22:31 <DIR> d-------- C:\Program Files\a-squared Free
    2008-01-07 18:24 . 2008-01-08 12:58 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-01-07 18:22 . 2008-01-08 16:10 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
    2008-01-07 06:35 . 2008-01-07 06:35 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
    2008-01-06 21:28 . 2008-01-09 17:38 1,242 --a------ C:\WINDOWS\system32\tmp.reg
    2008-01-06 16:20 . 2007-10-09 20:36 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\winz7
    2008-01-06 16:04 . 2008-01-06 19:28 <DIR> d-------- C:\WINDOWS\system32\usmvt3
    2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\oobe3
    2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\comp2
    2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\cache3
    2008-01-06 16:04 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushqayi.exe
    2008-01-06 16:04 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
    2008-01-06 16:04 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
    2008-01-06 16:04 . 2008-01-06 16:04 86,016 --a------ C:\WINDOWS\system32\drivers\viaidee.sys
    2008-01-06 16:03 . 2008-01-09 16:33 <DIR> d-------- C:\WINDOWS\system32\ardCo01
    2007-12-30 19:30 . 2004-11-02 09:04 57,806 --a------ C:\WINDOWS\system32\igfx.hlp
    2007-12-14 17:01 . 2008-01-03 21:42 <DIR> d-------- C:\Program Files\ESPN
    2007-12-13 18:40 . 2007-12-13 18:40 <DIR> d-------- C:\Program Files\AnVir Task Manager
    2007-12-13 14:07 . 2007-12-13 14:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-10 22:09 --------- d-----w C:\Program Files\Keyboard Express 3
    2008-01-10 05:11 --------- d-----w C:\Program Files\Google
    2008-01-10 02:33 --------- d-----w C:\Program Files\Common Files\Real
    2008-01-08 02:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-08 02:24 --------- d-----w C:\Program Files\Coupons
    2007-12-04 14:56 93,264 ----a-w C:\windows\system32\drivers\aswmon.sys
    2007-12-04 14:55 94,544 ----a-w C:\windows\system32\drivers\aswmon2.sys
    2007-12-04 14:53 23,152 ----a-w C:\windows\system32\drivers\aswRdr.sys
    2007-12-04 14:51 42,912 ----a-w C:\windows\system32\drivers\aswTdi.sys
    2007-12-04 14:49 26,624 ----a-w C:\windows\system32\drivers\aavmker4.sys
    2007-11-20 02:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
    2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
    2007-10-11 23:09 164 ----a-w C:\install.dat
    2005-09-10 22:26 155,808 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2003-03-27 05:50 0 ----a-w C:\Documents and Settings\Owner\psp.exe
    2004-06-07 22:51 32 --sha-w C:\windows\{67E6958A-C0CD-4569-9BDE-8E8ACC4EBC3E}.dat
    2004-06-07 22:51 32 --sha-w C:\windows\{935B295C-3F47-46F0-A059-535C738EB8A5}.dat
    2004-06-07 22:53 32 --sha-w C:\windows\{A3358B5E-7578-4E1C-B97A-FE9B3A6D6B57}.dat
    2004-06-07 22:55 32 --sha-w C:\windows\{E00CD1D6-4D17-494D-9898-8DD45E61631D}.dat
    2004-06-07 22:51 32 --sha-w C:\windows\{E9BAEA32-77B9-42F1-BD34-CEB1C11B22FE}.dat
    2004-06-07 22:51 32 --sha-w C:\windows\system32\{475A9358-FD46-40E1-A177-15F859636038}.dat
    2004-06-07 22:55 32 --sha-w C:\windows\system32\{6869CE72-D209-41E4-8881-0DB331C276AD}.dat
    2004-06-07 22:53 32 --sha-w C:\windows\system32\{6B5FBBC4-4162-498E-AF43-F27E329A0ECD}.dat
    2004-06-07 22:51 32 --sha-w C:\windows\system32\{9FC94A9C-9D85-4960-A9EF-EBE237E64BFF}.dat
    2004-06-07 22:51 32 --sha-w C:\windows\system32\{EE8DA68D-043C-4984-8F78-C52ABF1BD6BC}.dat
    .

    ((((((((((((((((((((((((((((( [email protected]_12.54.43.90 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2000-08-31 14:00:00 163,328 ----a-w C:\windows\erdnt\Hiv-backup\ERDNT.EXE
    + 2008-01-09 22:47:55 1,417,216 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-09 22:47:55 8,192 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-09 22:47:56 1,413,120 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000003\ntuser.dat
    + 2008-01-09 22:47:56 8,192 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-09 22:47:56 9,777,152 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-09 22:47:56 307,200 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
    - 2006-08-17 12:28:27 721,920 ----a-w C:\windows\system32\dllcache\lsasrv.dll
    + 2007-11-07 09:26:56 721,920 ----a-w C:\windows\system32\dllcache\lsasrv.dll
    - 2006-04-20 12:18:35 360,576 ----a-w C:\windows\system32\dllcache\tcpip.sys
    + 2007-10-30 16:53:32 360,832 ----a-w C:\windows\system32\dllcache\tcpip.sys
    + 2008-01-09 17:51:56 194,320 ----a-w C:\windows\system32\drivers\klif.sys
    - 2006-04-20 12:18:35 360,576 ----a-w C:\windows\system32\drivers\tcpip.sys
    + 2007-10-30 16:53:32 360,832 ----a-w C:\windows\system32\drivers\tcpip.sys
    - 2006-08-17 12:28:27 721,920 ----a-w C:\windows\system32\lsasrv.dll
    + 2007-11-07 09:26:56 721,920 ----a-w C:\windows\system32\lsasrv.dll
    - 2007-12-02 23:00:05 18,684,536 ----a-w C:\windows\system32\MRT.exe
    + 2008-01-02 18:21:36 17,642,616 ----a-w C:\windows\system32\MRT.exe
    - 2006-01-09 15:36:06 40,960 ----a-w C:\windows\system32\swsc.exe
    + 2000-08-31 14:00:00 136,704 ----a-w C:\windows\system32\swsc.exe
    - 2006-12-01 11:20:32 79,360 ----a-w C:\windows\system32\swxcacls.exe
    + 2000-08-31 14:00:00 212,480 ----a-w C:\windows\system32\swxcacls.exe
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 180,269 2006-01-07 05:29:48 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

    ----a-w 401,491 2004-02-03 21:42:54 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE

    ----a-w 98,304 2005-07-28 01:28:32 C:\Program Files\QuickTime\bak\qttask.exe

    ----a-w 160,568 2007-08-05 21:22:02 C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe
    ----a-w 118,784 2007-11-07 12:04:57 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

    ----a-w 100,056 2006-07-30 14:50:38 C:\Program Files\SymNetDrv\bak\SNDMon.exe

    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 126,976 2004-11-02 14:59:42 C:\WINDOWS\system32\bak\hkcmd.exe

    ----a-w 155,648 2004-11-02 15:03:44 C:\WINDOWS\system32\bak\igfxtray.exe

    ----a-w 188,416 2002-12-10 00:19:20 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6996CC44-CA9F-4A11-9C55-0583E1169E0D}]
    C:\Program Files\Ahead\homepyceC:\windows\system32\usmvt3\gyreo83122.exe.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iksystray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iksystray.lnk
    backup=C:\WINDOWS\pss\iksystray.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Keyboard Express 3.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Keyboard Express 3.lnk
    backup=C:\windows\pss\Keyboard Express 3.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN111 Smart Wizard.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
    backup=C:\windows\pss\NETGEAR WPN111 Smart Wizard.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
    backup=C:\windows\pss\Windows Desktop Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
    path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
    backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
    C:\Program Files\a-squared Anti-Malware\a2guard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
    --a------ 2002-10-17 20:45 159744 C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    --a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
    --a------ 2004-09-07 13:47 57344 C:\WINDOWS\Alcxmntr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnVir Task Manager]
    --a------ 2007-12-05 18:08 976896 C:\Program Files\AnVir Task Manager\AnVir.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
    --a------ 2007-12-04 07:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BROWSE~1]
    C:\PROGRA~1\TEXTHE~1\BROWSE~1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
    --a------ 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 01:56 15360 C:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
    --------- 2002-05-29 13:49 200704 C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
    --------- 2003-07-23 09:41 65536 C:\Program Files\HP DVD\Umbrella\DVDTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    --a------ 2007-01-01 15:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    C:\WINDOWS\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    C:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
    --a------ 2000-12-05 12:02 86016 C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
    --a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    C:\WINDOWS\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
    --a------ 2005-02-02 15:44 61440 C:\HP\KBD\KBD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
    --a------ 2003-06-24 11:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
    --a------ 2006-01-06 23:29 69688 C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    --a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 10:50 155648 C:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
    --a------ 2002-10-01 01:39 548933 C:\WINDOWS\system32\nview.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2002-10-01 01:39 372736 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRINT DATA SENDER]
    C:\Program Files\PRINT DATA SENDER\hpscschd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2002-09-13 23:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
    --a------ 2007-11-07 06:04 118784 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
    C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    --a------ 2002-04-17 19:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
    C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
    C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    --a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-02-13 12:29 35328 C:\Program Files\Winamp\Winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ERSvc"=2 (0x2)
    "mnmsrvc"=3 (0x3)
    "IntelliKeys USB Service"=2 (0x2)
    "Fax"=2 (0x2)
    "Symantec Core LC"=2 (0x2)
    "NProtectService"=2 (0x2)
    "gusvc"=3 (0x3)
    "ccSetMgr"=2 (0x2)
    "ccPwdSvc"=3 (0x3)
    "ccEvtMgr"=2 (0x2)
    "Adobe LM Service"=3 (0x3)
    "MDM"=2 (0x2)
    "avast! Web Scanner"=3 (0x3)
    "avast! Mail Scanner"=3 (0x3)
    "avast! Antivirus"=2 (0x2)
    "aswUpdSv"=2 (0x2)
    "a2free"=2 (0x2)

    R1 viaidee;viaidee;C:\windows\system32\drivers\viaidee.sys [2008-01-06 16:04]
    R3 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
    S2 IkFirm;IntelliKeys Firmware Download Driver (IkFirm.sys);C:\windows\system32\Drivers\IkFirm.sys [2003-07-11 11:43]
    S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\windows\system32\Drivers\athwpn.sys [2004-10-14 17:24]
    S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\windows\system32\DNINDIS5.SYS [2003-07-24 11:10]
    S3 GVCplDrv;GVCplDrv;C:\windows\system32\drivers\GVCplDrv.sys [2004-05-02 02:47]
    S3 P2150FXP;Polaroid USB Filter Driver (FILTER);C:\windows\system32\DRIVERS\P2150FXP.SYS [2002-07-30 04:23]
    S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
    S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\windows\system32\DRIVERS\WPN111.sys [2005-01-07 09:07]
    S4 IntelliKeys USB Service;IntelliKeys USB Service;C:\ITOOLS\INTELL~2\private\ikusbsvc.exe []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-10 22:57:00 C:\windows\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-10 16:54:25
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\windows\TEMP

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2008-01-10 16:57:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-10 22:57:46
    ComboFix2.txt 2008-01-09 23:08:34
    ComboFix3.txt 2008-01-09 22:59:38
    ComboFix4.txt 2008-01-08 22:56:29
    ComboFix5.txt 2008-01-08 22:44:16
    .
    2008-01-09 12:15:10 --- E O F ---


    The URLs of the unwanted windows are zedo.com and popunder.paypopup.com
     
  3. phredp

    phredp Thread Starter

    Joined:
    Jan 10, 2008
    Messages:
    3
    Resolved!

    Wound up having to go into the System Volume Information folder (Safe Mode), changing access rights and locating one of the restore folders (RP6 and RP8). Inside that, I cut and pasted into a new folder on my desktop all .exe and .dll files created on or after last Wednesday, when the virus first appeared. I only cut those files that did not give legit company information. Ran ATF after that along with SuperAntiSpyware, cleaned up all files that were flagged and rebooted.
    I wouldn't recommend this procedure since you could really screw up your system, but it was a last-ditch effort for me and I never got a response on this forum. Took about four days to figure this one out cuz it just kept coming back.
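The approach in the post above (pull out recently created .exe/.dll files and judge them by their company information) can be done as a read-only listing before anything is cut or deleted. The PowerShell script below is an added example, not something from the thread or from any of the tools named in it; it assumes PowerShell 2.0 or later and a folder you can read (for instance a copy of a restore-point folder placed on the desktop, as the poster did). It lists executables created on or after a cutoff date, records the version-info CompanyName the poster looked at, adds the Authenticode signature status (much harder to fake than a company string) and a SHA-256 hash for looking each file up, and writes the result to a CSV for review. It moves and deletes nothing; the script name, parameter names and report path are all assumptions of this example.

```powershell
# Triage-NewBinaries.ps1 -- added example, not from the thread or any tool named in it.
# Assumes PowerShell 2.0+ and a readable folder (e.g. a copied restore-point folder).
param(
    [Parameter(Mandatory = $true)] [string]   $Path,    # folder to examine (assumed parameter)
    [Parameter(Mandatory = $true)] [datetime] $Since,   # creation-date cutoff (assumed parameter)
    [string] $Report = (Join-Path $env:USERPROFILE 'Desktop\exe-dll-triage.csv')  # assumed path
)

function Get-Sha256Hex([string] $FilePath) {
    # .NET hashing works on old PowerShell versions where Get-FileHash does not exist.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($FilePath)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    [BitConverter]::ToString($bytes).Replace('-', '')
}

# 1. Candidate set: *.exe and *.dll created on or after the cutoff. This mirrors what the
#    poster did by hand; creation time is easy for malware to forge, so it only narrows the list.
$candidates = Get-ChildItem -Path $Path -Recurse -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since }

if (-not $candidates) {
    Write-Host "No .exe/.dll files created on or after $Since under $Path"
    return
}

$rows = foreach ($f in $candidates) {
    # 2. Version-info company name: the field the poster eyeballed. Any string can be put
    #    here by whoever built the file, so an empty or odd value is a weak signal only.
    $company = [string] $f.VersionInfo.CompanyName

    # 3. Authenticode signature: 'Valid' means the file is signed by a certificate that chains
    #    to a trusted root. 'NotSigned' is common for legitimate tools of this era too, so it
    #    marks a file for a second look rather than for deletion.
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
    $signer = ''
    if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # 4. Collect the reasons a file deserves attention; an empty string means "nothing noted".
    $reasons = @()
    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += "signature: $(if ($sig) { $sig.Status } else { 'unreadable' })" }
    if ($company.Trim().Length -eq 0)          { $reasons += 'no CompanyName in version info' }

    New-Object PSObject -Property @{
        Path      = $f.FullName
        Created   = $f.CreationTime
        Company   = $company
        SigStatus = $(if ($sig) { $sig.Status } else { 'unreadable' })
        Signer    = $signer
        SHA256    = Get-Sha256Hex $f.FullName   # for looking the file up by hash
        Flags     = ($reasons -join '; ')
    }
}

# 5. Write everything (flagged first) and show the flagged subset on screen. Nothing is moved.
$rows | Sort-Object Flags -Descending | Export-Csv -Path $Report -NoTypeInformation
$flagged = @($rows | Where-Object { $_.Flags })
$flagged | Format-Table Path, Created, SigStatus, Company -AutoSize
Write-Host ("{0} files examined, {1} flagged for review; report written to {2}" -f @($rows).Count, $flagged.Count, $Report)
```

Run it as `.\Triage-NewBinaries.ps1 -Path "$env:USERPROFILE\Desktop\rp-copy" -Since (Get-Date).AddDays(-7)` (both paths are illustrative). Read the flags as prompts, not verdicts: plenty of legitimate third-party programs shipped unsigned, and a file that comes back unflagged is not thereby cleared, since timestamps and version strings are under the file author's control. The entries worth following up first are unsigned files with no company name that also sit somewhere a user program has no business being, such as the Windows or Temp folders; check those by hash before deciding what to do with them, and only then move or remove anything.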
     
Short URL to this thread: https://techguy.org/670452