Forum: Malware Removal

Thread: help needed - Virus related

#1
I'm in desperate need of some advice to get rid of a virus, or a useful link/tool to get help!!

I received a link via Skype 2 nights ago thinking it was pictures from my friend... I clicked the link!! Needless to say, I'm now the new proud owner of a WORM_STRATION.LY that is causing havoc on my machine! I'm currently running PC-cillin and have Windows Defender, but it's not helping. As PC-cillin quarantines the folder, it just pops back up again... and there is a folder that can't be quarantined (PC-cillin says to manually delete the file but, of course, it won't let me delete the file (found in my Windows System32 folder)). I absolutely cannot reformat my machine (I can, but I don't want to) and it's really going slow!!! Taking ages to load pages! And of course, I keep getting the PC-cillin pop-ups literally every 2 secs, kwim? I have Googled this worm but haven't been able to find anything really helpful for this particular virus! I would really appreciate any useful help! (LOL... and in layman's terms so that I can understand!)

This is what PC-cillin has to say:

Action taken: The Quarantine action was unsuccessful. Manually delete the file if you are sure that it is not needed.
Incident name: C:\WINDOWS\SYSTEM32\nv4_icm3.dll
Detection name: WORM_STRATION.LY
User name: Shirley

PLEASE, PLEASE HELP!!! Oh, and I want to add... I'm running Windows XP Pro!! (and I've just updated so have the virus removal tool thing!!... which didn't pick it up when I ran a scan!!!) Thanks in advance, and I'm quite desperate!!! I'm at my wits' end!!!
#2
Hi,

Please go here and download ComboScan to your Desktop. Close all open programs and windows and double-click on ComboScan.exe to run it and follow the prompts. When the scan is complete, a file will open (C:\ComboScan.txt). A folder (C:\ComboScan) will also open. Inside it will be two text files, ComboScan.txt and Supplementary.txt. Please copy the contents of each file in your next reply to this topic.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe access.
#3
OK... thanks for responding!! I have done everything in my power to remove this virus (incl. reporting it to PC-cillin, who have added a section on how to remove it, which I followed, but it's still on my PC). I have gone into the register log place and removed the key it put there, but it's still here and I can't delete it!!

Here are the logs!

```text
ComboScan v20070226.18 run by Shirley on 2007-03-03 at 14:07:14
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: AMD Athlon(tm) 64 Processor 3000+
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 511.48 MiB / 234.04 MiB
Pagefile Memory (total/avail): 1246.79 MiB / 877.18 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1994.99 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 37.27 GiB total, 17.57 GiB free.
D: is Fixed (NTFS) - 76.68 GiB total, 67.49 GiB free.
F: is CDROM (No Media)

-- Security Center --------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
FW: Trend Micro PC-cillin Internet Security (Firewall) v14 (Trend Micro, Inc.) Disabled
AV: Trend Micro PC-cillin Internet Security 2006 v14.10.1041 (Trend Micro, Inc.)

-- Environment Variables --------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SHIRLEY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Shirley.SHIRLEY-9FA4B83
LOGONSERVER=\\SHIRLEY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SHIRLE~1.SHI\LOCALS~1\Temp
TMP=C:\DOCUME~1\SHIRLE~1.SHI\LOCALS~1\Temp
USERDOMAIN=SHIRLEY
USERNAME=Shirley
USERPROFILE=C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83
windir=C:\WINDOWS

-- User Profiles ----------------------------------------------------------------
Shirley.SHIRLEY-9FA4B83 (admin)
Administrator (new local, admin)

-- Add/Remove Programs ----------------------------------------------------------
 --> C:\Program Files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0EA44599-1E9D-4517-A088-9588A9FAB211} /l1033
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
ArcSoft PhotoStudio 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\Setup.exe" -l0x9
Artisan DVD/DivX Player --> "C:\Program Files\ArtisanDVDPlayer\unins000.exe"
Canon PIXMA iP1500 --> C:\WINDOWS\system32\CNMCP5y.exe "-PRINTERNAMECanon PIXMA iP1500" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon PIXMA iP1500 Installer\Inst2\cnmi0409.dll"
Canon ScanGear Starter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{18A5DFF2-8A95-49F3-873F-743CB5549F3D}\SETUP.EXE" -l0x9 anything
Canon Utilities PhotoStitch 3.1 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel32\IDriver.exe /M{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6}
CSI-Dark Motives --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DEE4C35-1C60-413E-9630-77A0222D5C45}\setup.exe" -l0x9 -removeonly
CSI-Miami --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D30AB17-69E4-4F0F-9CF8-BED11CF8716F}\setup.exe" -l0x9 -removeonly
CSI --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D7B631E-52DB-4A33-88EF-4FA0195EDDB1}\setup.exe" -l0x9 -removeonly
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Free Download Manager 2.1 --> "D:\Free Download Manager\unins000.exe"
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
HijackThis 1.99.1 --> C:\Downloads\hijackthis\HijackThis.exe /uninstall
IrfanView (remove only) --> E:\IrfanView\iv_uninstall.exe
JPOS Point Of Sale --> MsiExec.exe /I{857F909E-E8AC-4757-A728-1A6836C304E8}
MEC Quotation System --> MsiExec.exe /I{1F346684-C0C8-43F6-9FBD-AF8C7761B7AC}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
QuickBooks Pro Edition 2004 --> C:\Program Files\Installshield Installation Information\{2b02f822-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f822-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
ScanSoft OmniPage SE 4.0 --> MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}
Skype 2.5 --> "C:\Program Files\Skype\Phone\unins000.exe"
Trend Micro PC-cillin Internet Security 2006 --> MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
VNC Free Edition 4.1.1 --> "C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- End of ComboScan: finished at 2007-03-03 at 14:07:58 -------------------------
```
#4
I have to post it in 2 sections... (the results for the other scan)

```text
ComboScan v20070226.18 run by Shirley on 2007-03-03 at 14:07:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.

-- HijackThis (run as Shirley.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 02:07:32 PM, on 2007/03/03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
D:\FREEDO~1\fdm.exe
C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Desktop\comboscan.exe
C:\DOWNLO~1\HIJACK~1\Shirley.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{391B8506-3D70-47A3-AC3D-F5676947F736}: NameServer = 196.46.70.1 196.30.31.193
O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

-- HijackThis Fixed Entries (C:\DOWNLO~1\HIJACK~1\backups\) ---------------------
backup-20070303-092254-429 O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll
backup-20070303-094757-472 O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll

-- File Associations ------------------------------------------------------------
.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------
3S ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\SYSTEM32\DRIVERS\ALCXWDM.SYS
2R ANIO (ANIO Service) - C:\WINDOWS\SYSTEM32\ANIO.sys
3R ctsfm2k (Creative SoundFont Management Device Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\ctsfm2k.sys
3R hidusb (Microsoft HID Class Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\hidusb.sys
1R kbdhid (Keyboard HID Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\kbdhid.sys
3R nv - C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys
0R nvatabus - C:\WINDOWS\SYSTEM32\DRIVERS\nvatabus.sys
3R NVENETFD (NVIDIA nForce Networking Controller Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\NVENETFD.sys
3R nvnetbus (NVIDIA Network Bus Enumerator) - C:\WINDOWS\SYSTEM32\DRIVERS\nvnetbus.sys
0R nv_agp (NVIDIA nForce AGP Bus Filter) - C:\WINDOWS\SYSTEM32\DRIVERS\nv_agp.SYS
3R ossrv (Creative OS Services Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\ctoss2k.sys
3R P17 (Sound Blaster Live! 24-bit) - C:\WINDOWS\SYSTEM32\DRIVERS\P17.sys
3S RT61 (D-Link Wireless Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\rt61.sys
2R Tmfilter - C:\WINDOWS\SYSTEM32\DRIVERS\tmxpflt.sys
2R Tmpreflt - C:\WINDOWS\SYSTEM32\DRIVERS\tmpreflt.sys
1R tmtdi (Trend Micro TDI Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\tmtdi.sys
2R tm_cfw (Common Firewall Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\TM_CFW.sys
3R usbccgp (Microsoft USB Generic Parent Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbccgp.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbehci.sys
3R usbohci (Microsoft USB Open Host Controller Miniport Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbohci.sys
3R usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\SYSTEM32\DRIVERS\usbprint.sys
3R usbscan (USB Scanner Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\USBSTOR.SYS
2R Vsapint - C:\WINDOWS\SYSTEM32\DRIVERS\VsapiNT.sys
3S WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - C:\WINDOWS\SYSTEM32\DRIVERS\WudfPf.sys
3S WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - C:\WINDOWS\SYSTEM32\DRIVERS\WudfRd.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
3S Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
2S ANIWZCSdService (ANIWZCSd Service) - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
2R LightScribeService (LightScribeService Direct Disc Labeling Service) - "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"
2R NVSvc (NVIDIA Display Driver Service) - C:\WINDOWS\system32\nvsvc32.exe
2R PcCtlCom (Trend Micro Central Control Component) - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
2R Tmntsrv (Trend Micro Real-time Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
2R TmPfw (Trend Micro Personal Firewall) - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
2R tmproxy (Trend Micro Proxy Service) - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
2R WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"

-- Scheduled Tasks --------------------------------------------------------------
2007-03-03 11:31:24 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
```
#5
(continued)

```text
-- Files created between 2007-02-03 and 2007-03-03 ------------------------------
2007-03-03 11:19:40 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-28 07:47:26 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-02-27 19:15:30 0 --a------ C:\WINDOWS\odfvf.dat
2007-02-27 19:14:56 143360 --a------ C:\WINDOWS\system32\drmvndde.dll
2007-02-27 17:53:37 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Canon
2007-02-27 17:52:59 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\ArcSoft
2007-02-27 17:44:23 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\ScanSoft
2007-02-27 17:44:09 0 d-------- C:\Program Files\Common Files\ScanSoft Shared<SCANSO~1>
2007-02-27 17:44:09 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\ScanSoft
2007-02-27 17:43:12 0 d-------- C:\Program Files\ScanSoft
2007-02-27 17:33:08 212480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-02-27 17:33:07 0 d-------- C:\Program Files\ArcSoft
2007-02-27 17:30:49 57344 --a------ C:\WINDOWS\system32\CNQU110.DLL
2007-02-27 17:30:49 352256 --a------ C:\WINDOWS\system32\CNQL1213.DLL
2007-02-27 17:30:49 0 d--h----- C:\CanoScan
2007-02-26 08:42:21 0 d-------- C:\Documents<DOCUME~2>
2007-02-18 01:35:34 0 d-------- C:\WINDOWS\ie7updates<IE7UPD~1>
2007-02-15 10:20:09 0 d-------- C:\Program Files\RealVNC
2007-02-05 08:26:51 27376 --a------ C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\GDIPFONTCACHEV1.DAT<GDIPFO~1.DAT>
2007-02-03 12:37:01 86016 --a------ C:\WINDOWS\unvise32qt.exe<UNVISE~1.EXE>
2007-02-03 12:35:39 0 d-------- C:\WINDOWS\system32\QuickTime<QUICKT~1>
2007-02-03 12:35:37 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-02-03 12:34:45 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\QuickTime<QUICKT~1>

-- Find3M Report ----------------------------------------------------------------
2007-03-03 14:05:55 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Free Download Manager<FREEDO~1>
2007-03-03 13:53:23 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Skype
2007-02-28 07:55:08 0 d-------- C:\Program Files\EPSON
2007-02-27 17:33:06 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-02-20 19:48:20 144896 --a------ C:\SkypeSetup.exe<SKYPES~1.EXE>
2007-02-19 08:35:42 0 d---s---- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Microsoft<MICROS~1>
2007-01-31 16:06:34 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\WinRAR
2007-01-30 10:09:24 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Adobe
2007-01-30 10:08:57 0 d-------- C:\Program Files\Common Files\Adobe
2007-01-29 15:44:12 0 d-------- C:\Program Files\Skype
2007-01-29 15:40:42 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-29 10:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-29 10:57:03 0 d-------- C:\Program Files\MEC Quotation System<MECQUO~1>
2007-01-28 00:33:03 0 d-------- C:\Program Files\ArtisanDVDPlayer<ARTISA~1>
2007-01-28 00:29:18 0 d-------- C:\Program Files\Action DVD Player<ACTION~1>
2007-01-27 15:51:50 0 d-------- C:\Program Files\Ubisoft
2007-01-27 15:31:19 0 d-------- C:\Program Files\Realtek AC97<REALTE~1>
2007-01-26 12:30:07 0 d-------- C:\Program Files\Google
2007-01-25 08:02:17 0 d-------- C:\Program Files\ANI
2007-01-25 08:02:01 0 d-------- C:\Program Files\D-Link
2007-01-22 13:00:20 0 d-------- C:\Program Files\Trend Micro<TRENDM~1>
2007-01-21 18:51:47 0 d-------- C:\Program Files\Creative
2007-01-21 17:05:03 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Macromedia<MACROM~1>
2007-01-20 19:03:12 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Google
2007-01-20 16:26:49 0 d-------- C:\Program Files\Messenger<MESSEN~1>
2007-01-20 16:07:50 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0<ANSWER~1.0>
2007-01-19 11:26:29 0 d-------- C:\Program Files\NF3_CK8S
2007-01-18 18:05:32 62 --ahs---- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\desktop.ini
2007-01-18 17:29:48 0 d-------- C:\Program Files\Common Files\LightScribe<LIGHTS~1>
2007-01-18 17:25:01 0 d-------- C:\Program Files\CyberLink DVD Solution<CYBERL~1>
2007-01-18 17:05:55 0 d-------- C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Application Data\Identities<IDENTI~1>
2007-01-18 16:53:20 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat<EMPTYR~1.DAT>
2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27:42 6054400 -----n--- C:\WINDOWS\system32\ieframe.dll
2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-08 09:34:47 0 d-------- C:\Program Files\Windows Live Toolbar<WI81E8~1>
2006-12-19 23:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-12-19 20:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll

-- Registry Dump ----------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"PowerBar"="\"C:\\Program Files\\CyberLink DVD Solution\\Multimedia Launcher\\PowerBar.exe\" /AtBootTime"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"SoundMan"="SOUNDMAN.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"OpwareSE4"="\"C:\\Program Files\\ScanSoft\\OmniPageSE4.0\\OpwareSE4.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drmvndde

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f80a5b52-a70b-11db-baa5-806d6172696f}]
Shell\AutoRun\command E:\Autorun.exe

-- End of ComboScan: finished at 2007-03-03 at 14:07:58 -------------------------
```

Thanks a million for the response, and any help is much appreciated!
#6
Hi,

I just saw that you posted in several forums....

------

Download the attached file and save it to your C:\ drive. When saved, the file path should be C:\Yourfile.txt

----------

Download and unzip Avenger to your desktop.

Check Load Script from File and then click the folder icon on the right side of that section. Then browse to C:\Yourfile.txt and click Open to load it. Then click the "green light" icon. This will begin execution of the script currently in memory.

After you have clicked on the "green light" to begin execution of a script, The Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.

After your system restarts, a log file should open with the results of Avenger's actions. This log file is located at C:\avenger.txt. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backups.zip.

After the reboot, open HijackThis (see below), scan and place a check mark next to any of the following that remain. Then click the "Fix Checked" button.

O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll

----

HijackThis:

Download HijackThis 1.99.1 from: HERE. Create a new folder only for HijackThis (example: C:\HJT). Don't leave it on your desktop or in a temp folder! Unzip it to this folder. Click "Scan", then click "Save Log". Save the log, and copy/paste it into your response to this thread.

-------

Run a scan again with PC-cillin and let me know the results.
#7
I know...but please understand I'm desperate for help and I just googled PC help forums and posted everywhere, waiting for the first response. I am trying everything everyone recommends but as it's going now, 3 days later, I have no success!! It looks like I might have to just reformat my machine. The file I managed to delete this morning, nv4_icm3.dll, is back!

Ok, will follow your instructions and get back to you!! Thanks a million for responding!
#8
This is the message I received when I check-marked the files in HijackThis:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: nv4_icm3.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 04:28:31 PM, on 2007/03/03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\FREEDO~1\fdm.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{391B8506-3D70-47A3-AC3D-F5676947F736}: NameServer = 196.46.70.1 196.30.31.193
O20 - AppInit_DLLs: nv4_icm3.dll
O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
#9
Quick question...must I delete the files from Avenger???

I'm running the PC-cillin scan and it has detected the files in Avenger now??? Will post the log here as soon as it's done???
#10
This error appears with AppInit_DLLs entries; no problem. And we'll delete the Avenger backups at the end.

Post the C:\avenger.txt file and a new HijackThis log (after a reboot) when everything is finished.
#11
Ok, here is the log from PC-cillin:

Scan                  Type  Detection         File                                            Action      Result
Real-time Protection  File  WORM_STRATION.LY  C:\WINDOWS\SYSTEM32\NV4_ICM3.DLL                Quarantine  Fail
Real-time Protection  File  WORM_STRATION.LY  C:\WINDOWS\SYSTEM32\NV4_ICM3.DLL                Quarantine  Fail
Real-time Protection  File  WORM_STRATION.LY  C:\WINDOWS\system32\drmvndde.dll                Quarantine  Fail
Real-time Protection  File  WORM_STRATION.LY  C:\WINDOWS\SYSTEM32\NV4_ICM3.DLL                Quarantine  Fail
Manual Scan           File  WORM_STRATION.LY  avenger\drmvndde.dll (C:\avenger\backup.zip)    Quarantine  Fail
Manual Scan           File  WORM_STRATION.LY  avenger\nv4_icm3.dll (C:\avenger\backup.zip)    Quarantine  Fail
Manual Scan           File  ---               C:\avenger\backup.zip                           Quarantine  Success
Manual Scan           File  WORM_STRATION.LY  C:\WINDOWS\SYSTEM32\kbdfnmmk.exe                Quarantine  Success
Manual Scan           File  WORM_STRATION.LY  C:\WINDOWS\SYSTEM32\vsutxpob.dll                Quarantine  Success

Ok, going to reboot and will post the Avenger log and do another HijackThis scan after that!! BTW, should my System Restore be on or off?????
#12
Leave System Restore on. We'll clean it at the end.
#13
Here is the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ouppgxde

*******************

Script file located at: \??\C:\epaywuyw.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drmvndde.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\nv4_icm3.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here is the HijackThis log that I've just done:

Logfile of HijackThis v1.99.1
Scan saved at 05:51:06 PM, on 2007/03/03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://D:\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{391B8506-3D70-47A3-AC3D-F5676947F736}: NameServer = 196.46.70.1 196.30.31.193
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Please tell me it's looking good...or even a bit better than before?? *begs with tears in eyes and on hands and knees*
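Editor's note, added as a worked example and not code from this thread, from HijackThis or from The Avenger. The two logs in posts #8 and #13 differ in exactly the two O20 lines the helper targeted, and that is the security-relevant point: a DLL named in AppInit_DLLs is mapped into every process that loads user32.dll, and a Winlogon Notify package is loaded by winlogon.exe as SYSTEM at logon, so both files are in use from the moment the desktop appears, which is why PC-cillin's quarantine kept failing and why the fix was a boot-time deletion. The script below parses the "Oxx" lines of a HijackThis log, flags those two hook points plus unknown SSODL objects and orphaned "(file missing)" registrations, and diffs a before and an after log. The allowlists (WgaLogon, WPDShServiceObj) are an assumption a practitioner would maintain, seeded only with the Microsoft components visible in the logs above; the two sample logs are constructed excerpts of posts #8 and #13.

```python
"""Triage a HijackThis log for persistence hooks and diff two logs.

Added example for this thread; not HijackThis or Avenger code.
Allowlists and sample excerpts below are assumptions built from the logs above.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O20"
    kind: str      # text before the first ": ", e.g. "AppInit_DLLs" or "Winlogon Notify"
    detail: str    # remainder of the line


class Finding(NamedTuple):
    entry: Entry
    reason: str


_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")

# Assumed allowlist: Microsoft's own Winlogon Notify package and SSODL object seen in the logs.
KNOWN_WINLOGON_NOTIFY = frozenset({"WgaLogon"})
KNOWN_SSODL = frozenset({"WPDShServiceObj"})


def parse_hjt(log: str) -> list[Entry]:
    """Turn the 'Xn - ...' lines of a HijackThis log into Entry tuples; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        kind, _, detail = m["rest"].partition(": ")
        entries.append(Entry(m["sec"], kind.strip(), detail.strip()))
    return entries


def _name(detail: str) -> str:
    """'drmvndde - C:\\...\\drmvndde.dll (file missing)' -> 'drmvndde'."""
    return detail.split(" - ", 1)[0].strip()


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag the hook points that load code into every process or into winlogon, plus orphans."""
    findings = []
    for e in entries:
        if e.section == "O20" and e.kind == "AppInit_DLLs":
            # Empty on a clean XP install. A DLL listed here is mapped into every process that
            # loads user32.dll, so it is always in use and cannot be deleted from a running session.
            findings.append(Finding(e, "AppInit_DLLs injection; remove at boot, not from a live session"))
        elif e.section == "O20" and e.kind == "Winlogon Notify":
            # Loaded by winlogon.exe as SYSTEM at logon, before any user code runs.
            if _name(e.detail) not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(e, "unknown Winlogon Notify package"))
        elif e.section == "O21":
            if _name(e.detail) not in KNOWN_SSODL:
                findings.append(Finding(e, "unknown ShellServiceObjectDelayLoad object"))
        elif "(file missing)" in e.detail:
            # File is gone but the registration remains; harmless now, clean it so it cannot be re-used.
            findings.append(Finding(e, "orphaned registration"))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Return (removed, added) entries between two logs of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the logs in posts #8 (before) and #13 (after the Avenger run).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - AppInit_DLLs: nv4_icm3.dll
O20 - Winlogon Notify: drmvndde - C:\WINDOWS\system32\drmvndde.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== {label} ==")
        for f in triage(parse_hjt(log)):
            print(f"  {f.entry.section} {f.entry.kind}: {f.entry.detail}  <- {f.reason}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", [f"{e.section} {e.kind}: {e.detail}" for e in removed])
    print("added:", [f"{e.section} {e.kind}: {e.detail}" for e in added])
```

Run against the two excerpts, the "before" log yields three findings (the AppInit_DLLs entry, the drmvndde Winlogon Notify package and the orphaned Yahoo! BHO) while the "after" log yields only the orphan, and the diff lists exactly the two O20 entries as removed with nothing added; a helper reviewing a second log would want that "added" list empty, since a fresh entry after cleanup means the infection re-created itself.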
#14
The bad files are not present anymore. So, that's better.

Reboot and post this other log, please:

Download SilentRunners.vbs. Run it. It generates a log; wait until the scan is complete (there is a popup at the end). Copy/paste it here, please. (If your antivirus queries the script, allow it to run. It's not malicious.)
#15
Ok, here's the log!!!

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"PowerBar" = ""C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime" ["Cyberlink, Corp."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"" ["Trend Micro Incorporated."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"D-Link AirPlus G" = "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" ["D-Link"]
"ANIWZCS2Service" = "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" ["Alpha Networks Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Nuance Communications, Inc."]
"OpwareSE4" = ""C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"" ["ScanSoft, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" [file not found]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"
     \InProcServer32\(Default) = "D:\Free Download Manager\iefdmcks.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
  -> {HKLM...CLSID} = "TMD Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
  -> {HKLM...CLSID} = "VBPropSheet"
     \InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\VBProp.dll" ["Trend Micro Incorporated."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
     \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Shirley" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Shirley.SHIRLEY-9FA4B83\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Reader Synchronizer" -> shortcut to: "C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"QuickBooks Update Agent" -> shortcut to: "C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe" ["Intuit, Inc."]


Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
     \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."] ---------- <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 44 seconds, including 18 seconds for message boxes) |
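The report above lists each launch point together with the DLL or executable it resolves to and a bracketed tag: [MS] for Microsoft, a quoted vendor name, [null data] when the file carries no company information, and [file not found] when the path no longer exists. What follows is an added Python example, not part of this thread and not code from the scanner that produced the report. It parses lines in that shape and pulls out the entries a responder would check first: anything the scanner marked <<!>>, dangling entries, files without version data, and non-Microsoft files living under the system directory. The sample input is constructed for the example (the examplehook.dll entry is invented and stands in for an unknown hook), and the tag meanings are taken from how the tags are used in the report above.

```python
"""Triage launch-point entries from a Silent Runners-style report."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Two entry shapes are handled:
#   COM objects resolved through InProcServer32:
#       \InProcServer32\(Default) = "<path>" [<tag>]
#   shortcut / service / task / Winsock entries that end in:
#       "<path>" [<tag>]      (service paths may be double-quoted: ""<path>"")
INPROC_RE = re.compile(r'\\InProcServer32\\\(Default\) = "([^"]+)" \[([^\]]*)\]')
TAIL_RE = re.compile(r'"+([^"]+)"+ \[([^\]]*)\]\s*$')
# A section header is a non-empty line followed by a line of dashes.
DASHES_RE = re.compile(r'^-{3,}\s*$')

# Locations where a file that is not Microsoft's deserves a second look.
SYSTEM_DIRS = ('c:\\windows\\system32', '%systemroot%\\system32')


@dataclass
class Entry:
    section: str   # report section the entry was found in
    path: str      # file the launch point resolves to
    tag: str       # bracket tag with surrounding quotes removed, e.g. MS, null data
    marked: bool   # the scanner put <<!>> in front of this entry

    def reasons(self) -> List[str]:
        """Why a responder should look at this entry; empty means nothing stands out."""
        out = []
        if self.marked:
            out.append('flagged <<!>> by the scanner')
        if self.tag == 'file not found':
            out.append('dangling launch point (file missing)')
        if self.tag == 'null data':
            out.append('no version/company info')
        if self.tag != 'MS' and self.path.lower().startswith(SYSTEM_DIRS):
            out.append('non-Microsoft file in the system directory (check vendor)')
        return out


def parse_report(text: str) -> List[Entry]:
    """Walk the report line by line, tracking the current section and <<!>> marker."""
    entries: List[Entry] = []
    lines = text.splitlines()
    section = ''
    marked = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped and i + 1 < len(lines) and DASHES_RE.match(lines[i + 1]):
            section = stripped.rstrip(':')
            continue
        if not stripped:
            marked = False          # entries never span a blank line
            continue
        if stripped.startswith('<<!>>'):
            marked = True           # applies to the next resolved path
        m = INPROC_RE.search(line) or TAIL_RE.search(line)
        if m:
            entries.append(Entry(section, m.group(1), m.group(2).strip('"'), marked))
            marked = False
    return entries


def triage(text: str) -> List[Entry]:
    """Entries with at least one reason to inspect, in report order."""
    return [e for e in parse_report(text) if e.reasons()]


# Constructed sample in the report's format; examplehook.dll is invented.
SAMPLE_REPORT = r'''
Registry launch points:
-----------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
<<!>> "{00000000-0000-0000-0000-000000000000}" = "Example Hook"
  -> {HKLM...CLSID} = "Example Hook Object"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\examplehook.dll" [null data]

Toolbars, Explorer Bars, Extensions:
------------------------------------

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
'''

if __name__ == '__main__':
    # Pass a saved report as the first argument, otherwise the sample is used.
    text = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for e in triage(text):
        print(f'[{e.section}] {e.path} ({e.tag}): ' + '; '.join(e.reasons()))
```

The output is a triage list, not a verdict: vendor-supplied files under system32 (the NVIDIA service in the sample, for instance) will appear and have to be cleared by hand, while a missing or version-less DLL at a hook point is the kind of entry that is worth checking against a known-good copy before anything is deleted.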