
Unable to remove Virus

Discussion in 'Malware and Virus Removal Archive' started by zippy101, 2008/02/14.

  1. 2008/02/14
    zippy101

    zippy101 Inactive Thread Starter

    Joined:
    2008/02/14
    Messages:
    2
    Likes Received:
    0
    Hi all, my first post on the forums and could do with a bit of help.

    I'm trying to fix a machine for a friend, but I'm completely at a loss now as everything I've tried has had no effect on removing the problem.

    Deleted all temp, prefetch, local settings\temp, recycle bin etc.,
    then created a new Live UBCD4win disk with the latest virus/malware defs, but that did not help.
    I've tried connecting the infected disk to another machine and ran Spybot S&D, Ad-Aware v7, Dr.Web CureIt & tried VundoFix (that's what I thought it was), but the problem is still there.

    I read the sticky at the top of the forum, downloaded HJT & DSS, and here is the log.

    -----------------------------------------------------------------------

    Deckard's System Scanner v20071014.68
    Run by Greg Singleton on 2008-02-14 20:20:42
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 480 MiB (512 MiB recommended).


    -- HijackThis (run as Greg Singleton.exe) --------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:20:51, on 14/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\VM_STI.EXE
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Greg Singleton\Desktop\dss.exe
    C:\DOCUME~1\GREGSI~1\Desktop\GREGSI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\eiitsrtt.dll
    O2 - BHO: CmjBrowserHelperObject Object - {AC41D38F-B56D-40AD-94E0-B493D130C959} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: {1879465b-0846-bda8-0864-f8f1343ee4dc} - {cd4ee343-1f8f-4680-8adb-6480b5649781} - C:\WINDOWS\system32\rjmshtpl.dll (file missing)
    O2 - BHO: (no name) - {D2FD15B0-50C2-4537-A23D-BA96D59D464B} - C:\WINDOWS\system32\awvvt.dll
    O2 - BHO: (no name) - {E041DF67-DB16-4403-8747-DFCA9319200C} - C:\WINDOWS\system32\sstqr.dll (file missing)
    O2 - BHO: Zango /fleok=1D8A83A5C2E5177A9EA4692A1FBB39BFE4976E26CAEDA120180A196D6093 - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
    O2 - BHO: (no name) - {E534C5C6-7E2A-4AA4-940B-440E3F0F1DF2} - C:\WINDOWS\system32\ddcyv.dll (file missing)
    O2 - BHO: (no name) - {F4982BAB-80E9-4838-A2A0-95D30F348161} - C:\WINDOWS\system32\nnnmnnk.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Zango - {E1BACF55-35E1-4E47-9247-2D48660E5545} - C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll (file missing)
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe "
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: VTAgentReboot.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\system32\mshta.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to Mindjet MindManager - {531B9DC0-D8EE-4c76-A6EE-6C1E50569655} - C:\Program Files\Mindjet\MindManager 6\Mm6InternetExplorer.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/cabs/ascstubie.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
    O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O20 - Winlogon Notify: eiitsrtt - C:\WINDOWS\SYSTEM32\eiitsrtt.dll
    O20 - Winlogon Notify: hveqolnw - hveqolnw.dll (file missing)
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O20 - Winlogon Notify: nnnmnnk - C:\WINDOWS\SYSTEM32\nnnmnnk.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe

    --
    End of file - 7575 bytes

    -- Files created between 2008-01-14 and 2008-02-14 -----------------------------

    2008-02-14 18:50:59 259264 --ahs---- C:\WINDOWS\system32\tvvwa.ini2
    2008-02-14 18:49:00 0 d-------- C:\WINDOWS\system32\New Folder
    2008-02-14 18:03:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-14 17:37:24 163904 --a------ C:\WINDOWS\system32\eiitsrtt.dll
    2008-02-14 17:13:17 331264 --a------ C:\WINDOWS\system32\awvvt.dll
    2008-02-14 17:10:37 0 d-------- C:\Program Files\Lavasoft
    2008-02-14 17:10:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-14 17:09:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-13 23:48:37 73728 --a------ C:\WINDOWS\system32\CavEmLSP.dll <Not Verified; COMODO; Comodo AntiVirus.>
    2008-02-13 23:47:13 102400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2008-02-13 23:45:40 216576 --a------ C:\WINDOWS\system32\monln.dll <Not Verified; Comodo Inc.; Comodo Anti-Viruspyware>
    2008-02-13 23:17:19 88128 --a------ C:\WINDOWS\system32\khuyolof.dll
    2008-02-13 23:13:39 98368 --a------ C:\WINDOWS\system32\gyjldvgm.dll
    2008-02-13 22:59:38 0 d-------- C:\Documents and Settings\Greg Singleton\Application Data\Comodo
    2008-02-13 22:59:36 0 d-------- C:\Program Files\COMODO
    2008-02-13 22:59:36 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
    2008-02-13 22:37:28 0 d-------- C:\Program Files\Panda Security
    2008-02-07 08:01:59 41472 --a------ C:\WINDOWS\system32\rqrqnkl.dll
    2008-02-07 07:36:57 41472 --a------ C:\WINDOWS\system32\qommmlj.dll
    2008-02-07 07:11:55 41472 --a------ C:\WINDOWS\system32\awtsspn.dll
    2008-02-07 07:07:34 41472 --a------ C:\WINDOWS\system32\awtrstu.dll
    2008-02-06 20:08:42 26624 --a------ C:\WINDOWS\system32\vtustut.dll
    2008-02-06 19:00:38 26624 --a------ C:\WINDOWS\system32\nnnlljk.dll
    2008-02-06 13:22:19 26624 --a------ C:\WINDOWS\system32\ljjgfed.dll
    2008-02-06 13:10:41 26624 --a------ C:\WINDOWS\system32\byxxwur.dll
    2008-02-06 13:08:19 26624 --a------ C:\WINDOWS\system32\mljijgd.dll
    2008-02-06 06:45:41 26624 --a------ C:\WINDOWS\system32\wvutuvt.dll
    2008-02-06 06:33:58 26624 --a------ C:\WINDOWS\system32\khfdbxw.dll
    2008-02-06 06:22:18 26624 --a------ C:\WINDOWS\system32\opnnomn.dll
    2008-02-06 06:10:38 26624 --a------ C:\WINDOWS\system32\vtursst.dll
    2008-02-06 05:58:58 26624 --a------ C:\WINDOWS\system32\ddcdaba.dll
    2008-02-06 05:47:18 26624 --a------ C:\WINDOWS\system32\urqqonk.dll
    2008-02-06 05:35:38 26624 --a------ C:\WINDOWS\system32\byxwwvt.dll
    2008-02-06 05:30:21 26624 --a------ C:\WINDOWS\system32\cbxvstr.dll
    2008-02-04 19:36:15 39424 --a------ C:\WINDOWS\system32\fccccyw.dll
    2008-02-02 15:59:31 39424 --a------ C:\WINDOWS\system32\ssqrrqr.dll
    2008-02-02 11:36:07 39424 --a------ C:\WINDOWS\system32\fccbbbb.dll
    2008-01-26 20:39:08 39424 --a------ C:\WINDOWS\system32\tuvsrqo.dll
    2008-01-26 20:36:30 39424 --a------ C:\WINDOWS\system32\mljjgec.dll
    2008-01-26 17:35:53 39424 --a------ C:\WINDOWS\system32\ljjgfge.dll
    2008-01-26 16:16:32 39424 --a------ C:\WINDOWS\system32\fccbxwx.dll
    2008-01-25 20:57:12 39424 --a------ C:\WINDOWS\system32\urqqnkl.dll
    2008-01-25 16:04:22 281228 --ahs---- C:\WINDOWS\system32\vycdd.ini2
    2008-01-25 15:37:06 39424 --a------ C:\WINDOWS\system32\khfcyvt.dll
    2008-01-25 15:21:19 0 d-------- C:\WINDOWS\network diagnostic
    2008-01-25 14:59:09 39424 --a------ C:\WINDOWS\system32\nnnmnnk.dll
    2008-01-25 02:08:17 81408 -r-hs---- C:\WINDOWS\system32\rpgsvc.exe
    2008-01-20 03:53:52 0 d-------- C:\Program Files\DivX


    -- Find3M Report ---------------------------------------------------------------

    2007-12-22 14:09:56 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    14/02/2008 17:37 163904 --a------ C:\WINDOWS\system32\eiitsrtt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd4ee343-1f8f-4680-8adb-6480b5649781}]
    C:\WINDOWS\system32\rjmshtpl.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD15B0-50C2-4537-A23D-BA96D59D464B}]
    14/02/2008 17:13 331264 --a------ C:\WINDOWS\system32\awvvt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E041DF67-DB16-4403-8747-DFCA9319200C}]
    C:\WINDOWS\system32\sstqr.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BACF55-35E1-4E47-9247-2D48660E5545}]
    C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E534C5C6-7E2A-4AA4-940B-440E3F0F1DF2}]
    C:\WINDOWS\system32\ddcyv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4982BAB-80E9-4838-A2A0-95D30F348161}]
    25/01/2008 14:59 39424 --a------ C:\WINDOWS\system32\nnnmnnk.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{E1BACF55-35E1-4E47-9247-2D48660E5545} "= C:\Program Files\Zango\bin\10.1.181.0\HostIE.dll [ ]

    [-HKEY_CLASSES_ROOT\CLSID\{E1BACF55-35E1-4E47-9247-2D48660E5545}]
    [HKEY_CLASSES_ROOT\HostIE.Bho.1]
    [HKEY_CLASSES_ROOT\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}]
    [HKEY_CLASSES_ROOT\HostIE.Bho]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BigDogPath "= "C:\WINDOWS\VM_STI.exe" [09/06/2004 15:37]
    "COMODO Firewall Pro "= "C:\Program Files\COMODO\Firewall\cfp.exe" [13/02/2008 22:59]
    "cnfgCav "= "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [13/02/2008 23:45]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr "= "C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "RegisterDropHandler "=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    VTAgentReboot.exe [07/10/2001 12:11:30]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{F4982BAB-80E9-4838-A2A0-95D30F348161} "= C:\WINDOWS\system32\nnnmnnk.dll [25/01/2008 14:59 39424]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eiitsrtt]
    eiitsrtt.dll 14/02/2008 17:37 163904 C:\WINDOWS\system32\eiitsrtt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hveqolnw]
    hveqolnw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
    monln.dll 13/02/2008 23:45 216576 C:\WINDOWS\system32\monln.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmnnk]
    nnnmnnk.dll 25/01/2008 14:59 39424 C:\WINDOWS\system32\nnnmnnk.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "= C:\WINDOWS\system32\guard32.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\awvvt.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
    backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
    backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TabUserW.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TabUserW.exe.lnk
    backup=C:\WINDOWS\pss\TabUserW.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^TrayMin200.exe.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TrayMin200.exe.lnk
    backup=C:\WINDOWS\pss\TrayMin200.exe.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk
    backup=C:\WINDOWS\pss\Utility Tray.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
    backup=C:\WINDOWS\pss\VTAgentReboot.exeCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Greg Singleton^Start Menu^Programs^Startup^reminder-ScanSoft Product Registration.lnk]
    path=C:\Documents and Settings\Greg Singleton\Start Menu\Programs\Startup\reminder-ScanSoft Product Registration.lnk
    backup=C:\WINDOWS\pss\reminder-ScanSoft Product Registration.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\320d18a1]
    rundll32.exe "C:\WINDOWS\system32\pjhhhsoy.dll ",b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
    "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
    C:\WINDOWS\VM_STI.EXE Philips SPC 200NC PC Camera

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM313e2b3d]
    Rundll32.exe "C:\WINDOWS\system32\nunfoffx.dll ",s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    C:\Program Files\Scansoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
    C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMReminderService]
    C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
    C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
    "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
    C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvGraphicsInterface]
    C:\DOCUME~1\GREGSI~1\LOCALS~1\Temp\05.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
    "C:\Program Files\Xerox One Touch\OneTouchMon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
    C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
    C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote Access Monitor]
    rpgsvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSPower]
    Rundll32.exe SiSPower.dll,ModeAgent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
    C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherDPA]
    "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "usnjsvc "=3 (0x3)
    "TabletService "=2 (0x2)
    "SQLAgent$MICROSOFTSMLBIZ "=3 (0x3)
    "SPBBCSvc "=2 (0x2)
    "SNDSrvc "=2 (0x2)
    "SBService "=2 (0x2)
    "SAVScan "=3 (0x3)
    "ose "=3 (0x3)
    "NPFMntor "=2 (0x2)
    "navapsvc "=2 (0x2)
    "MSSQLServerADHelper "=3 (0x3)
    "MSSQL$MICROSOFTSMLBIZ "=2 (0x2)
    "LiveUpdate "=3 (0x3)
    "IDriverT "=3 (0x3)
    "gusvc "=3 (0x3)
    "ccSetMgr "=2 (0x2)
    "ccPwdSvc "=3 (0x3)
    "ccEvtMgr "=2 (0x2)
    "Brother XP spl Service "=2 (0x2)
    "Automatic LiveUpdate Scheduler "=2 (0x2)
    "Adobe LM Service "=3 (0x3)
    "MSControlService "=3 (0x3)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{082b1d46-8ba0-11dc-a8f4-00142ad3f91d}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ie.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{358a6078-7408-11dc-a89a-00142ad3f91d}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f9135b6-a4dd-11dc-a963-00142ad3f91d}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dde1d606-80f0-11dc-a8cc-00142ad3f91d}]
    AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs


    -- End of Deckard's System Scanner: finished at 2008-02-14 20:21:53 ------------

    Any help or advice would be greatly appreciated as this has been driving me nuts.

    Thanks
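The log above is the kind of output a responder reads by hand, entry by entry. As an added example (not code from this thread, from HijackThis or from Deckard's System Scanner), the script below applies a few of the checks such a reader performs to lines in the HJT and DSS formats shown: orphaned entries marked "(file missing)" or "(no file)", unnamed BHOs, Winlogon Notify hooks, an LSA Authentication Packages value listing anything besides msv1_0, per-drive AutoRun commands that launch wscript, startup items that load a DLL through rundll32, and DLL basenames with very few vowels, which is how the Vundo-style names in this log (nnnmnnk, awvvt, sstqr) stand out. The sample lines are copied from the log above; the rules, thresholds and function names are this example's own assumptions.

```python
"""Triage helper for HijackThis (HJT) and Deckard's System Scanner (DSS) log lines.

Added example for this thread; it is not code from WindowsBBS, HijackThis or DSS.
It applies a few responder heuristics to log lines of the shapes shown in the
thread and reports why each flagged line deserves a closer look. The rules and
thresholds are this example's own assumptions, not part of either tool.
"""
import re

# Constructed sample: a handful of lines copied from the thread's HJT log and DSS registry dump.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\eiitsrtt.dll
O2 - BHO: (no name) - {E041DF67-DB16-4403-8747-DFCA9319200C} - C:\WINDOWS\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O20 - Winlogon Notify: nnnmnnk - C:\WINDOWS\SYSTEM32\nnnmnnk.dll
O20 - Winlogon Notify: hveqolnw - hveqolnw.dll (file missing)
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
"Authentication Packages "= msv1_0 C:\WINDOWS\system32\awvvt.dll
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe ie.vbs
rundll32.exe "C:\WINDOWS\system32\pjhhhsoy.dll ",b
"""

DLL_NAME = re.compile(r"([\w-]+)\.dll\b", re.IGNORECASE)


def looks_random(filename):
    """Heuristic (assumption of this example): an all-letter stem of five or more
    characters with at most one vowel per five letters, like the Vundo-style names
    in the thread (nnnmnnk, awvvt). Some legitimate names trip it too, so treat a
    hit as a prompt to check the file's publisher, not as a verdict."""
    stem = filename.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if len(stem) < 5 or not stem.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= 0.2


def triage_line(line):
    """Return the reasons a single log line deserves attention ([] if none)."""
    text = line.strip()
    low = text.lower()
    reasons = []
    if not text:
        return reasons
    # HJT marks entries whose target no longer exists; the registry reference is
    # still there and usually points at a component that was partially removed.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: the referenced file is missing")
    # A Browser Helper Object with no display name is unusual for legitimate software.
    if low.startswith("o2 - bho: (no name)"):
        reasons.append("BHO registered without a name")
    # Winlogon Notify DLLs are loaded into winlogon.exe at logon, before the user's shell.
    if low.startswith("o20 - winlogon notify:"):
        reasons.append("Winlogon Notify hook loads a DLL into winlogon.exe")
    # On XP the only expected LSA authentication package is msv1_0; anything
    # appended to it is loaded into lsass.exe at boot.
    if low.startswith('"authentication packages') and low.split("=", 1)[1].split() != ["msv1_0"]:
        reasons.append("LSA Authentication Packages lists more than msv1_0")
    # DSS dumps per-drive AutoRun commands from mountpoints2; one that runs the
    # script host is worth checking against the drive it belongs to.
    if low.startswith("autorun\\command") and "wscript" in low:
        reasons.append("drive AutoRun command launches a Windows Script Host script")
    # msconfig startupreg items of the form rundll32.exe "<dll>",<export> load a DLL at logon.
    if low.startswith("rundll32"):
        reasons.append("startup item loads a DLL through rundll32")
    for name in sorted(set(m.group(0) for m in DLL_NAME.finditer(text))):
        if looks_random(name):
            reasons.append(f"random-looking DLL name: {name}")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; returns [(line, reasons)] for flagged lines only."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

On the sample, the Adobe BHO, the COMODO Run entry and the COMODO service pass clean while the other seven lines are flagged, which matches what the log's author eventually removed by hand. The vowel heuristic is deliberately crude: the DSS file listing above shows monln.dll, a Comodo component, with exactly the same letter pattern, so the script's output is a reading order for a person, not a deletion list.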
     
  2. 2008/02/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS zippy101 :)

    Download ComboFix by sUBs from here, saving the file to your desktop.

    It's best to disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/02/16
    zippy101

    zippy101 Inactive Thread Starter

    Joined:
    2008/02/14
    Messages:
    2
    Likes Received:
    0
    Thanks noahdfear, I worked my way through the HJT log and removed all the bad registry entries & files. The computer is running perfectly now.

    HJT is my new best friend. :)

    cheers
     
  5. 2008/02/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    There's much more to do than what you would have seen in a HijackThis log. I recommend you follow my previous instructions ........ up to you however. ;)
     
