
Inactive [InActive] Redirect/jump issues again plus a lil' something extra

Discussion in 'Malware and Virus Removal Archive' started by LfntDbt, 2008/09/18.

  1. 2008/09/18
    LfntDbt

    LfntDbt Inactive Thread Starter

    Joined:
    2008/09/17
    Messages:
    5
    Likes Received:
    0
    Hi all!

    Yesterday I seem to have picked up a particularly nasty jump/redirect virus (I guess it's not really a virus though).

    It's affecting Yahoo, Google, random links (such as HJ this, hence no log to start) and also playing with my browser, lagging it to hell and back..
    Apart from those issues, this computer is rebooting and Opera is "not responding" properly at all.


    And just to make this one extra special for you (since I'm sure you're getting sick of the redirect issue) I have a prior virus affecting the system.ini. I'm not sure of its name yet; it is the one which removes all icons/start bar on start up and will not allow you to access priority items on the system... I was dealing with it by hitting ctrl alt del every time I logged on and getting in that way....


    Now with the combination of these two issues I finally have decided to burden you fine folk with this issue.


    Thank you for any help in advance.
    Last edited: 2008/09/18
  2. 2008/09/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi LfntDbt
    Welcome to Windowsbbs.

    Let's start off this way.

    Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Now this.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool and click Continue at the disclaimer.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of the log.txt here in your next reply.

    Please post the MBAM log and the log.txt from RSIT.

    Thanks
    Geri
     

  4. 2008/09/28
    LfntDbt

    LfntDbt Inactive Thread Starter

    Sorry Geri for not replying. The virus has blocked Hotmail through my browser and my password for BBS was in there. Just managed to get it back via a different browser... Neither of those links you suggested are available. Blocked, I guess. I did manage to get a copy of HJ this so here is that log. Thank you for your assistance as I can still not resolve this after 2 weeks...



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:50:06 PM, on 9/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Venturi\Configurator\ventcfg.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Unwired\UwSCT.exe
    C:\Program Files\Multimedia Mouse Driver\MouseDrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Venturi\Client\ventc.exe
    C:\Program Files\Venturi\squid\ventcsquid.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcunlinkd.exe
    C:\Program Files\Opera\Opera.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Virus scanners\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi\Configurator\ventcfg.exe -nomsgbox
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe MouseDrv.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Venturi\Client\ventc.exe

    --
    End of file - 2324 bytes
     
  5. 2008/09/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK, please do this.

    1. Click noahdfear's Rename ComboFix.
    2. If it launches a file download dialog for download_file.exe from noahdfear.net, click Run.
    3. download_file.vbs file should appear on the desktop, and shortly thereafter a renamed copy of ComboFix.
    4. Please note that the vbs file is recognized by some security programs as a Trojan-Downloader.JS and may try to block it. I assure you, the file is safe. So please allow it.
    5. If successful, double click the renamed ComboFix and follow the prompts.

    Please post the Combofix log.

    Thanks
    Geri
     
  6. 2008/09/28
    LfntDbt

    LfntDbt Inactive Thread Starter

    Nice work on the re-name, worked perfectly.
    Didn't run in Opera but no probs through FireFox.
    That's nulled the Google redirect and aesthetically the system is restored. The only thing I can pick up on is Hotmail.com, which is still not functioning through Opera. But if that is it, I can live with it.

    System is running approx 5 times faster; my connection to the net is only showing "my" transfers as opposed to massive amounts of incoming and outgoing transfers that weren't mine. It was transferring approx 40 kb/s of data whilst I had no transfers active or programs operating.

    Here's the results.



    ComboFix 08-09-27.06 - all 2008-09-29 9:45:23.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.712 [GMT 10:00]
    Running from: C:\Documents and Settings\all\Desktop\FomboCix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\all\My Documents\My Documents.url
    C:\Documents and Settings\all\My Documents\My Music\My Music.url
    C:\Documents and Settings\all\My Documents\My Pictures\My Pictures.url
    C:\WINDOWS\BM33b5f60f.txt
    C:\WINDOWS\BM33b5f60f.xml
    C:\WINDOWS\efwl.exe
    C:\WINDOWS\mqgldfvo.exe
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\834668
    C:\WINDOWS\system32\akulgbsj.ini
    C:\WINDOWS\system32\cqnpefch.ini
    C:\WINDOWS\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\efgliuyi.ini
    C:\WINDOWS\system32\felaopia.ini
    C:\WINDOWS\system32\hkwaxrok.ini
    C:\WINDOWS\system32\hrnegdcq.ini
    C:\WINDOWS\system32\nyniilgi.ini
    C:\WINDOWS\system32\phxdpobm.ini
    C:\WINDOWS\system32\QXGjmUvw.ini
    C:\WINDOWS\system32\rcdpkpar.ini
    C:\WINDOWS\system32\TDSSadw.dll
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\TDSSlog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\tdssservers.dat
    C:\WINDOWS\system32\utmogqpt.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV
    -------\Service_TDSSserv


    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
    .

    2008-09-24 19:03 . 2008-09-24 19:03 <DIR> d---s---- C:\Documents and Settings\all\UserData
    2008-09-22 15:21 . 2008-09-22 15:34 <DIR> d-------- C:\Virus scanners
    2008-09-20 18:56 . 2008-06-13 23:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
    2008-09-20 18:56 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
    2008-09-19 18:57 . 2008-09-19 19:06 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-09-18 21:59 . 2008-09-18 23:06 568,712 --ahs---- C:\WINDOWS\system32\QXGjmUvw.ini2
    2008-09-18 19:14 . 2008-09-15 01:50 166,912 --a------ C:\WINDOWS\system32\MicroAV.cpl
    2008-09-18 11:45 . 2008-09-18 11:45 <DIR> d-------- C:\Program Files\Opera
    2008-08-31 18:38 . 2006-03-13 16:50 87,824 -ra------ C:\WINDOWS\system32\drivers\w300mgmt.sys
    2008-08-31 18:38 . 2006-03-13 16:50 85,696 -ra------ C:\WINDOWS\system32\drivers\w300obex.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-28 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-28 13:10 --------- d-----w C:\Documents and Settings\all\Application Data\AVGTOOLBAR
    2008-09-25 00:39 --------- d-----w C:\Program Files\Unwired
    2008-09-22 12:29 --------- d-----w C:\Program Files\Starcraft
    2008-09-22 11:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-09-22 11:07 --------- d-----w C:\Program Files\3D Canvas 7
    2008-09-22 06:17 --------- d-----w C:\Documents and Settings\all\Application Data\skypePM
    2008-08-21 13:31 --------- d-----w C:\Documents and Settings\Sarah\Application Data\Teleca
    2008-08-21 08:56 --------- d-----w C:\Documents and Settings\all\Application Data\Teleca
    2008-08-21 08:53 --------- d-----w C:\Program Files\Common Files\Teleca Shared
    2008-08-21 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
    2008-08-21 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    2008-08-21 08:52 --------- d-----w C:\Program Files\Sony Ericsson
    2008-08-06 12:10 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
    2008-08-06 12:10 --------- d--h--r C:\Documents and Settings\all\Application Data\SecuROM
    2008-07-29 09:33 --------- d-----w C:\Program Files\LEGO Software
    2008-07-29 09:32 --------- d-----w C:\Program Files\National Instruments
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-03-08 10:17 382,352 ----a-w C:\Program Files\jre-6u5-windows-i586-p-iftw.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "= "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-13 1510640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Venturi Configurator "= "C:\Program Files\Venturi\Configurator\ventcfg.exe" [2008-01-21 963976]
    "WireLessMouse "= "C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe" [2005-11-30 94208]
    "Sony Ericsson PC Suite "= "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Unwired Launchpad.lnk - C:\Program Files\Unwired\UwSCT.exe [2007-01-12 200704]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Unwired\\UwWiz.exe "=
    "C:\\Program Files\\NavDiag\\Navini Diagnostics.exe "=
    "C:\\Program Files\\Starcraft\\StarCraft.exe "=
    "C:\\Program Files\\Venturi\\squid\\ventcsquid.exe "=
    "C:\\Program Files\\Venturi\\squid\\ventcdnsserver.exe "=
    "C:\\Program Files\\Venturi\\Configurator\\ventcfg.exe "=
    "C:\\Program Files\\Venturi\\Configurator\\VClientUpdate.exe "=
    "C:\\Program Files\\Venturi\\Client\\VentC.exe "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe "=
    "C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "C:\\Program Files\\Opera\\Opera.exe "=
    "C:\\WINDOWS\\system32\\mmc.exe "=

    R2 VenturiClient;Venturi Client;C:\Program Files\Venturi\Client\ventc.exe [2008-01-21 2487648]
    R3 vwinter;Venturi Wireless Intercepter;C:\WINDOWS\system32\drivers\vwinter.sys [2007-04-30 47392]
    R3 vwredir;Venturi Wireless Redirector;C:\WINDOWS\system32\drivers\vwredir.sys [2007-04-30 85792]
    S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 39424]
    S3 UCharger;Usb Charger Driver;C:\WINDOWS\system32\Drivers\UCharger.sys [2007-05-15 13765]
    S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
    S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 9264]
    S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 96352]
    S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 87824]
    S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 85696]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-EleFunAnimatedWallpaper - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\all\Application Data\Mozilla\Firefox\Profiles\8ggpsz02.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-29 09:50:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Multimedia Mouse Driver\MouseDrv.exe
    C:\Program Files\Venturi\squid\ventcsquid.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Venturi\squid\ventcunlinkd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-29 9:56:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-28 23:54:57

    Pre-Run: 28,744,331,264 bytes free
    Post-Run: 28,824,346,624 bytes free

    155 --- E O F --- 2008-09-21 07:37:56
     
  7. 2008/09/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Hi
    OK good.

    Please download and run MBAM as instructed above and RSIT.

    Please post the MBAM log and the RSIT log.txt

    Thanks
    Geri
     
  8. 2008/09/28
    LfntDbt

    LfntDbt Inactive Thread Starter

    Malwarebytes' Anti-Malware 1.28
    Database version: 1221
    Windows 5.1.2600 Service Pack 2

    9/29/2008 10:49:41 AM
    mbam-log-2008-09-29 (10-49-41).txt

    Scan type: Quick Scan
    Objects scanned: 42285
    Time elapsed: 3 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 6
    Registry Data Items Infected: 4
    Folders Infected: 6
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\fqbewlna.bkdq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-648-4627907-23553) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    C:\WinSecureAv\AVQuar (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\all\Application Data\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    C:\Documents and Settings\all\Application Data\WinSecureAv\Logs (Rogue.WinSecureAv) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\MicroAV.cpl (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\all\Application Data\WinSecureAv\Logs\threats.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    C:\Documents and Settings\all\Application Data\WinSecureAv\Logs\update.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\all\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.




    Logfile of random's system information tool 1.02 (written by random/random)
    Run by all at 2008-09-29 10:53:39
    Microsoft Windows XP Professional Service Pack 2
    System drive C: has 28 GB (70%) free of 39 GB
    Total RAM: 991 MB (73% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:53:44 AM, on 9/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Venturi\Configurator\ventcfg.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Unwired\UwSCT.exe
    C:\Program Files\Multimedia Mouse Driver\MouseDrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Venturi\Client\ventc.exe
    C:\Program Files\Venturi\squid\ventcsquid.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcdnsserver.exe
    C:\Program Files\Venturi\squid\ventcunlinkd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\all\Desktop\RSIT.exe
    C:\Virus scanners\Trend Micro\HijackThis\all.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi\Configurator\ventcfg.exe -nomsgbox
    O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe MouseDrv.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Venturi Client (VenturiClient) - Venturi Wireless - C:\Program Files\Venturi\Client\ventc.exe

    --
    End of file - 2698 bytes

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Venturi Configurator "=C:\Program Files\Venturi\Configurator\ventcfg.exe [2008-01-21 963976]
    "WireLessMouse "=C:\Program Files\Multimedia Mouse Driver\StartAutorun.exe [2005-11-30 94208]
    "Sony Ericsson PC Suite "=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 159744]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware "=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2008-05-13 1510640]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Unwired Launchpad.lnk - C:\Program Files\Unwired\UwSCT.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
    C:\WINDOWS\system32\WgaLogon.dll [2008-08-11 241704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername "=0
    "legalnoticecaption "=
    "legalnoticetext "=
    "shutdownwithoutlogon "=1
    "undockwithoutlogon "=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives "=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun "=
    "NoDrives "=
    "NoDriveAutoRun "=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\Unwired\UwWiz.exe "= "C:\Program Files\Unwired\UwWiz.exe:*:Enabled:Connection Assistant "
    "C:\Program Files\NavDiag\Navini Diagnostics.exe "= "C:\Program Files\NavDiag\Navini Diagnostics.exe:*:Enabled:LaunchAnywhere GUI "
    "C:\Program Files\Starcraft\StarCraft.exe "= "C:\Program Files\Starcraft\StarCraft.exe:*:Enabled:Starcraft "
    "C:\Program Files\Venturi\squid\ventcsquid.exe "= "C:\Program Files\Venturi\squid\ventcsquid.exe:*:Enabled:ventcsquid "
    "C:\Program Files\Venturi\squid\ventcdnsserver.exe "= "C:\Program Files\Venturi\squid\ventcdnsserver.exe:*:Enabled:ventcdnsserver "
    "C:\Program Files\Venturi\Configurator\ventcfg.exe "= "C:\Program Files\Venturi\Configurator\ventcfg.exe:*:Enabled:ventcfg "
    "C:\Program Files\Venturi\Configurator\VClientUpdate.exe "= "C:\Program Files\Venturi\Configurator\VClientUpdate.exe:*:Enabled:VClientUpdate.exe "
    "C:\Program Files\Venturi\Client\VentC.exe "= "C:\Program Files\Venturi\Client\VentC.exe:*:Enabled:VentC.exe "
    "C:\Program Files\Microsoft Games\Age of Empires III\age3.exe "= "C:\Program Files\Microsoft Games\Age of Empires III\age3.exe:*:Enabled:Age of Empires III "
    "C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe "= "C:\Program Files\Microsoft Games\Age of Empires III\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs "
    "C:\Program Files\Messenger\msmsgs.exe "= "C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger "
    "C:\Program Files\Opera\Opera.exe "= "C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser "
    "C:\WINDOWS\system32\mmc.exe "= "C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "C:\Program Files\Venturi\squid\ventcsquid.exe "= "C:\Program Files\Venturi\squid\ventcsquid.exe:*:Enabled:ventcsquid "
    "C:\Program Files\Venturi\squid\ventcdnsserver.exe "= "C:\Program Files\Venturi\squid\ventcdnsserver.exe:*:Enabled:ventcdnsserver "
    "C:\Program Files\Venturi\Configurator\ventcfg.exe "= "C:\Program Files\Venturi\Configurator\ventcfg.exe:*:Enabled:ventcfg "
    "C:\Program Files\Venturi\Configurator\VClientUpdate.exe "= "C:\Program Files\Venturi\Configurator\VClientUpdate.exe:*:Enabled:VClientUpdate.exe "
    "C:\Program Files\Venturi\Client\VentC.exe "= "C:\Program Files\Venturi\Client\VentC.exe:*:Enabled:VentC.exe "

    ======List of files/folders created in the last 1 months======

    2008-09-29 10:53:39 ----D---- C:\rsit
    2008-09-29 10:49:41 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-09-29 10:38:12 ----D---- C:\Documents and Settings\all\Application Data\Malwarebytes
    2008-09-29 10:38:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-29 10:38:09 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-29 10:23:22 ----SHD---- C:\RECYCLER
    2008-09-29 09:56:03 ----D---- C:\WINDOWS\temp
    2008-09-29 09:56:01 ----A---- C:\ComboFix.txt
    2008-09-29 09:44:44 ----D---- C:\WINDOWS\erdnt
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\zip.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\VFind.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\swxcacls.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\SWSC.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\swreg.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\sed.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\Nircmd.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\grep.exe
    2008-09-29 09:44:26 ----A---- C:\WINDOWS\fdsv.exe
    2008-09-29 09:42:23 ----D---- C:\Qoobox
    2008-09-24 19:46:34 ----D---- C:\Program Files\Mozilla Firefox
    2008-09-22 15:21:14 ----D---- C:\Virus scanners
    2008-09-21 17:36:09 ----A---- C:\WINDOWS\system32\MRT.exe
    2008-09-20 22:01:24 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
    2008-09-20 22:01:04 ----HDC---- C:\WINDOWS\$NtUninstallKB953838$
    2008-09-20 22:00:44 ----HDC---- C:\WINDOWS\$NtUninstallKB950749$
    2008-09-20 09:02:41 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
    2008-09-19 23:13:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
    2008-09-19 23:13:15 ----HDC---- C:\WINDOWS\$NtUninstallKB953839$
    2008-09-19 23:13:07 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
    2008-09-19 23:13:00 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
    2008-09-19 23:12:54 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
    2008-09-19 23:12:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
    2008-09-19 23:12:42 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
    2008-09-19 23:12:34 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
    2008-09-19 23:12:24 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
    2008-09-19 22:01:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951072-v2$
    2008-09-19 18:57:34 ----D---- C:\WINDOWS\system32\CatRoot_bak
    2008-09-18 22:02:09 ----A---- C:\WINDOWS\system32\3ba501ed-.txt
    2008-09-18 21:59:10 ----ASH---- C:\WINDOWS\system32\QXGjmUvw.ini2
    2008-09-18 11:45:54 ----D---- C:\Documents and Settings\all\Application Data\Opera
    2008-09-18 11:45:46 ----D---- C:\Program Files\Opera

    ======List of files/folders modified in the last 1 months======

    2008-09-29 10:52:27 ----D---- C:\WINDOWS\system32\drivers
    2008-09-29 10:52:27 ----D---- C:\WINDOWS
    2008-09-29 10:51:50 ----A---- C:\WINDOWS\SchedLgU.Txt
    2008-09-29 10:49:40 ----D---- C:\WINDOWS\system32
    2008-09-29 10:38:09 ----RD---- C:\Program Files
    2008-09-29 09:54:18 ----D---- C:\WINDOWS\system32\CatRoot2
    2008-09-29 09:50:00 ----A---- C:\WINDOWS\system.ini
    2008-09-29 09:48:33 ----D---- C:\WINDOWS\system32\config
    2008-09-29 09:47:25 ----D---- C:\Program Files\Common Files
    2008-09-29 09:47:24 ----D---- C:\WINDOWS\AppPatch
    2008-09-29 09:45:21 ----D---- C:\WINDOWS\Prefetch
    2008-09-28 23:11:18 ----SD---- C:\Documents and Settings\all\Application Data\Microsoft
    2008-09-28 23:11:17 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
    2008-09-28 23:10:58 ----D---- C:\Documents and Settings\all\Application Data\AVGTOOLBAR
    2008-09-25 10:39:29 ----D---- C:\Program Files\Unwired
    2008-09-24 19:48:22 ----D---- C:\Documents and Settings\all\Application Data\Mozilla
    2008-09-23 13:48:10 ----D---- C:\WINDOWS\Registration
    2008-09-22 22:29:51 ----D---- C:\Program Files\Starcraft
    2008-09-22 22:08:58 ----D---- C:\Program Files\Online Services
    2008-09-22 21:10:42 ----SD---- C:\WINDOWS\Downloaded Program Files
    2008-09-22 21:09:37 ----HD---- C:\Program Files\InstallShield Installation Information
    2008-09-22 21:09:17 ----SHD---- C:\WINDOWS\Installer
    2008-09-22 21:07:30 ----D---- C:\Program Files\3D Canvas 7
    2008-09-22 16:17:40 ----D---- C:\Documents and Settings\all\Application Data\skypePM
    2008-09-22 12:02:23 ----D---- C:\WINDOWS\Help
    2008-09-21 17:36:10 ----D---- C:\WINDOWS\Debug
    2008-09-21 16:52:21 ----HD---- C:\WINDOWS\inf
    2008-09-21 16:51:54 ----HD---- C:\WINDOWS\$hf_mig$
    2008-09-21 16:49:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2008-09-20 22:01:27 ----A---- C:\WINDOWS\imsins.BAK
    2008-09-20 22:01:12 ----D---- C:\Program Files\Internet Explorer
    2008-09-20 09:02:44 ----D---- C:\Program Files\Messenger
    2008-09-19 23:12:26 ----D---- C:\WINDOWS\WinSxS
    2008-09-19 19:06:05 ----D---- C:\WINDOWS\system32\CatRoot
    2008-09-18 22:24:15 ----A---- C:\WINDOWS\ntbtlog.txt

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\system32\DRIVERS\amdk7.sys [2004-08-04 37376]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
    R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
    R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
    R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2007-11-07 128144]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2002-01-15 870029]
    R3 nvax;Service for NVIDIA® nForce(TM) Audio Enumerator; C:\WINDOWS\system32\drivers\nvax.sys [2002-04-12 13056]
    R3 NVENET;NVIDIA nForce MCP Networking Adapter Driver; C:\WINDOWS\system32\DRIVERS\NVENET.sys [2001-12-08 94208]
    R3 nvnforce;Service for NVIDIA® nForce(TM) Audio; C:\WINDOWS\system32\drivers\nvapu.sys [2002-04-12 192384]
    R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
    R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
    R3 vwinter;Venturi Wireless Intercepter; \??\C:\WINDOWS\system32\drivers\vwinter.sys []
    R3 vwredir;Venturi Wireless Redirector; \??\C:\WINDOWS\system32\drivers\vwredir.sys []
    S3 catchme;catchme; \??\C:\FomboCix\catchme.sys []
    S3 FANTOM;LEGO MINDSTORMS NXT Driver; C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 39424]
    S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
    S3 UCharger;Usb Charger Driver; C:\WINDOWS\System32\Drivers\UCharger.sys [2007-05-15 13765]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
    S3 w300bus;Sony Ericsson W300 Driver driver (WDM); C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 60800]
    S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 9264]
    S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 96352]
    S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 87824]
    S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 85696]
    S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [1782-01-19 12032]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2002-01-15 57344]
    R2 VenturiClient;Venturi Client; C:\Program Files\Venturi\Client\ventc.exe [2008-01-21 2487648]
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
    S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]

    -----------------EOF-----------------
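The log posted above lists files with their attribute flags and drivers/services with their recorded date and size. As an added example (not code from this thread nor from any of the tools mentioned in it), here is a small Python triage script that parses those two line formats and flags entries a reviewer would look at first: hidden+system files under system32 (like the `----ASH----` entry for QXGjmUvw.ini2), driver entries with no recorded date/size (the `[]` entries, which for drivers belonging to live tools such as SUPERAntiSpyware are expected), and implausible file timestamps (the 1782 date on ws2ifsl.sys, which may be a metadata quirk rather than tampering). The flag wording and the 1990 year cutoff are assumptions of this example; the sample lines are copied from the log above.

```python
"""Triage helper for the file-list / driver-list log format posted above.

Added example for this thread; not part of any scanner or removal tool.
Two line shapes are recognised:

  <date> <time> ----<attrs>---- <path>                      (file/folder lists)
  <R|S><0-4> <name>;<description>; <path> [<date> <size>]  (driver/service lists)

Every flag is a hint for a human reviewer, never a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ----(?P<attrs>[A-Z]*)---- (?P<path>.+)$"
)
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); "
    r"(?P<path>.+?) \[(?P<meta>[^\]]*)\]$"
)

# Lines copied from the log above (benign and suspicious ones mixed).
SAMPLE_LOG = r"""
2008-09-29 09:44:26 ----A---- C:\WINDOWS\sed.exe
2008-09-18 21:59:10 ----ASH---- C:\WINDOWS\system32\QXGjmUvw.ini2
2008-09-19 18:57:34 ----D---- C:\WINDOWS\system32\CatRoot_bak
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [1782-01-19 12032]
"""


@dataclass
class Finding:
    line: str
    reason: str


def _year_plausible(year: int, log_year: int) -> bool:
    # Assumption: a Windows binary dated before 1990 or after the log itself is odd.
    return 1990 <= year <= log_year


def triage_file_line(m: "re.Match") -> Optional[str]:
    attrs, path = m["attrs"], m["path"].lower()
    if "D" in attrs:
        return None  # directories are not the item of interest for this check
    if "H" in attrs and "S" in attrs and "\\system32\\" in path:
        return "hidden+system file in system32 (both flags set keeps it out of ordinary listings)"
    return None


def triage_driver_line(m: "re.Match", log_year: int) -> Optional[str]:
    meta = m["meta"].strip()
    if not meta:
        return "no file date/size recorded: file missing, unreadable, or a live-tool driver"
    date = meta.split()[0]
    if not _year_plausible(int(date[:4]), log_year):
        return f"implausible file timestamp {date} (metadata quirk or tampering; verify the file)"
    return None


def triage(lines, log_year: int = 2008) -> List[Finding]:
    """Return the lines worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if (m := FILE_RE.match(line)):
            reason = triage_file_line(m)
        elif (m := DRIVER_RE.match(line)):
            reason = triage_driver_line(m, log_year)
        else:
            continue  # headers, blank lines, other sections
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason}\n    {f.line}")
```

Run it against a saved copy of the log (`triage(open("log.txt").read().splitlines())`) and read the flagged lines together with the scanner results, as in the Jotti step below: a flag on a file that several engines call clean is still only a reason to look closer, not a finding by itself.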
     
  9. 2008/09/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK that's looking good.

    I would like a couple files scanned. Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box on the top of the page, one at a time:
      • C:\WINDOWS\system32\3ba501ed-.txt
      • C:\WINDOWS\system32\QXGjmUvw.ini2
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/09/28
    LfntDbt

    LfntDbt Inactive Thread Starter

    Joined:
    2008/09/17
    Messages:
    5
    Likes Received:
    0
    C:\WINDOWS\system32\3ba501ed-.txt

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file




    C:\WINDOWS\system32\QXGjmUvw.ini2

    File: QXGjmUvw.ini2
    Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 093ce0bf18b3fc4a4d8336987279a030
    Packers detected: -

    Scanner results
    Scan taken on 29 Sep 2008 02:34:47 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    G DATA Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
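One of the two uploads came back as 0 bytes, and the other came back with an MD5 that can be compared against the file on disk. As an added example (not something from this thread or from Jotti), here is a Python pre-check a submitter can run locally: it reports the file's size, its hidden/system attributes on Windows, and its MD5/SHA-256, and says whether a 0-byte upload means the file really is empty or that something on the host stopped the read. The `explain_upload` wording is this example's own; the scanner MD5 used in the usage note is the one reported above.

```python
"""Local pre-check before or after submitting a file to a multi-engine scanner.

Added example for this thread. It distinguishes a genuinely empty file from a
blocked/locked upload and lets the submitter confirm that the hash a scanner
reports matches the bytes on disk.
"""
import hashlib
import os
import stat
import sys
from typing import Optional

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # what a scanner reports for a 0-byte upload


def hash_bytes(data: bytes) -> dict:
    """MD5 (what older scanners report) and SHA-256 (what you should record)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inspect_file(path: str) -> dict:
    """Size, attribute flags and hashes of the file as this process can read it."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    info = {"size": st.st_size, **hash_bytes(data)}
    # st_file_attributes only exists on Windows; elsewhere both flags read as False.
    attrs = getattr(st, "st_file_attributes", 0)
    info["hidden"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    info["system"] = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0))
    return info


def explain_upload(info: dict, scanner_md5: Optional[str] = None) -> str:
    """Interpret a scanner's '0 bytes' or hash result against the local view."""
    if info["size"] == 0:
        return "file is genuinely empty on disk; a 0-byte upload is expected"
    if scanner_md5 and scanner_md5.lower() != info["md5"]:
        return "scanner hashed a different file or version than the one on disk"
    return ("upload should succeed; if the scanner still sees 0 bytes, something on "
            "this host (firewall, filter driver, or malware) is blocking the read")


if __name__ == "__main__":
    for p in sys.argv[1:]:
        data = inspect_file(p)
        print(p, data)
        print("  ->", explain_upload(data))
```

Usage on the second file from the post would be `python precheck.py C:\WINDOWS\system32\QXGjmUvw.ini2` and then `explain_upload(info, "093ce0bf18b3fc4a4d8336987279a030")` to confirm the scanner saw the same bytes; a mismatch means the file changed between the scan and now, which is itself worth noting in the thread.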
     
  11. 2008/09/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\3ba501ed-.txt


    Now do this please.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now let's get an online scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files.
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
