Infected with Hoax.Win32.Renos.vaoz. Please Help!!

Hi there,

This is my first post and I have already found this post extremely helpful. It's made a tough situation a lot easier. I bought a brand new PC last week and was online last night. Everything was going fantastically. The PC was running slickly and I was being extra careful in what programs I was installing. Anyway, whilst browsing last night I was struck by a huge virus/malware "hijack" which threw my PC into a tailspin. Have never encountered anything like this before.

Over the last 24 hours I have tried a number of the fixes suggested - ATF Cleaner, ComboFix, Malwarebytes, DSS (which won't run) and HiJackThis. I have also used CCleaner, Registry Mechanic, Rogue Remover - I still haven't nailed it. You could say it's overkill! The edge has certainly been taken off the virus, but the PC is now running quite sluggishly. This is a huge disappointment, naturally.

I have used my pre-installed software, BitDefender 2008, and then downloaded and used AVG anti-virus. Below I have included ALL my scans, in the hope that some kind soul will be able to help me. It would be most appreciated and I would be happy to donate to the forum. I have also used the online "free scan" version of Kaspersky.
Most of the programs report that the system is clean, but Kaspersky's online scan reported the following:

Wednesday, July 23, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, July 23, 2008 21:51:10
Records in database: 999411

Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Paul\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned: 53731
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 00:38:03

File name / Threat name / Threats count
C:\WINDOWS\system32\IEDFix.C.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\WINDOWS\system32\IEDFix.exe Infected: Hoax.Win32.Renos.vaoz 1
C:\WINDOWS\system32\Tools\Restart.exe Infected: not-a-virus:RiskTool.Win32.Reboot.j 1

The selected area was scanned.

-----------------------------------------------------------------

ComboFix 08-07-22.4 - Paul 2008-07-23 11:27:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2360 [GMT 1:00]
Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Jenna\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\Paul\Application Data\inst.exe
C:\Documents and Settings\Paul\Favorites\Error Cleaner.url
C:\Documents and Settings\Paul\Favorites\Privacy Protector.url
C:\Documents and Settings\Paul\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\erpyiciv.dll
C:\WINDOWS\system32\iifeBspN.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnnmJyA.dll
C:\WINDOWS\system32\qrBacfii.ini
C:\WINDOWS\system32\qrBacfii.ini2
C:\WINDOWS\system32\viciypre.ini

----- BITS: Possible infected sites -----

http://au.download.windowsupdaj+|Cv+@J:NGD_DQ{zcxLJS@a,D$@!
.
((((((((((((((((((((((((( Files Created from 2008-06-23 to 2008-07-23 )))))))))))))))))))))))))))))))
.
2008-07-23 03:41 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-23 03:40 . 2008-07-23 03:41 <DIR> d-------- C:\Program Files\Java
2008-07-23 03:40 . 2008-07-23 03:40 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-23 03:03 . 2008-07-23 03:54 3,986 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-23 03:02 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-23 03:02 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-23 03:02 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-23 03:02 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-23 03:02 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-23 03:02 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-23 03:02 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-23 03:02 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-23 03:02 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-23 02:35 . 2008-07-23 11:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-23 02:33 . 2008-07-23 02:35 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-23 02:33 . 2008-07-23 02:33 <DIR> d-------- C:\Program Files\AVG
2008-07-23 02:33 . 2008-07-23 02:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-23 02:33 . 2008-07-23 02:33 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-23 02:33 . 2008-07-23 02:33 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-23 02:33 . 2008-07-23 02:33 12,936 --a------ C:\WINDOWS\system32\drivers\avgrkx86.sys
2008-07-23 02:33 . 2008-07-23 02:33 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-23 02:07 . 2008-07-23 02:08 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-07-23 01:42 . 2008-07-23 01:42 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-23 01:39 . 2008-07-23 01:39 323,648 --a------ C:\WINDOWS\system32\iifcaBrq.dll
2008-07-22 20:09 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-07-22 20:08 . 2008-07-22 22:08 <DIR> d-------- C:\Program Files\Audible
2008-07-22 20:08 . 2008-07-22 20:08 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-07-22 20:07 . 2008-07-22 20:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-07-22 20:05 . 2008-07-22 20:05 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Apple Computer
2008-07-22 02:53 . 2008-07-22 22:05 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Creative
2008-07-22 02:48 . 2008-07-22 02:49 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-07-22 02:48 . 2008-07-22 20:09 <DIR> d-------- C:\Program Files\Creative
2008-07-22 02:48 . 2008-07-22 02:48 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-07-22 02:48 . 1999-12-13 01:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-07-22 02:48 . 1999-11-18 01:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-07-22 00:20 . 2008-07-22 01:26 <DIR> d-------- C:\Program Files\Arachnophilia
2008-07-21 23:33 . 2008-07-21 23:33 78 --a------ C:\WINDOWS\Numerical
2008-07-21 22:00 . 2008-07-21 22:00 76 --a------ C:\WINDOWS\Spatial
2008-07-20 02:04 . 2008-07-20 02:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-20 01:58 . 2008-07-20 01:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-20 01:57 . 2008-04-07 05:38 45,392 -ra------ C:\WINDOWS\system32\AdobePDF.dll
2008-07-20 01:57 . 2008-04-07 05:38 22,872 -ra------ C:\WINDOWS\system32\AdobePDFUI.dll
2008-07-20 01:53 . 2008-07-20 01:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-20 00:38 . 2008-07-20 00:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-20 00:37 . 2008-07-20 00:38 <DIR> d-------- C:\Program Files\CCleaner
2008-07-19 21:19 . 2008-07-22 17:53 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\CopyToDvd
2008-07-19 21:01 . 2008-07-19 21:01 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-19 21:00 . 2008-07-19 21:10 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-19 21:00 . 2008-07-22 02:09 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-19 20:51 . 2008-07-22 23:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-07-19 20:51 . 2008-07-19 20:51 1,409 --a------ C:\WINDOWS\QTFont.for
2008-07-19 18:12 . 2008-07-19 21:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-19 18:12 . 2008-07-19 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-19 12:04 . 2008-07-19 12:04 <DIR> d-------- C:\Program Files\dvd43
2008-07-19 12:04 . 2008-07-19 12:04 18,816 --a------ C:\WINDOWS\system32\drivers\dvd43llh.sys
2008-07-19 11:55 . 2008-07-19 11:55 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\DivX
2008-07-19 11:14 . 2008-07-21 23:32 74 --a------ C:\WINDOWS\Logic
2008-07-19 03:13 . 2008-07-19 03:13 82 --a------ C:\WINDOWS\Getting Started.htm
2008-07-19 03:13 . 2008-07-21 22:00 75 --a------ C:\WINDOWS\Verbal
2008-07-19 03:13 . 2008-07-21 23:41 75 --a------ C:\WINDOWS\Memory
2008-07-19 02:29 . 2008-07-19 03:11 76 --a------ C:\WINDOWS\1
2008-07-19 02:27 . 2008-07-19 03:05 <DIR> d-------- C:\WINDOWS\system32\Brain Trainer
2008-07-19 02:27 . 2008-07-19 02:27 <DIR> d-------- C:\Program Files\Mindscape
2008-07-19 02:19 . 2008-07-19 02:19 <DIR> d-------- C:\Program Files\PowerISO
2008-07-19 01:11 . 2008-07-19 01:11 <DIR> d-------- C:\Program Files\Brain Spa
2008-07-19 01:11 . 2008-07-19 01:11 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Ubisoft
2008-07-19 00:09 . 2008-07-21 21:59 729 --a------ C:\WINDOWS\0
2008-07-19 00:09 . 2008-07-21 21:59 73 --a------ C:\WINDOWS\Times New Roman
2008-07-18 23:31 . 2008-07-18 23:31 <DIR> d-------- C:\Program Files\Common Files\CyberLink
2008-07-18 23:30 . 2001-08-17 22:43 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-18 23:28 . 2008-07-18 23:28 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\CyberLink
2008-07-18 23:13 . 2008-07-18 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-18 23:08 . 2008-07-18 23:08 31 --a------ C:\WINDOWS\papp.ini
2008-07-18 22:38 . 2008-07-18 22:38 32 --a------ C:\WINDOWS\PracticalTest.ini
2008-07-18 21:59 . 2008-07-18 21:59 <DIR> d-------- C:\Program Files\Absolute Media Software
2008-07-18 01:17 . 2008-07-18 01:17 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\Ahead
2008-07-18 01:16 . 2008-07-18 01:16 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\DivX
2008-07-18 01:11 . 2008-07-18 01:11 <DIR> d-------- C:\Documents and Settings\Jenna\Application Data\BitDefender
2008-07-18 01:11 . 2008-07-23 03:58 <DIR> d-------- C:\Documents and Settings\Jenna
2008-07-18 01:06 . 2008-07-18 01:06 <DIR> d-------- C:\Program Files\Moss Bay Software
2008-07-18 00:48 . 2008-07-18 00:48 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Systweak
2008-07-18 00:38 . 2008-07-18 00:38 <DIR> d-------- C:\Documents and Settings\Paul\Downloads
2008-07-18 00:37 . 2008-07-18 00:37 <DIR> d-------- C:\Program Files\NewsLeecher
2008-07-18 00:37 . 2008-07-18 01:07 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\NewsLeecher
2008-07-18 00:30 . 2008-07-18 00:30 <DIR> d-------- C:\Program Files\SmartSound Software
2008-07-18 00:30 . 2008-07-19 01:33 <DIR> d-------- C:\Program Files\DivX
2008-07-18 00:30 . 2008-07-18 00:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2008-07-18 00:28 . 2008-07-18 00:44 <DIR> d-------- C:\Program Files\Neuro-Programmer 2 Professional
2008-07-18 00:27 . 2008-07-18 23:19 <DIR> d-------- C:\Program Files\Cyberlink
2008-07-18 00:26 . 2008-07-18 00:26 <DIR> d-------- C:\Program Files\QuickTime
2008-07-18 00:24 . 2008-07-18 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-18 00:23 . 2008-07-18 00:23 <DIR> d-------- C:\MyWorks
2008-07-17 23:28 . 2008-07-17 23:28 <DIR> d-------- C:\Program Files\Driving Test Success 2006-2007
2008-07-17 23:28 . 2008-07-18 23:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Driving Test Success
2008-07-17 23:24 . 2008-07-17 23:24 <DIR> d-------- C:\{3B07D847-8077-4242-91C7-DFA3CE5113E0}
2008-07-17 23:23 . 2008-07-17 23:24 <DIR> d-------- C:\MWASPI
2008-07-17 23:23 . 2008-07-17 23:23 133 --a------ C:\WINDOWS\msfsetup.ini
2008-07-17 23:20 . 2008-07-17 23:20 <DIR> d-------- C:\Program Files\PIXELA
2008-07-17 23:20 . 2008-07-17 23:20 <DIR> d-------- C:\Program Files\Caplio Software
2008-07-17 23:13 . 2008-07-17 23:15 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-07-17 22:58 . 2008-07-17 22:58 <DIR> d-------- C:\Program Files\XviD
2008-07-17 22:58 . 2008-07-19 11:58 <DIR> d-------- C:\Program Files\AoA DVD Ripper
2008-07-17 22:58 . 2006-08-23 22:08 1,839,104 --a------ C:\WINDOWS\system32\avcodec-51.dll
2008-07-17 22:57 . 2008-07-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\1Click DVD Copy Pro
2008-07-17 22:56 . 2008-07-17 22:56 <DIR> d-------- C:\Program Files\LG Software Innovations
2008-07-17 22:53 . 2008-07-17 22:53 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-17 22:50 . 2008-07-17 22:50 <DIR> d-------- C:\Program Files\VSO
2008-07-17 22:50 . 2008-07-22 17:53 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Vso
2008-07-17 22:50 . 2008-07-17 22:50 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-07-17 22:50 . 2008-07-17 22:50 47,360 --a------ C:\Documents and Settings\Paul\Application Data\pcouffin.sys
2008-07-17 22:38 . 2008-07-23 04:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-17 22:31 . 2008-07-17 22:31 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-17 22:31 . 2005-08-25 21:00 140,288 --a------ C:\WINDOWS\system32\CNMLM7L.DLL
2008-07-17 22:31 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-17 22:31 . 2008-04-14 00:17 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-07-17 22:31 . 2005-08-25 21:00 8,704 --a------ C:\WINDOWS\system32\CNMVS7L.DLL
2008-07-17 22:30 . 2008-04-14 00:15 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-17 22:30 . 2008-04-14 00:15 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-17 22:30 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-17 22:30 . 2008-04-14 00:15 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Program Files\ScanSoft
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\ScanSoft
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanWizard
2008-07-17 22:20 . 2008-07-17 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SSScanAppDataDir
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-22 20:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 21:17 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-14 16:52 --------- d-----w C:\Program Files\VIA
2008-07-14 16:42 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-11 22:43 111,992 ----a-w C:\WINDOWS\system32\acaptuser32.dll
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 43,528 ----a-w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:07 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02319437-08C3-4EE5-8DD3-BFAB00582FD1}]
2008-07-23 01:39 323648 --a------ C:\WINDOWS\system32\iifcaBrq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-07-17 22:04 160592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 13:00 15360]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" [2006-11-09 10:19 204800]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-28 20:09 700416]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 16:41 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe" [2007-06-29 10:51 811008]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 14:01 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 14:01 86016]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-07-15 15:26 360448]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 11:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-07-18 00:26 282624]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 20:23 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 11:36 50472]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-05-19 15:24 91432]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-07-07 08:34 167936]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-04-09 10:00 826880]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-23 02:33 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2008-05-16 14:01 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=acaptuser32.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\iifcaBrq

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Vuze\\Azureus.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-07-23 02:33]
R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys [2007-03-26 08:26]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 04:36]
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys [2007-03-26 08:26]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-23 02:33]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-23 02:33]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-23 02:33]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 04:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-08ef696d - C:\WINDOWS\system32\erpyiciv.dll
SSODL-kvxqmtre-{3C5E1F15-D12B-449E-BEB3-A800FE6FC549} - (no file)
SSODL-evgratsm-{2280B776-3099-4352-B500-399D6E8B90C5} - (no file)
Notify-ddcBSMgG - ddcBSMgG.dll
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = www.google.com
O8 -: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 -: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 -: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 -: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 -: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 -: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 -: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 -: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 11:31:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\qrBacfii.ini 347 bytes
C:\WINDOWS\system32\qrBacfii.ini2 347 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\iifcaBrq.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-23 11:34:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-23 10:34:31

Pre-Run: 469,266,309,120 bytes free
Post-Run: 469,409,398,784 bytes free

302 --- E O F --- 2008-07-20 01:21:19

------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11, on 24/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Cyberlink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1216127127671
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: acaptuser32.dll,avgrsstx.dll,
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L.
- C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe -- End of file - 11869 bytes ------------------------------------------------ Malwarebytes' Anti-Malware 1.22 Database version: 972 Windows 5.1.2600 Service Pack 3 20:50:01 23/07/2008 mbam-log-7-23-2008 (20-50-01).txt Scan type: Quick Scan Objects scanned: 41295 Time elapsed: 1 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 6 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{8251d0ac-739b-4ef4-91cf-38f2b4ad4182} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\qndsfmao.bvqe (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully. 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iifcabrq -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\iifcaBrq.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\qrBacfii.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qrBacfii.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BM0bdc5af1.xml (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\BM0bdc5af1.txt (Trojan.Vundo) -> Quarantined and deleted successfully. I hope someone will be able to assist me here. I am at a loss... |
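Reading a HijackThis log like the one above by hand is slow, and the entries that deserve a second look are a small, predictable set: O20 AppInit_DLLs (code loaded into every process that uses user32), O4 autoruns launched from system32 under names that are not standard, O23 services with no publisher, and O16 ActiveX downloads from hosts other than Windows Update. The Malwarebytes log also shows the Vundo DLL registered under the LSA "Notification Packages" and "Authentication Packages" values, a persistence point HijackThis does not list, so the checker below covers that separately. This Python triage script is an added example, not code from this thread or from HijackThis or Malwarebytes; the sample log lines are constructed in the same entry format as the log above (the "xyzzabcd.exe" autorun and "example.invalid" host are invented), and the allowlists and the assumed XP defaults for the two LSA values are illustrative assumptions rather than a vetted reference.

```python
"""Triage helper for HijackThis-style logs and LSA package registry values.

Added example; not code from the thread, HijackThis or Malwarebytes.
Allowlists and LSA defaults below are assumptions for illustration.
"""
import re

# "O4 - HKCU\..\Run: [name] path" style entries.
HJT_LINE = re.compile(r"^(O\d+) - (.+?)$")
# First Windows path ending in .exe/.dll inside an entry, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

# Assumed allowlists (constructed for this example, not a vetted list).
KNOWN_APPINIT_DLLS = {"acaptuser32.dll", "avgrsstx.dll"}
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}
KNOWN_DPF_HOSTS = {"www.update.microsoft.com"}
# Typical Windows XP defaults for the two LSA package values (assumption).
DEFAULT_LSA = {
    "notification packages": {"scecli"},
    "authentication packages": {"msv1_0"},
}


def parse_hjt(text):
    """Return (section, body) pairs for each 'Onn - ...' line in a log."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def target_path(body):
    """Extract the executable/DLL path referenced by an entry, if any."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def triage_hjt(entries):
    """Return (section, reason) findings worth a human's attention."""
    findings = []
    for section, body in entries:
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every AppInit DLL is listed; unknown ones are the priority.
            dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
            for dll in dlls:
                status = "known" if dll.lower() in KNOWN_APPINIT_DLLS else "UNKNOWN"
                findings.append((section, f"AppInit DLL {dll} ({status}) loads into every GUI process"))
        elif section == "O4":
            path = target_path(body)
            if path and "\\windows\\system32\\" in path.lower():
                name = path.lower().rsplit("\\", 1)[-1]
                if name not in KNOWN_SYSTEM32_AUTORUNS:
                    findings.append((section, f"autorun from system32 not on allowlist: {path}"))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, f"service with no publisher information: {body}"))
        elif section == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            host = m.group(1) if m else "?"
            if host not in KNOWN_DPF_HOSTS:
                findings.append((section, f"ActiveX control downloaded from unrecognised host {host}"))
    return findings


def check_lsa_packages(value_name, data):
    """Return entries of an LSA package REG_MULTI_SZ that are not the assumed defaults."""
    expected = DEFAULT_LSA[value_name.lower()]
    return [d for d in data if d.lower() not in expected]


# Constructed sample log in the same format as the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKLM\..\Run: [xyzzabcd] C:\WINDOWS\system32\xyzzabcd.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/ctl.cab
O20 - AppInit_DLLs: acaptuser32.dll,avgrsstx.dll,
O23 - Service: Example Video Service (ExVid) - Unknown owner - C:\Program Files\Example\exvid.exe
"""

if __name__ == "__main__":
    for section, reason in triage_hjt(parse_hjt(SAMPLE_LOG)):
        print(section, reason)
    # Constructed registry data: the default package plus one stray entry.
    print(check_lsa_packages("Notification Packages", ["scecli", "zzrandom"]))
```

The point of the O20 rule is that AppInit DLLs are reported whether or not they are on the allowlist: the two in this thread belong to Acrobat and AVG, but the log format gives no vendor, so each one has to be confirmed by hand. The LSA check is where the Vundo entry in the Malwarebytes output would have shown up before any scanner named it.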
Re: Infected with Hoax.Win32.Renos.vaoz. Please Help!!

I managed to get the problem resolved. It was quite painstaking, but I'll summarize the other things I did to fix the problem.

- Visited Jotti (http://virusscan.jotti.org/) to find out which AV programs picked up the virus
- Only about 4 AV Progs detected the virus
- I uninstalled BitDefender and downloaded Kaspersky Internet Security after doing the free online scan.
- I ran the program and managed to delete the viruses.
- I ran Registry Mechanic again to get rid of any remnants of the old AVs.
- I ran ScanDisk to make sure all system errors were resolved

Kaspersky deleted the viruses with little fuss, but also picked up some security vulnerabilities. Most of these related to the QuickTime program. I didn't install this! It's a new PC, so it may have been pre-installed. I just uninstalled QuickTime, rather than doing an update. If you have QuickTime and don't use it, just uninstall all traces of it from your PC. It seems to be the cause of this virus to some degree. Moreover, it's not an essential program...

The PC is as good as new again and I'm taking active steps to prevent anything like this happening again. It was, in a word, hellish.
Re: Infected with Hoax.Win32.Renos.vaoz. Please Help!!

I'm having a similar problem. The Microsoft Malicious Software on-line tool found Win32/Renos and seems to have removed the self-install program so I don't get the annoying pop-up balloon, but I can't access virus-related websites nor can I run ComboFix, SpyBot or Registry Mechanic. They launch and I see them in the process window but nothing appears on the screen. I also can't create a restore point. I've tried running with minimal services and no start-up items with the same results.

Chuck
Re: Infected with Hoax.Win32.Renos.vaoz. Please Help!!

Hello,

First of all, a word of caution to ALL reading this thread: ComboFix is not a general-purpose cleaning tool and should not be used as such. ComboFix should only be used when asked by someone experienced in the use of this tool. Using this tool without supervision can cause problems with your computer. That is why ComboFix is NOT listed in our "Read me before posting a request for assistance" sticky. It also says that one of the tools the poster tried to use was

Quote:
Quote:

The detective work here was pretty good, using Jotti. Essentially SmitFraudFix usually removes this. Not certain about MBA-M. Sounds like the poster knew how to proceed, but I do want to caution ALL: please don't be using ComboFix unless directed to do so, as it can do damage to a computer with a problem which does not require its use. I would recommend that the poster should REMOVE ComboFix from the machine since it is such a specialized tool AND updates are issued for it on a fairly regular basis. This stand-alone program itself cannot be updated but requires an entirely new copy if a person is instructed to run it.

To uninstall ComboFix.exe and all backups of files that it deleted:
* Click START then RUN
* Now type Combofix /u in the run box and click OK. Note the space between the X and the U, it needs to be there.
* When shown the disclaimer, select "2".

Now, all of this noted, cpwhite, you need to begin your OWN thread, stating all the problems you are having, steps you have attempted to remove the problem, and also post any logs you may have. This thread is nearly 6 months old and one should ALWAYS begin his own thread. Create your own thread with all necessary info and we will be most happy to provide help and assistance.

Judy
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC