#1
Registered User
Join Date: Oct 2007
Posts: 7
OS: windows xp sp 2
constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Hi there. Recently my computer has been suffering from constant pop-up annoyances and browser redirecting problems. The problem first came to light a couple of days ago, when I first noticed the pop-ups appearing and redirecting me to ads for WinAntivirus2007, System Doctor etc. Also, sometimes when this happens I get an error message stating there has been a Visual C runtime error; upon pressing OK in the error dialogue box my Explorer, task bar etc. refreshes. Before finding my way here I tried VundoFix, and its search function came up with a number of files (maybe 8 or so). The program said it was able to clean some of them, but it was not able to delete vtsts.dll, awtqpqr.dll and ststv.ini, which are residing in my windows/system32 folder. I have followed the steps pointed out and would appreciate very much someone helping me out with this.
Here are my logs, as follows:

ActiveScan log:
Incident | Status | Location
Spyware:Spyware/Virtumonde | Not disinfected | C:\WINDOWS\system32\awtqpqr.dll
Adware:adware/block-checker | Not disinfected | Windows Registry
Spyware:Cookie/Adtech | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@adtech[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@atdmt[2].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@doubleclick[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@errorsafe[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@stats.drivecleaner[1].txt
Spyware:Cookie/Reliablestats | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@statse.webtrendslive[2].txt
Spyware:Cookie/Systemdoctor | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@systemdoctor[1].txt
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@tribalfusion[2].txt
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@winantispyware[1].txt
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@winantivirus[1].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@www.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\phill\Cookies\phill@www.errorsafe[1].txt
Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@247realmedia[1].txt
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@adrevolver[1].txt
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@adrevolver[2].txt
Spyware:Cookie/Adtech | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@adtech[2].txt
Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@advertising[1].txt
Spyware:Cookie/NewMedia | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@anm.co[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@atdmt[2].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@bs.serving-sys[1].txt
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@doubleclick[2].txt
Spyware:Cookie/Mediaplex | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@mediaplex[1].txt
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@questionmarket[1].txt
Spyware:Cookie/Serving-sys | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@serving-sys[1].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@statcounter[2].txt
Spyware:Cookie/WebtrendsLive | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@statse.webtrendslive[2].txt
Spyware:Cookie/Tradedoubler | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temp\Cookies\phill@tradedoubler[1].txt
Potentially unwanted tool:Application/DriveCleaner | Not disinfected | C:\Documents and Settings\phill\Local Settings\Temporary Internet Files\Content.IE5\P33ZO3NZ\installdrivecleanerstart[1].cab
Virus:Generic Malware | Disinfected | C:\Torrents\BrainWaves generator\Bwgen\Bwgen_Crack.exe
Virus:Generic Malware | Not disinfected | C:\Torrents\BrainWaves generator\Bwgen.rar[Bwgen\Bwgen_Crack.exe]
Hacktool:HackTool/EvID | Not disinfected | C:\Torrents\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Hacktool:HackTool/EvID | Not disinfected | C:\Torrents\New Folder\EvID4226Patch.exe
Virus:Generic Trojan | Disinfected | C:\Torrents\O&O Defrag 10 Professional\o&o.defrag.v10.0.build.1634.patch-MCCJ.exe
Spyware:Spyware/Virtumonde | Not disinfected | C:\VundoFix Backups\awtqpqr.dll.bad
Spyware:Spyware/Virtumonde | Not disinfected | C:\VundoFix Backups\tuvstqp.dll.bad

Deckard's System Scanner log:
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
-- Last 1 Restore Point(s) --
1: 2007-10-04 03:25:17 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 5.9 GiB (less than 15%) free.
-- HijackThis (run as phill.exe) -----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:27:40, on 04/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Torrents\dss.exe
C:\Torrents\phill.exe
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B64115FD-1395-49E8-BFBA-61E74C29E9C1} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\awtqpqr.dll
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://F:\setup\RiffLick.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: awtqpqr - C:\WINDOWS\SYSTEM32\awtqpqr.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
--
End of file - 6764 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 LF30FS - c:\program files\everstrike software\lock folder xp 3.6\lf30xp.sys
R3 AmdTools (AMD Special Tools Driver) - c:\windows\system32\drivers\amdtools.sys <Not Verified; AMD, Inc.; Special Tools Driver>
R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 US428 (US428 Driver) - c:\windows\system32\drivers\us428.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-428>
R3 Us428WdmService (US428 Wdm Audio) - c:\windows\system32\drivers\us428wdm.sys <Not Verified; Frontier Design Group, LLC; TASCAM US-428>
S3 KORGUMDS (KORG USB-MIDI Driver for Windows XP) - c:\windows\system32\drivers\korgumds.sys <Not Verified; KORG Inc.; KORG USB-MIDI Driver for Windows XP>
S3 MA_CMIDI (%EVOL_USB.SvcDesc%) - c:\windows\system32\drivers\ma_cmidi.sys <Not Verified; M-Audio; M-Audio USB MIDI Keyboard Interface>
S3 US428DL (US428 Firmware Downloader) - c:\windows\system32\drivers\us428dl.sys <Not Verified; Frontier Design Group; TASCAM US-428>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 bgsvcgen (B's Recorder GOLD Library General Service) - "c:\windows\system32\bgsvcgen.exe" <Not Verified; B.H.A Corporation; B's Recorder GOLD9>
R2 MA_CMIDI_InstallerService (M-Audio CMIDI Installer) - c:\program files\m-audio ma_cmidi\ma_cmidi_inst.exe <Not Verified; ; MA_CMIDI USB MIDI Installer Service>
S2 StarWindService (StarWind iSCSI Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindservice.exe (file missing)
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Service:
-- Scheduled Tasks -------------------------------------------------------------
2007-10-04 03:00:00 488 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
-- Files created between 2007-09-04 and 2007-10-04 -----------------------------
2007-10-04 03:54:47 0 d-------- C:\Program Files\SpywareBlaster
2007-10-03 18:50:36 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-03 17:42:43 0 d-------- C:\Program Files\Windows File Explorer
2007-10-03 17:15:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-03 17:15:20 0 d-------- C:\Program Files\Security Task Manager
2007-10-03 16:34:37 0 d-------- C:\VundoFix Backups
2007-10-02 18:08:20 0 d-------- C:\Program Files\Lavasoft
2007-10-02 18:08:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 15:19:02 0 d-------- C:\Program Files\Spyware Doctor
2007-10-02 15:19:02 0 d-------- C:\Documents and Settings\phill\Application Data\PC Tools
2007-10-02 15:16:16 86016 --a------ C:\WINDOWS\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2007-10-02 14:52:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-10-01 13:16:23 0 d-------- C:\Program Files\Alwil Software
2007-10-01 09:06:18 87104 --a------ C:\WINDOWS\system32\bqvbjouv.dll
2007-10-01 00:37:54 0 d-------- C:\Documents and Settings\phill\Application Data\LEAPS
2007-10-01 00:34:48 0 d-------- C:\Documents and Settings\phill\Application Data\Pegasys Inc
2007-10-01 00:30:51 56976 --a------ C:\WINDOWS\system32\GenSvcInst.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD9>
2007-10-01 00:30:51 33408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS <Not Verified; B.H.A Corporation; B's Recorder GOLD>
2007-10-01 00:30:51 122512 --a------ C:\WINDOWS\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD9>
2007-10-01 00:29:59 0 d-------- C:\Program Files\Pegasys Inc
2007-09-30 20:58:25 244832 -----n--- C:\WINDOWS\system32\vtsts.dll
2007-09-30 20:46:09 0 d---s---- C:\Documents and Settings\Administrator\UserData
2007-09-30 20:45:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-09-30 20:43:57 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-30 20:43:57 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-30 20:43:57 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-30 20:43:57 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-30 20:43:57 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-30 20:43:57 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-30 20:43:57 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-30 20:43:57 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-30 20:43:57 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-30 20:43:57 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-30 20:43:57 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-30 20:43:57 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-09-30 20:43:57 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-30 20:43:57 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-30 20:43:43 0 d-------- C:\WINDOWS\CSC
2007-09-30 20:42:25 44054 -----n--- C:\WINDOWS\system32\awtqpqr.dll
2007-09-30 20:42:23 341 --a------ C:\WINDOWS\retadpu1000520.exe
2007-09-30 18:52:03 0 d-------- C:\WINDOWS\system32\LogFiles
2007-09-30 18:52:03 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-30 18:51:36 0 d-------- C:\01ea9a70862e2fa3db78
2007-09-30 18:38:18 0 d-------- C:\Documents and Settings\phill\Application Data\Media Player Classic
2007-09-30 17:59:17 14994264 --a------ C:\WINDOWS\2.exe
2007-09-30 17:18:12 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-30 17:18:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-30 00:44:20 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-09-30 00:27:21 0 d-------- C:\Documents and Settings\phill\Application Data\SpywareBot
2007-09-29 23:48:20 0 d-------- C:\ConverterOutput
2007-09-29 23:47:14 262144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-29 23:47:14 395776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-29 23:47:14 112640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-29 23:47:14 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-29 23:47:13 0 d-------- C:\Program Files\Cucusoft
2007-09-23 20:55:26 0 d-------- C:\Program Files\Sonnox
2007-09-21 16:40:03 0 dr-h----- C:\Documents and Settings\phill\Application Data\SecuROM
2007-09-21 16:28:56 0 d-------- C:\Program Files\Sierra Entertainment
2007-09-21 14:19:18 0 d-------- C:\Program Files\Universal Extractor
2007-09-20 13:31:26 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 20:34:11 0 d-------- C:\Documents and Settings\phill\Application Data\Google
2007-09-19 20:33:12 0 d-------- C:\Program Files\Google
2007-09-19 20:33:12 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-19 11:32:09 0 d-------- C:\Program Files\MegaSpoof
2007-09-18 17:16:13 0 d-------- C:\Program Files\Power Tab Software
2007-09-17 19:23:00 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 19:23:00 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-17 19:22:58 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-17 19:22:58 739840 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-09-16 16:35:02 0 d-------- C:\Program Files\Bit Che
2007-09-09 22:24:55 0 d-------- C:\Program Files\Guitar Scales Method
2007-09-09 03:12:54 0 d-------- C:\Documents and Settings\phill\Application Data\ATTNaturalVoices
-- Find3M Report ---------------------------------------------------------------
2007-10-03 20:19:14 0 d-------- C:\Program Files\M-Audio MA_CMIDI
2007-10-02 18:22:39 0 d-------- C:\Documents and Settings\phill\Application Data\uTorrent
2007-10-02 18:07:41 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-01 16:42:19 112 --a------ C:\WINDOWS\system32\msvcsv60.dll
2007-10-01 16:42:19 112 --a------ C:\WINDOWS\msocreg32.dat
2007-09-30 21:00:30 0 d-------- C:\Program Files\VideoLAN
2007-09-30 20:30:57 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-30 20:29:09 0 d-------- C:\Documents and Settings\phill\Application Data\DivX
2007-09-30 20:19:33 0 d-------- C:\Program Files\DivX
2007-09-30 18:53:32 0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-30 18:06:22 0 d-------- C:\Program Files\MSN Messenger
2007-09-30 17:59:55 0 d-------- C:\Program Files\XviD
2007-09-25 18:01:57 0 d-------- C:\Program Files\KONAMI
2007-09-20 12:20:43 0 d-------- C:\Program Files\Windows Live Safety Center
2007-09-15 07:56:11 304160 --a------ C:\StiImg.dat
2007-09-03 18:03:19 0 d-------- C:\Program Files\Ableton
2007-09-03 18:01:03 4636532 --a------ C:\WINDOWS\system32\TmpA2134906
2007-08-29 18:59:10 73 --a------ C:\WINDOWS\system32\ssprs.dll
2007-08-29 18:59:10 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2007-08-21 01:26:52 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-08-21 01:26:52 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-08-19 16:06:02 0 d-------- C:\Program Files\db-audioware
2007-08-15 23:33:14 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 23:30:26 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-08-15 19:06:08 0 d-------- C:\Documents and Settings\phill\Application Data\SopCast
2007-08-15 19:02:57 0 d-------- C:\Program Files\SopCast
2007-08-15 14:46:43 0 d-------- C:\Program Files\MSXML 6.0
2007-08-15 14:29:52 0 d-------- C:\Program Files\TVAnts
2007-08-11 16:27:51 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-09 19:30:01 0 d-------- C:\Program Files\Arturia
2007-08-04 01:14:38 0 d-------- C:\Program Files\Bome's Midi Translator
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B64115FD-1395-49E8-BFBA-61E74C29E9C1}]
30/09/2007 20:58 244832 --------- C:\WINDOWS\system32\vtsts.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}]
30/09/2007 20:42 44054 --------- C:\WINDOWS\system32\awtqpqr.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [28/06/2006 16:42]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [25/09/2006 10:12]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [14/09/2006 21:09]
"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [23/10/2005 01:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/09/2006 16:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [23/12/2006 07:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [14/03/2007 03:43]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [09/09/2006 10:16]
"LFAgent"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/05/2007 03:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06/09/2007 11:06]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 23:56]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [02/11/2006 14:43]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [21/07/2007 16:56:19]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C3352FCD-CFE5-4F35-831A-19C68DDB7CF4}"= C:\WINDOWS\system32\awtqpqr.dll [30/09/2007 20:42 44054]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqpqr]
awtqpqr.dll 30/09/2007 20:42 44054 C:\WINDOWS\system32\awtqpqr.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\vtsts
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
-- End of Deckard's System Scanner: finished at 2007-10-04 04:29:07 ------------
Last edited by caldo; 10-03-2007 at 10:18 PM.
#2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that & a fresh HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
__________________
Question - what have you done for the community today?

#3
Registered User
Join Date: Oct 2007
Posts: 7
OS: windows xp sp 2
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Hi Subs, Thanks for your reply; your help is much appreciated. I have carried out the steps you asked. I must catch up on some well-needed sleep right now, but I look forward to your reply and also to tackling this refreshed.
Here are the logs:

ComboFix log:
ComboFix 07-10-04.5 - phill 2007-10-04 6 08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1547 [GMT 1:00]
Running from: C:\Torrents\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\2.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\retadpu1000520.exe
C:\WINDOWS\system32\awtqpqr.dll
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\vtsts.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.
2007-10-04 06:02 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 04:24 <DIR> d-------- C:\Deckard
2007-10-04 03:54 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-10-03 18:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-03 17:42 <DIR> d-------- C:\Program Files\Windows File Explorer
2007-10-03 17:15 <DIR> d-------- C:\Program Files\Security Task Manager
2007-10-03 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-03 16:34 <DIR> d-------- C:\VundoFix Backups
2007-10-02 18:29 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-02 18:29 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-02 18:29 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-02 18:29 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-02 18:29 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-02 18:29 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-10-02 18:29 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-02 18:08 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-02 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-02 15:19 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-02 15:19 59,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-02 15:19 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-02 15:19 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-10-02 15:19 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-02 15:19 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-02 15:19 <DIR> d-------- C:\Documents and Settings\phill\Application Data\PC Tools
2007-10-02 15:16 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-10-02 14:44 3,584 -----c--- C:\WINDOWS\system32\dllcache\WgaLogon.dll
2007-10-02 14:44 12,800 -----c--- C:\WINDOWS\system32\dllcache\WgaTray.exe
2007-10-01 16:34 <DIR> d-------- C:\Temp\gateway
2007-10-01 13:16 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-01 13:16 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-01 13:16 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-01 13:16 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-01 13:16 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-01 13:16 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-01 13:16 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-01 13:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-01 09:06 87,104 --a------ C:\WINDOWS\system32\bqvbjouv.dll
2007-10-01 00:37 <DIR> d-------- C:\Documents and Settings\phill\Application Data\LEAPS
2007-10-01 00:34 <DIR> d-------- C:\Documents and Settings\phill\Application Data\Pegasys Inc
2007-10-01 00:30 56,976 --a------ C:\WINDOWS\system32\GenSvcInst.exe
2007-10-01 00:30 33,408 --a------ C:\WINDOWS\system32\drivers\CDRBSDRV.SYS
2007-10-01 00:30 122,512 --a------ C:\WINDOWS\system32\bgsvcgen.exe
2007-10-01 00:29 <DIR> d-------- C:\Program Files\Pegasys Inc
2007-09-30 20:46 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2007-09-30 18:52 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-09-30 18:52 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-09-30 18:51 <DIR> d-------- C:\01ea9a70862e2fa3db78
2007-09-30 18:38 <DIR> d-------- C:\Documents and Settings\phill\Application Data\Media Player Classic
2007-09-30 17:18 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-30 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-30 00:44 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-09-30 00:44 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2007-09-30 00:44 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-09-30 00:37 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-09-30 00:27 <DIR> d-------- C:\Documents and Settings\phill\Application Data\SpywareBot
2007-09-29 23:48 <DIR> d-------- C:\ConverterOutput
2007-09-29 23:47 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-29 23:47 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-29 23:47 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-29 23:47 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-29 23:47 <DIR> d-------- C:\Program Files\Cucusoft
2007-09-23 20:55 <DIR> d-------- C:\Program Files\Sonnox
2007-09-21 16:40 <DIR> dr-h----- C:\Documents and Settings\phill\Application Data\SecuROM
2007-09-21 16:28 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-09-21 14:19 <DIR> d-------- C:\Program Files\Universal Extractor
2007-09-20 13:31 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-19 20:34 <DIR> d-------- C:\Documents and Settings\phill\Application Data\Google
2007-09-19 20:33 <DIR> d-------- C:\Program Files\Google
2007-09-19 20:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-19 11:32 <DIR> d-------- C:\Program Files\MegaSpoof
2007-09-18 17:16 <DIR> d-------- C:\Program Files\Power Tab Software
2007-09-17 19:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 19:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 19:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 19:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-16 16:35 <DIR> d-------- C:\Program Files\Bit Che
2007-09-12 00:14 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-09 22:24 <DIR> d-------- C:\Program Files\Guitar Scales Method
2007-09-09 03:12 <DIR> d-------- C:\Documents and Settings\phill\Application Data\ATTNaturalVoices
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-03 20:19 --------- d-------- C:\Program Files\M-Audio MA_CMIDI
2007-10-02 18:22 --------- d-------- C:\Documents and Settings\phill\Application Data\uTorrent
2007-10-02 18:07 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 14:06 --------- d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-09-30 21:00 --------- d-------- C:\Program Files\VideoLAN
2007-09-30 20:30 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-30 20:29 --------- d-------- C:\Documents and Settings\phill\Application Data\DivX
2007-09-30 20:19 --------- d-------- C:\Program Files\DivX
2007-09-30 18:53 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-09-30 18:06 --------- d-------- C:\Program Files\MSN Messenger
2007-09-30 17:59 --------- d-------- C:\Program Files\XviD
2007-09-25 18:01 --------- d-------- C:\Program Files\KONAMI
2007-09-20 12:20 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-09-03 18:03 --------- d-------- C:\Program Files\Ableton
2007-08-19 16:06 --------- d-------- C:\Program Files\db-audioware
2007-08-15 23:33 43528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-08-15 19:06 --------- d-------- C:\Documents and Settings\phill\Application Data\SopCast
2007-08-15 19:02 --------- d-------- C:\Program Files\SopCast
2007-08-15 14:46 --------- d-------- C:\Program Files\MSXML 6.0 2007-08-15 14:43 360576 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL 2007-08-15 14:43 360576 --a------ C:\WINDOWS\system32\drivers\TCPIP.SYS 2007-08-15 14:29 --------- d-------- C:\Program Files\TVAnts 2007-08-09 19:30 --------- d-------- C:\Program Files\Arturia 2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys 2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys 2007-08-04 01:14 --------- d-------- C:\Program Files\Bome's Midi Translator 2007-03-26 22:15 87608 --a------ C:\Documents and Settings\phill\Application Data\ezpinst.exe 2007-03-26 22:15 47360 --a------ C:\Documents and Settings\phill\Application Data\pcouffin.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "amd_dc_opt"="C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 16:42] "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 21:09] "H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 01:00] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-12-23 07:36] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 10:16] "LFAgent"="" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56] "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [] "SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 14:43] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" R2 LF30FS;LF30FS;\??\C:\Program Files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys R3 US428;US428 Driver;C:\WINDOWS\system32\Drivers\US428.sys R3 Us428WdmService;US428 Wdm Audio;C:\WINDOWS\system32\Drivers\US428Wdm.sys S3 KORGUMDS;KORG USB-MIDI Driver for Windows XP;C:\WINDOWS\system32\Drivers\KORGUMDS.SYS S3 MA_CMIDI;%EVOL_USB.SvcDesc%;C:\WINDOWS\system32\drivers\ma_cmidi.sys S3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys S3 US428DL;US428 Firmware Downloader;C:\WINDOWS\system32\Drivers\US428DL.sys . Contents of the 'Scheduled Tasks' folder "2007-10-04 02:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job" - C:\Program Files\SpywareBot\SpywareBot.exe . ************************************************************************** catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-10-04 06:24:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-10-04 6:25:47 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-10-04 06:25 . 
--- E O F --- Hijack This log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 06:29:31, on 04/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\bgsvcgen.exe C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Torrents\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - 
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\amd_dc_opt\amd_dc_opt.exe" O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [avast!] 
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - file://F:\setup\RiffLick.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! 
Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing) O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe -- End of file - 6412 bytes Last edited by sUBs; 10-03-2007 at 11:48 PM. |
#4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
---------------
Open Notepad and copy/paste the text in the quotebox below into it:
Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/185739-constant-popups-browser-hijacking-vundo-vtsts-dll-awtqpqr-dll-ststv-ini.html
Collect::
C:\WINDOWS\system32\bqvbjouv.dll
File::
C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
Folder::
C:\VundoFix Backups
C:\Documents and Settings\phill\Application Data\SpywareBot
C:\Program Files\SpywareBot

Referring to the picture above, drag CFScript.txt into ComboFix.exe. When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip. Please submit this file before proceeding to the next step.
---------------
Click here to perform an online scan >> Online Scanner
---------------
In your next post, please include fresh logs from:
__________________
Question - what have you done for the community today?
#5
Registered User
Join Date: Oct 2007
Posts: 7
OS: windows xp sp 2
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Hi again sUBs, I managed to carry out all that you asked with no problems. My system seems to be a lot more stable now. The popups have stopped and I haven't had the runtime error occur since I ran ComboFix. Here are the logs you requested, and thanks again for your effort.
HijackThis log:
ComboFix log:
Kaspersky log:
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\phill\Cookies\index.dat Object is locked skipped C:\Documents and Settings\phill\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped C:\Documents and Settings\phill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\phill\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\phill\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\phill\Local Settings\History\History.IE5\MSHist012007100420071005\index.dat Object is locked skipped C:\Documents and Settings\phill\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\phill\NTUSER.DAT Object is locked skipped C:\Documents and Settings\phill\ntuser.dat.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\qoobox\Quarantine\C\VundoFix Backups\awtqpqr.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\qoobox\Quarantine\C\VundoFix Backups\tuvstqp.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\qoobox\Quarantine\catchme2007-10-04_ 62426.45.zip/awtqpqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\qoobox\Quarantine\catchme2007-10-04_ 62426.45.zip ZIP: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume 
Information\_restore{D49955B6-217B-40E0-B6FD-EFC5FBD07E71}\RP2\A0000031.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped C:\System Volume Information\_restore{D49955B6-217B-40E0-B6FD-EFC5FBD07E71}\RP5\change.log Object is locked skipped C:\Torrents\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\setup.exe/data0003 Infected: not-a-virus:FraudTool.Win32.BPSSpywareRemover.a skipped C:\Torrents\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\setup.exe Inno: infected - 1 skipped C:\Torrents\Sonic Reality Sonik Capsules\SampleLab Drum Fundamentals Multiformat\CD1.rar Object is locked skipped C:\Torrents\Sonic Reality Sonik Capsules\SampleLab Drum Fundamentals Multiformat\CD2.rar Object is locked skipped C:\Torrents\Sonic Reality Sonik Capsules\SampleLab Drum Fundamentals Multiformat\CD3.rar Object is locked skipped C:\Torrents\Sonic Reality Sonik Capsules\SampleLab Drum Fundamentals Multiformat\cobalt.nfo Object is locked skipped C:\Torrents\Sonic Reality Sonik Capsules\SampleLab Drum Fundamentals Multiformat\SBG.nfo Object is locked skipped C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso/$OEM$/$$/system32/cmdow.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso/AUTO/001SYS32.exe/data.rar/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso/AUTO/001SYS32.exe/data.rar Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso/AUTO/001SYS32.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped C:\Torrents\Windows vo0XP\vo0xp.rar RAR: infected - 5 skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{1C5DCAEB-DD72-439D-AB73-5324668999DE}.bin Object is locked skipped 
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\perfs.exe Infected: Trojan-Downloader.Win32.Agent.drw skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped 
C:\WINDOWS\Temp\Perflib_Perfdata_6e0.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped D:\System Volume Information\_restore{D49955B6-217B-40E0-B6FD-EFC5FBD07E71}\RP5\change.log Object is locked skipped Scan process completed. Last edited by sUBs; 10-04-2007 at 05:04 PM. |
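An added example, not part of the thread and not one of the tools used in it: a small Python triage script for a Kaspersky Online Scanner report like the one above. Most of the 100-odd lines are "Object is locked skipped" noise (registry hives, event logs, index.dat files), and most of the real detections are copies that already sit in a quarantine folder, in a System Restore snapshot, or inside a downloaded archive. The script separates the three line shapes the report uses (an "Infected:" hit, a locked object, and an archive summary such as "RAR: infected - 5"), collapses archive members onto their top-level archive, and groups the hits by where they live. The sample input is a constructed subset of lines copied from the report; the location categories and the path patterns that define them are my own assumptions, not anything Kaspersky itself reports.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the Kaspersky Online
# Scanner report posted above, including the "locked" noise it emits.
SAMPLE_REPORT = r"""
C:\Deckard\System Scanner\backup\DOCUME~1\phill\LOCALS~1\Temp\GUQF296\vh.exe Infected: Virus.Win32.Virut.t skipped
C:\Documents and Settings\phill\NTUSER.DAT Object is locked skipped
C:\qoobox\Quarantine\C\VundoFix Backups\awtqpqr.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\catchme2007-10-04_ 62426.45.zip/awtqpqr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\qoobox\Quarantine\catchme2007-10-04_ 62426.45.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{D49955B6-217B-40E0-B6FD-EFC5FBD07E71}\RP2\A0000031.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Torrents\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\setup.exe/data0003 Infected: not-a-virus:FraudTool.Win32.BPSSpywareRemover.a skipped
C:\Torrents\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\setup.exe Inno: infected - 1 skipped
C:\Torrents\Windows vo0XP\vo0xp.rar/vo0xp.iso/AUTO/001SYS32.exe/data.rar/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
C:\Torrents\Windows vo0XP\vo0xp.rar RAR: infected - 5 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\perfs.exe Infected: Trojan-Downloader.Win32.Agent.drw skipped
"""

# The three line shapes visible in the report. Paths contain spaces, so the
# path group is lazy and the fixed marker text after it does the splitting.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>\w+): infected - (?P<count>\d+) (?P<action>\w+)$")

# Assumed location categories. First matching rule wins; anything that does
# not match is treated as the live system and is what actually needs action.
LOCATION_RULES = [
    ("quarantine", re.compile(r"\\qoobox\\|\\vundofix backups\\|\\deckard\\system scanner\\backup\\", re.I)),
    ("system_restore", re.compile(r"\\system volume information\\_restore", re.I)),
    ("downloads", re.compile(r"^[a-z]:\\torrents\\", re.I)),
]


def classify_location(path):
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "live"


def top_level_path(path):
    """Strip the in-archive part: 'x.rar/y.iso/z.exe' -> 'x.rar'.
    Kaspersky separates nested archive members with '/', which never occurs
    in a Windows file-system path, so the split is unambiguous."""
    return path.split("/", 1)[0]


def parse_report(text):
    """Return (detections, locked_paths, containers) for the report lines.
    Each detection is a dict with path, name, location and top-level file."""
    detections, locked, containers = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            detections.append({
                "path": path,
                "name": m.group("name"),
                "location": classify_location(path),
                "file": top_level_path(path),
            })
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers.append((m.group("path"), m.group("fmt"), int(m.group("count"))))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return detections, locked, containers


def triage(text):
    """Group the files that carry a detection by where they live. Archive
    members collapse onto their archive, so one infected .rar is one item."""
    detections, _, _ = parse_report(text)
    groups = defaultdict(set)
    for d in detections:
        groups[d["location"]].add(d["file"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for location, files in sorted(triage(SAMPLE_REPORT).items()):
        print(f"[{location}]")
        for f in files:
            print("   ", f)
```

On the sample, the only hit on the live system is C:\WINDOWS\system32\perfs.exe; the rest are quarantine copies (qoobox, VundoFix Backups, the Deckard backup), one System Restore snapshot, and two downloaded archives. Those three groups each want a different action (delete the quarantine folders, flush restore points once clean, delete the downloads) rather than disinfection, which is why a flat "15 infected objects" count overstates what is actually running on the box.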
#6
Registered User
Join Date: Oct 2007
Posts: 7
OS: windows xp sp 2
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Sorry, I forgot to mention that I searched my Add/Remove Programs list for the Spybot program you mentioned but could not find anything relating to that program. I also went through everything else in there but did not notice anything suspicious.
#7
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Please upload this file:

C:\WINDOWS\system32\perfs.exe

to this website: http://www.bleepingcomputer.com/subm....php?channel=4

Kindly include a link to this topic in the message.
__________________
Question - what have you done for the community today?

#9
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

```bat
@echo off
rem Start a fresh log of anything that could not be removed.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files flagged by the Kaspersky scan: delete them regardless of
rem read-only/hidden attributes and record any that survive.
for %%g in (
    "C:\Torrents\BulletProofSoft.BPS.Spyware.Adware.Remover.v9.3.0.6.WinALL.RETAIL-ARN\setup.exe"
    "C:\WINDOWS\system32\perfs.exe"
) do (
    del /a/f %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Quarantine and backup folders left by VundoFix, Deckard and ComboFix:
rem remove the whole tree and record any that survive.
for %%g in (
    "%systemdrive%\VundoFix Backups"
    %systemdrive%\Deckard
    %systemdrive%\Qoobox
) do (
    rd /s/q %%g >nul 2>&1
    if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Show the log if anything was left behind, otherwise report success.
if exist "%temp%\log.txt" (
    start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

rem Pause 7 seconds (nircmd is left on the system by ComboFix) so the
rem message can be read, then delete this script.
nircmd wait 7000
del %0
```

It should look like this:

Double click on fix.bat & allow it to run.

Post back to tell me what it says.
#11
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,348
OS: N/A
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
#12
Registered User
Join Date: Oct 2007
Posts: 7
OS: windows xp sp 2
Re: constant popups and browser hijacking (vundo?) vtsts.dll awtqpqr.dll ststv.ini
Just completing those final steps now. It's good to feel clean again.

Thanks ever so much for all your time and effort, sUBs.