win antivirus

Hi there,

I had been using the free version of Avast for a while, when my ISP offered me a programme they recommended. I accepted because of “win antivirus”; basically this had taken over my computer, at least I’m pretty sure it was them. Using the offered antivirus software seemed okay for a while, but then it was worse than ever: every document and most web pages now have the phrases “software”, “install” and many others highlighted as a hyperlink which goes to - you guessed it - bloody “win antivirus”.

Reinstalled Avast and it got rid of heaps of viruses which the other had let through! But now the “win antivirus” is back.

Please, is there any way I can get rid of this?

Thank you, Steve

Use RogueRemover from www.malwarebytes.org.
Are you really sure that it was your ISP which recommended this rogue program?
If so, I’d change the ISP…

I think he means WinAntivirus has/had infected his system and his ISP advised him to use (most likely) McAfee or Norton (which are both crap).

stevenkaz, please have a look at ache.nl (www.ache.nl) and follow the instructions there to clean your system properly.

Thanks for that, guys.
Used the ‘CCleaner’ at ‘ache’, got rid of tons of stuff; still getting the crap coming through, but a lot less.

thank you for your help

Steve

What are you still getting? We should get rid of it all so it doesn’t get worse.

Still getting banners from ‘winantivirus’, and sometimes the computer keeps opening new tabs continuously, about 2 every second. Am using IE7.

Really appreciate this, thank you.

Spybot Search & Destroy

http://en.wikipedia.org/wiki/WinFixer#Removal

Did you follow what I posted in reply #1 before?

Vundo might be responsible for this.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

- Save HJTsetup.exe to your desktop.
- Double-click on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon, then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
- Click on “Edit > Select All”, then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Hi guys,
yep, followed all up to now, thank you. Below are logs from ComboFix and HijackThis.
Thank you, Steve

ComboFix 07-08-14.4 - "OURS" 2007-08-18 23:09:55.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.661 [GMT 9.5:30]

  • Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\OURS\APPLIC~1\tmp113.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp12.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp121.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp122.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp13B.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp13C.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp16.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp171.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp196.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp197.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp1A0.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp1B.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp1FA.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp215.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp250.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp251.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp29A.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2B.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2B1.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2BA.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2D.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp2E.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp30E.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp31.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp319.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp34.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp371.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp398.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp486.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp4C.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp4F0.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp54.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp55.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp550.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp5AE.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp61.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp73.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp78.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp88.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp8BB.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp8F.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmp9827.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpB6.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpC7.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpD6.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpDE.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpE1.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpE2.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpE3.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpE9E5.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpEA6A.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpF.tmp.exe
C:\DOCUME~1\OURS\APPLIC~1\tmpF5.tmp.exe
C:\WINDOWS\awwvsq.dll
C:\WINDOWS\cbbbcf.ini
C:\WINDOWS\cfhihk.ini
C:\WINDOWS\ddggjl.ini
C:\WINDOWS\dgfhkj.ini
C:\WINDOWS\efcaax.dll
C:\WINDOWS\efcawx.dll
C:\WINDOWS\efcday.dll
C:\WINDOWS\efeggh.ini
C:\WINDOWS\ehiknn.ini
C:\WINDOWS\fcbbbc.dll
C:\WINDOWS\hggefe.dll
C:\WINDOWS\hhgfii.ini
C:\WINDOWS\iifghh.dll
C:\WINDOWS\jkhfgd.dll
C:\WINDOWS\jkjghe.dll
C:\WINDOWS\khigfg.dll
C:\WINDOWS\khihfc.dll
C:\WINDOWS\ljggdd.dll
C:\WINDOWS\nmorqr.ini
C:\WINDOWS\nnkihe.dll
C:\WINDOWS\nnolkj.dll
C:\WINDOWS\oqrrru.ini
C:\WINDOWS\qonlki.dll
C:\WINDOWS\rqpnlm.dll
C:\WINDOWS\rqppqo.dll
C:\WINDOWS\rqromn.dll
C:\WINDOWS\sruutv.ini
C:\WINDOWS\svutvw.ini
C:\WINDOWS\system32\dn320d180e.dat
C:\WINDOWS\system32\msc2gt.dll
C:\WINDOWS\system32\tmp122.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp13B.tmp.dll
C:\WINDOWS\system32\tmp15.tmp.dll
C:\WINDOWS\system32\tmp16.tmp.dll
C:\WINDOWS\system32\tmp171.tmp.dll
C:\WINDOWS\system32\tmp197.tmp.dll
C:\WINDOWS\system32\tmp1A0.tmp.dll
C:\WINDOWS\system32\tmp1FA.tmp.dll
C:\WINDOWS\system32\tmp251.tmp.dll
C:\WINDOWS\system32\tmp29A.tmp.dll
C:\WINDOWS\system32\tmp2E.tmp.dll
C:\WINDOWS\system32\tmp31.tmp.dll
C:\WINDOWS\system32\tmp319.tmp.dll
C:\WINDOWS\system32\tmp33.tmp.dll
C:\WINDOWS\system32\tmp34.tmp.dll
C:\WINDOWS\system32\tmp359.tmp.dll
C:\WINDOWS\system32\tmp372.tmp.dll
C:\WINDOWS\system32\tmp399.tmp.dll
C:\WINDOWS\system32\tmp44.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp54.tmp.dll
C:\WINDOWS\system32\tmp55.tmp.dll
C:\WINDOWS\system32\tmp550.tmp.dll
C:\WINDOWS\system32\tmp5D.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp6D.tmp.dll
C:\WINDOWS\system32\tmp73.tmp.dll
C:\WINDOWS\system32\tmp8F.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\tmp9827.tmp.dll
C:\WINDOWS\system32\tmpA94.tmp.dll
C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\system32\tmpC5.tmp.dll
C:\WINDOWS\system32\tmpCD.tmp.dll
C:\WINDOWS\system32\tmpE1.tmp.dll
C:\WINDOWS\system32\tmpE2.tmp.dll
C:\WINDOWS\system32\tmpE5.tmp.dll
C:\WINDOWS\system32\tmpE9E5.tmp.dll
C:\WINDOWS\urrrqo.dll
C:\WINDOWS\vtuurs.dll
C:\WINDOWS\wvtuvs.dll
C:\WINDOWS\xaacfe.ini
C:\WINDOWS\xwacfe.ini
C:\WINDOWS\yadcfe.ini
C:\WINDOWS\yaxurq.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))

2007-08-18 23:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 16:09 d-------- C:\Program Files\CCleaner
2007-08-15 11:03 d-------- C:\Program Files\MSXML 6.0
2007-08-15 11:01 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-14 13:53 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-08-14 13:53 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-14 13:53 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-14 13:53 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-14 13:53 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-14 13:53 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-14 13:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-14 13:53 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-13 20:07 d--hs---- C:\FOUND.002
2007-08-12 13:16 d-------- C:\DOCUME~1\OURS\APPLIC~1\Template
2007-08-02 14:21 d-------- C:\Program Files\The Creative Assembly
2007-07-22 11:33 d-------- C:\etax2007

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 14:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-19 16:30 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-16 16:02 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-16 16:02 --------- d-------- C:\Program Files\MSBuild
2007-07-13 09:01 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-12 22:53 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\F-Secure
2007-07-12 22:19 --------- d-------- C:\Program Files\Optus Internet Security Suite
2007-07-09 20:35 --------- d-------- C:\Program Files\SmartFTP Client
2007-07-09 20:35 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\SmartFTP
2007-07-09 07:59 --------- d-------- C:\Program Files\HyperVRE
2007-07-03 15:54 --------- d-------- C:\Program Files\SEUCDaS
2007-06-29 14:17 --------- d-------- C:\Program Files\NicheSponder
2007-06-28 00:05 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-28 00:05 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-28 00:04 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-28 00:04 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-28 00:04 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-28 00:04 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-28 00:04 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-28 00:04 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-28 00:04 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-28 00:04 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-28 00:04 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-28 00:04 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-28 00:04 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-28 00:04 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-28 00:04 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-28 00:04 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-28 00:04 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-28 00:04 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-28 00:04 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-28 00:04 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 19:48 --------- d-------- C:\Program Files\Salehoo Alert
2007-06-27 17:57 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 17:57 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 17:57 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 16:30 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-27 14:59 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\SlySoft
2007-06-27 14:55 --------- d-------- C:\Program Files\Elaborate Bytes
2007-06-27 14:53 --------- d-------- C:\Program Files\SlySoft
2007-06-27 14:29 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\CyberLink
2007-06-26 23:56 --------- d-------- C:\Program Files\Enigma Software Group
2007-06-26 22:39 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-26 22:39 --------- d-------- C:\Program Files\Ahead
2007-06-26 22:37 --------- d-------- C:\Program Files\CyberLink DVD Solution
2007-06-26 22:37 --------- d-------- C:\Program Files\CyberLink
2007-06-26 15:38 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 15:38 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-22 23:24 99904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-21 06:38 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-19 23:01 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 23:01 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-18 23:02 --------- d-------- C:\Program Files\WordToWebPage
2007-06-13 19:53 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 19:53 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-06-04 13:45 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-04 13:45 274432 --------- C:\WINDOWS\Setup1.exe
2007-06-02 23:07 37027 --a------ C:\WINDOWS\atmoUn.exe
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-05-14 15:47 C:\WINDOWS\SOUNDMAN.EXE]
"Aspire Schedule"="C:\Program Files\Aspire\WFTVFM\WFWIZ.exe" [2004-05-03 15:11]
"WinFast Schedule"="C:\Program Files\Aspire\WFTVFM\WFWIZ.exe" [2004-05-03 15:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2007-04-20 14:28]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 07:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"PowerBar"=""
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 15:35]

[HKEY_USERS.default\software\microsoft\windows\currentversion\runonce]
“RunNarrator”=Narrator.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:30:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
“appinit_dlls”=c:\windows\system32\vtsqqqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DTVRemote]
"C:\Program Files\LifeView DTV\RemoteControl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\L06ZXLRD_2125796]
"C:\Program Files\Microsoft Student\Microsoft Student DVD 2006\EDICT.EXE" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\L06ZXLRD_60680406]
"C:\Program Files\Microsoft Student\Microsoft Student DVD 2006\EDICT.EXE" -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Success Programmer Special Edition]
C:\Program Files\Success Programmer Special Edition\Success Programmer Special Edition.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViralShock]
C:\Program Files\ViralShock\ViralShock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)

R3 ovt519;D-Link VGA Webcam;C:\WINDOWS\system32\Drivers\ov519vid.sys
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe
S3 NUVision;NUVision Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe

Contents of the 'Scheduled Tasks' folder
2007-08-16 22:48:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-18 11:04:34 C:\WINDOWS\Tasks\User_Feed_Synchronization-{DF9AE4EA-1FAA-412E-8E06-5C076ED17214}.job


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 23:13:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?p?s???p??|??A~??A~?|???C~J?C~?Kf???C~|???4?A~X???C~???C~???A~???Z?A~????A~???Kf??Kf???|Jf???|???W?D~0?A~????A~??A~???C~X???|???,@?@???E]B~???,@

scanning hidden files …

scan completed successfully
hidden files: 0


Completion time: 2007-08-18 23:14:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-08-18 23:14

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:16:19, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [Aspire Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqo.dll
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


End of file - 7891 bytes

It looks like we’ve made some progress, but still a few things to take care of.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer and save it to your desktop.

Now open HJT and click Do a System Scan Only. When complete, place a check next to this line:

O20 - AppInit_DLLs: c:\windows\system32\vtsqqqo.dll

Then close all other windows, including your browser, and click Fix Checked.

Next, double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

c:\windows\system32\vtsqqqo.dll

Return to OTMoveIt, right-click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

After completing all of the above, post a fresh ComboFix and HJT log (run in that order) and also a WinPFind3U log:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.


If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Also upload C:\Program Files\ViralShock\ViralShock.exe to Virus Total and post the results of the scans. Is this a program you installed?

O20s are usually (not always) malicious and should be fixed.
Seems to be a trojan downloader: http://forums.techguy.org/malware-removal-hijackthis-logs/488866-solved-downloader-virus.html
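To make the triage reasoning in the two posts above concrete (the O20 AppInit_DLLs line singled out for fixing, and the remark that O20s are usually but not always malicious), here is an added example that is not code from this thread, from HijackThis or from ComboFix. It scans HijackThis log lines and flags three kinds of entry a reviewer would look at first: a populated O20 AppInit_DLLs value, O2/O3 browser add-ons whose file is gone, and O16 ActiveX downloads served from a bare IP address. The sample lines are copied from the log posted earlier in the thread; the rules, the `Finding` type and the wording of the reasons are my own heuristics, not HijackThis's logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample HijackThis log lines, copied from the log posted earlier in this thread
# (raw strings so the Windows backslashes survive as written).
SAMPLE_LOG = "\n".join([
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB",
    r"O20 - AppInit_DLLs: c:\windows\system32\vtsqqqo.dll",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
])


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    line: str      # the original log line, unchanged
    reason: str    # why a reviewer would look twice at it


# "O20 - AppInit_DLLs: ..." -> section "O20", body "AppInit_DLLs: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# http(s):// followed by a dotted-quad host, an optional port, then a path
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None means nothing to flag."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, ...
    section, body = m.group(1), m.group(2)

    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # an empty AppInit_DLLs value is the normal state
            return Finding(section, line,
                           "AppInit_DLLs loads the listed DLL into every process that "
                           "loads user32.dll; an unfamiliar DLL here is a classic infection marker")
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(section, line,
                       "browser helper object or toolbar whose DLL is missing: an orphaned "
                       "registration left behind by a removed or partially cleaned component")
    if section == "O16" and RAW_IP_URL_RE.search(body):
        return Finding(section, line,
                       "ActiveX download (DPF) served from a bare IP address rather than a vendor hostname")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log; returns the flagged entries in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {f.reason}")
```

Run against the sample it flags the orphaned O2 entry, the raw-IP O16 download and the O20 line the helper asked to have fixed, and stays quiet about the Avast, Java and Microsoft entries. It is a reading aid, not a verdict: as the post says, O20 entries are usually but not always malicious, so a flagged line still needs a look at the file itself (for instance the VirusTotal upload suggested above) before anything is removed.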

Hi guys,
done all you asked, and yes, ViralShock is a program I did install; it’s a marketing tool, albeit not very good, but my loss, eh?

Here is all you asked for; up to now it seems to be going OK - fingers crossed:

OTMoveIt:

File/Folder c:\windows\system32\vtsqqqo.dll not found.

Created on 08/20/2007 07:59:50

ComboFix:

ComboFix 07-08-14.4 - "OURS" 2007-08-20 8:02:36.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.730 [GMT 9.5:30]

((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))

2007-08-18 23:16 d-------- C:\Program Files\Trend Micro
2007-08-18 23:04 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 16:09 d-------- C:\Program Files\CCleaner
2007-08-15 11:03 d-------- C:\Program Files\MSXML 6.0
2007-08-15 11:01 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-14 13:53 95,608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-08-14 13:53 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-08-14 13:53 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-08-14 13:53 783,224 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-08-14 13:53 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-08-14 13:53 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-14 13:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-08-14 13:53 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-08-13 20:07 d--hs---- C:\FOUND.002
2007-08-12 13:16 d-------- C:\DOCUME~1\OURS\APPLIC~1\Template
2007-08-02 14:21 d-------- C:\Program Files\The Creative Assembly
2007-07-22 11:33 d-------- C:\etax2007

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-02 14:33 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-07-19 16:30 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-16 16:02 --------- d-------- C:\Program Files\Reference Assemblies
2007-07-16 16:02 --------- d-------- C:\Program Files\MSBuild
2007-07-13 09:01 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-12 22:53 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\F-Secure
2007-07-12 22:19 --------- d-------- C:\Program Files\Optus Internet Security Suite
2007-07-09 20:35 --------- d-------- C:\Program Files\SmartFTP Client
2007-07-09 20:35 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\SmartFTP
2007-07-09 07:59 --------- d-------- C:\Program Files\HyperVRE
2007-07-03 15:54 --------- d-------- C:\Program Files\SEUCDaS
2007-06-29 14:17 --------- d-------- C:\Program Files\NicheSponder
2007-06-28 00:05 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-28 00:05 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-28 00:04 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-28 00:04 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-28 00:04 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-28 00:04 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-28 00:04 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-28 00:04 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-28 00:04 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-28 00:04 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-28 00:04 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-28 00:04 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-28 00:04 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-28 00:04 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-28 00:04 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-28 00:04 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-28 00:04 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-28 00:04 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-28 00:04 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-06-28 00:04 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 19:48 --------- d-------- C:\Program Files\Salehoo Alert
2007-06-27 17:57 63488 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 17:57 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 17:57 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 16:30 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-27 14:59 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\SlySoft
2007-06-27 14:55 --------- d-------- C:\Program Files\Elaborate Bytes
2007-06-27 14:53 --------- d-------- C:\Program Files\SlySoft
2007-06-27 14:29 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\CyberLink
2007-06-26 23:56 --------- d-------- C:\Program Files\Enigma Software Group
2007-06-26 22:39 --------- d-------- C:\Program Files\Common Files\Ahead
2007-06-26 22:39 --------- d-------- C:\Program Files\Ahead
2007-06-26 22:37 --------- d-------- C:\Program Files\CyberLink DVD Solution
2007-06-26 22:37 --------- d-------- C:\Program Files\CyberLink
2007-06-26 15:38 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 15:38 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-22 23:24 99904 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-06-21 06:38 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-06-19 23:01 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 23:01 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 19:53 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 19:53 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-11 23:51 10834944 --a------ C:\WINDOWS\system32\dllcache\wmp.dll
2007-06-04 13:45 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-06-04 13:45 274432 --------- C:\WINDOWS\Setup1.exe
2007-06-02 23:07 37027 --a------ C:\WINDOWS\atmoUn.exe
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe

Hi there,
it keeps telling me I have already posted this reply and I hadn't, so I've attached them instead.

thank you, Steve


I would not consider viralshock a good business program, and it is most likely why you got infected. This program is an ad generator and list generator.

Just check the results of this Google search …

http://g.s.scandoo.com/search?hl=en&meta=on&q=viralshock

… and you will see what I mean. You do not need to visit any of these sites but just read the synopsis under several of the over 30 pages of results.

From the Prevx site …

The filename VIRALSHOCK.EXE was first seen on Jul 22 2007 in CHINA. The filename VIRALSHOCK.EXE refers to an executable program. It has file size of 409,400 bytes. This file has no vendor, product or version information specified in the file header.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Files/Folders - Created Within 30 days]
NY -> yycddd.ini -> %SystemRoot%\yycddd.ini
NY -> ybdfii.ini -> %SystemRoot%\ybdfii.ini
NY -> eghgjl.ini -> %SystemRoot%\eghgjl.ini
NY -> ijikmp.ini -> %SystemRoot%\ijikmp.ini
NY -> egiklm.ini -> %SystemRoot%\egiklm.ini
NY -> wwxbeg.ini -> %SystemRoot%\wwxbeg.ini
NY -> ppsrss.ini -> %SystemRoot%\ppsrss.ini
[Files/Folders - Modified Within 30 days]
NY -> setupapi.log.0.old -> %SystemRoot%\setupapi.log.0.old
NY -> bacdeg.ini -> %SystemRoot%\bacdeg.ini

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with new ComboFix, HJT, and WinPFind3U scans (sorry, I know it's a lot of work, but you were pretty deeply infected).

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.
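The WinPFind3U fix above deletes a set of six-letter .ini files dropped directly in %SystemRoot%, which is the file-naming pattern the helpers are reacting to in the ComboFix "Files Created" listing. The following Python script is an added example, not part of the original thread and not code from ComboFix or WinPFind3U: it parses lines in the ComboFix listing format, flags .ini files directly under C:\WINDOWS whose names are six lowercase letters and that were created in the last 30 days, and renders the hits in the WinPFind3U fix syntax used above. The sample log is constructed (the .ini names come from the fix, but their timestamps and sizes are made up), C:\WINDOWS as %SystemRoot% is an assumption, and the six-letter heuristic is a triage aid, not proof of infection: anything it flags should still be hashed and looked up (e.g. on VirusTotal) before it is deleted.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample in the ComboFix "Files Created" line format. It is NOT
# the log from the thread: the .ini names are the ones the WinPFind3U fix
# targets, but their timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
2007-08-18 23:04 51,200 --a------ C:\\WINDOWS\\nircmd.exe
2007-08-14 13:53 94,416 --a------ C:\\WINDOWS\\system32\\drivers\\aswmon2.sys
2007-08-13 20:07 d--hs---- C:\\FOUND.002
2007-08-10 09:12 1,024 --a------ C:\\WINDOWS\\yycddd.ini
2007-08-09 18:40 1,536 --a------ C:\\WINDOWS\\eghgjl.ini
2007-08-09 18:41 1,536 --a------ C:\\WINDOWS\\system.ini
2007-08-02 14:21 d-------- C:\\Program Files\\The Creative Assembly
2007-07-16 16:02 --------- d-------- C:\\Program Files\\MSBuild
2007-06-04 13:45 73216 --a------ C:\\WINDOWS\\ST6UNST.EXE
"""

# End of the "Files Created" window stated in the log header on this page.
LOG_END = datetime(2007, 8, 19)

# Assumption: default XP install, so %SystemRoot% is C:\WINDOWS.
SYSTEM_ROOT = PureWindowsPath(r"C:\WINDOWS")

# Legitimate .ini files that also live directly in %SystemRoot%.
KNOWN_INI = {"win.ini", "system.ini", "desktop.ini"}

# Shape of the dropped names listed in the fix: exactly six lowercase letters.
RANDOM_STEM = re.compile(r"^[a-z]{6}$")

# One ComboFix entry: "<date> <time> [<size>] <attrs> [<attrs>] <path>".
# Find3M directory lines carry two attribute fields, hence the optional second.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?"
    r"(?P<attrs>[A-Za-z-]{9})(?:\s+(?P<attrs2>[A-Za-z-]{9}))?\s+"
    r"(?P<path>.+?)\s*$"
)


def parse_entries(text):
    """Parse ComboFix file-listing lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The directory flag is the first character of either attribute field.
        is_dir = any(a and a[0] == "d" for a in (m["attrs"], m["attrs2"]))
        entries.append({
            "created": datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M"),
            "size": int(m["size"].replace(",", "")) if m["size"] else None,
            "is_dir": is_dir,
            "path": PureWindowsPath(m["path"]),
        })
    return entries


def flag_random_ini(entries, now, window_days=30):
    """Names of six-letter .ini files created directly in %SystemRoot% within
    the window. A triage heuristic only: verify each hit before deleting."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for e in entries:
        p = e["path"]
        if e["is_dir"] or e["created"] < cutoff:
            continue
        if p.parent != SYSTEM_ROOT:          # subdirectories are out of scope
            continue
        if p.suffix.lower() != ".ini" or p.name.lower() in KNOWN_INI:
            continue
        if RANDOM_STEM.match(p.stem):
            hits.append(p.name)
    return hits


def winpfind3u_fix_lines(names):
    """Render hits in the section / 'NY -> name -> path' syntax of the
    WinPFind3U fix pasted in the thread."""
    lines = ["[Files/Folders - Created Within 30 days]"]
    for n in names:
        lines.append(f"NY -> {n} -> %SystemRoot%\\{n}")
    return lines


if __name__ == "__main__":
    found = flag_random_ini(parse_entries(SAMPLE_LOG), LOG_END)
    print("\n".join(winpfind3u_fix_lines(found)))
```

Run against the sample, the script flags yycddd.ini and eghgjl.ini and leaves system.ini alone because of the allowlist; the Find3M-style directory line with two attribute fields is parsed as a directory rather than mis-read as a file named "d--------".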

In regard to viralshock.exe, the reason I question it is also the Prevx statement:

"The most common objects with the name of VIRALSHOCK.EXE are considered unsafe."

leaving the possibility that some processes by this name are OK. I would still like to see a VirusTotal scan on this file. If it's clean, so be it; if it's not, stevenkaz will need to make a decision. I'm inclined to agree with CharleyO's assessment.

to ALL of you,
thank you very much indeed, it is really nice to know there are guys out there who just like to help others.

I have done all you asked and my computer has not (touch wood) been acting 'independently' since.

once again, thank you
Steve :wink: :smiley: ;D :stuck_out_tongue: :-*