BIG boo boo, Hijackthis log included for your pleasure

Vizy

Hey guys, yeah it's me. I recently had my uxtheme.dll file patched, which opened up a new world of underground themes and all. I was trying out a few different websites, then I came across one which had a really cool theme. I downloaded it:
Then what do you know?? A virus warning came up with AVG 2008 Free Edition. I deleted the file, and deleted the recycle bin, then what? I was bombarded with AVG notifications. So then I went online to go download HijackThis, but my internet was slowing down... fast.

I then did a search in Google, 'hijackthis', and then I clicked a link... nothing. I tried every single link on the page, didn't work. I then clicked my bookmark for CF, that didn't work either. So I just typed in the address. That didn't work either. After that, I just disabled my wifi adapter, and I did an AVG scan. It came up with 1367 threats. It took out about a 1000 of them. Then it asked for a restart.

I said sure, then it restarted and then something weird happened: it went to the Windows login screen. It never does that, it just goes straight to my one and only account. So then I click my name and picture, or icon. Then it logs in, and logs out. I kept doing it and nothing happened. So I restarted the comp again, and again to no avail; I just hit safe mode with networking.

That is where I am typing this right now, and here is my HijackThis log.

btw, idk if this is important or not, but I ran HijackThis through safe mode. The only way I could. If I'm screwed, please tell me, I can just reformat it.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:43 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.bin
F:\Program Files\Mozilla Firefox\firefox.exe
J:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - F:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - F:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - F:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - F:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - F:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - F:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - F:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - F:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D981FB76-12FD-4033-A60D-2C445FEB19BB}: NameServer = 192.168.1.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6387 bytes
 
Sorry about the spelling and stuff. Also, I just wanna say thanks to whoever reads this thread and offers a wee bit of advice.
 
Hey,

Please download and run ComboFix, I would post my code, but I don't have my document here, at school :P
 
I downloaded it from the Bleeping Computer website. I saved it. Ran it. And an error came up. Apparently I'm missing the regedit.exe file from my Windows dir....

Thanks a lot cohen anyway. I really appreciate it. I hope you're enjoying school. I'm gonna try to see if I can reformat.
 
Ok, I got back into my regular account. I was greeted with another pop-up from AVG. Here is another HijackThis log, run from the infected account:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:29 PM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\RTHDCPL.EXE
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
F:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
F:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
F:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
F:\PROGRA~1\Stardock\OBJECT~2\DesktopX\dxwidget.exe
F:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Vishal\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - F:\Program Files\free-downloads.net\tbfree.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - F:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - F:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - F:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - F:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - F:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - F:\Program Files\free-downloads.net\tbfree.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - F:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - F:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - F:\Program Files\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "F:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Taskbar Shuffle] F:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DesktopX] "F:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui
O4 - HKCU\..\Run: [AlcoholAutomount] "F:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [TrueTransparency] "C:\Firefox Downloads\truetransparency-crystalxp.net-en-5139\TrueTransparency\TrueTransparency.exe"
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [Taskbar Shuffle] F:\Program Files\Taskbar Shuffle\taskbarshuffle.exe (User '?')
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [Yahoo! Pager] "F:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User '?')
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [DesktopX] "F:\Program Files\Stardock\Object Desktop\DesktopX\DesktopX Builder.exe" -noui (User '?')
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [AlcoholAutomount] "F:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - HKUS\S-1-5-21-1123561945-854245398-839522115-1004\..\Run: [TrueTransparency] "C:\Firefox Downloads\truetransparency-crystalxp.net-en-5139\TrueTransparency\TrueTransparency.exe" (User '?')
O4 - S-1-5-21-1123561945-854245398-839522115-1004 Startup: Fuzzy Friend.lnk = C:\Documents and Settings\Vishal\Local Settings\Temp\Temporary Directory 1 for fuzzy.zip\fuzzy.exe (User '?')
O4 - S-1-5-21-1123561945-854245398-839522115-1004 Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User '?')
O4 - Startup: Fuzzy Friend.lnk = C:\Documents and Settings\Vishal\Local Settings\Temp\Temporary Directory 1 for fuzzy.zip\fuzzy.exe
O4 - Startup: Stardock ObjectDock.lnk = F:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Display All Images with Full Quality - "res://F:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://F:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D981FB76-12FD-4033-A60D-2C445FEB19BB}: NameServer = 192.168.1.1,4.2.2.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - F:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - Unknown owner - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 10297 bytes
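As an added example (not from this thread), a small Python triage script for the HijackThis log format posted above. It parses the R/O item lines and flags the kinds of entries a helper looks at first: an autostart launched from a Temp directory (the Fuzzy Friend.lnk entry), an IE start page that is not a Microsoft default, missing URLSearchHooks, AppInit_DLLs entries and services without publisher info. The heuristics are mine, the sample lines are copied from the logs in this thread, and a flagged entry is a review item, not a verdict (avgrsstx.dll is AVG's resident shield and vssvc.exe is Windows' own Volume Shadow Copy service).

```python
import re
from collections import namedtuple

# Matches HijackThis item lines such as "O4 - HKLM\..\Run: [...] ..." and
# skips the header, the running-process list and the "End of file" footer.
HJT_ITEM = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

Finding = namedtuple("Finding", "section reason line")

# Path fragments that mean an autostart is launched from a temporary directory.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")
# Hostname Internet Explorer uses for its out-of-the-box start/search pages.
IE_DEFAULT_HOSTS = ("go.microsoft.com",)


def parse_hjt(text):
    """Return (section, body, raw_line) for every R/O item line in a log."""
    items = []
    for line in text.splitlines():
        m = HJT_ITEM.match(line.strip())
        if m:
            items.append((m.group("section"), m.group("body"), line.strip()))
    return items


def triage(text):
    """Flag entries worth a second look. A finding is a review item, not a verdict."""
    findings = []
    for section, body, raw in parse_hjt(text):
        low = body.lower()
        if section == "O4" and any(t in low for t in TEMP_MARKERS):
            findings.append(Finding(section, "autostart launched from a temp directory", raw))
        elif section in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip()
            # An empty value is just an unset page, not a hijack.
            if value and not any(h in value for h in IE_DEFAULT_HOSTS):
                findings.append(Finding(section, "IE start/search page is not a Microsoft default", raw))
        elif section == "R3" and ("(no file)" in low or "is missing" in low):
            findings.append(Finding(section, "URLSearchHook missing or pointing at an absent file", raw))
        elif section == "O20":
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so each entry must be tied to a known product (this one is AVG's).
            findings.append(Finding(section, "AppInit_DLLs entry; confirm the publisher", raw))
        elif section == "O23" and "unknown owner" in low:
            # Windows' own services (VSS, UPS, WMI adapter) show up this way too;
            # compare the path against a clean install before acting on it.
            findings.append(Finding(section, "service without publisher info; verify the binary", raw))
    return findings


# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Vishal\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - Default URLSearchHook is missing
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] F:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: Fuzzy Friend.lnk = C:\Documents and Settings\Vishal\Local Settings\Temp\Temporary Directory 1 for fuzzy.zip\fuzzy.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
--
End of file - 10297 bytes"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against a full log by reading the saved file into triage(); the six findings on the sample are the conduit start page, both R3 hooks, the Fuzzy Friend autostart, the AppInit_DLLs entry and the VSS service.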
 
Wow, that PC is junked majorly. If it says you are missing "regedit" then the only way to get that back is a Repair Installation or a reformat.
 
I downloaded it from the Bleeping Computer website. I saved it. Ran it. And an error came up. Apparently I'm missing the regedit.exe file from my Windows dir....

Thanks a lot cohen anyway. I really appreciate it. I hope you're enjoying school. I'm gonna try to see if I can reformat.

Yeah, I'm really loving school :P, not!

Yeah, no problems,

Well, I'm not sure about the regedit file, can you do a repair installation and then try and run the ComboFix log
 
That is just untrue. Regedit, Control Panel and Task Manager can get disabled by some Trojans. If you let me make a fix, I'll post it in the next reply.
 
I wouldn't format until one of our mods, ceewi or buzz, have had a look, given that it seems they are the only ones who know what they are talking about.
 
I wouldn't format until one of our mods, ceewi or buzz, have had a look, given that it seems they are the only ones who know what they are talking about.

Yes especially Buzz and his attempt to get rid of the Vundo notices using some RegCleaner :D
ceewi1 is a legend though...

I can say I know what I'm talking about. I don't know, am I stupid or what, but I think I know a lot about helping other people (cleaning viruses, mostly). My only problem is that I didn't get a "license" to help people just because I was kicked from ALL universities for POSTING ON THIS FORUM.

Come on guys... if only ceewi1 is helping people on this forum, there would be a lot more unsolved cases... Taken that Buzz is not helping since I registered here.
 
Yes especially Buzz and his attempt to get rid of the Vundo notices using some RegCleaner :D
ceewi1 is a legend though...

Come on guys... if only ceewi1 is helping people on this forum, there would be a lot more unsolved cases... Taken that Buzz is not helping since I registered here.

I agree,

Not sure what a regcleaner does :confused:

ceewi1 is a legend,

People like me :P and other new starters at least get the starting stuff of the thread going and ceewi1 / punk / gamemaster finish it off.
 
Yes especially Buzz and his attempt to get rid of the Vundo notices using some RegCleaner :D
Buzz's approach to that thread had a great deal of merit. I'm sorry if you can't see the reasoning behind it, but frankly Buzz knows a lot more about this stuff than you do.

People like me :P and other new starters at least get the starting stuff of the thread going and ceewi1 / punk / gamemaster finish it off.
Reading through a 20 post thread to figure out what's been done since the first log usually takes a lot longer than just working the log from post 1. Also, ComboFix is not a one-size-fits-all anti-malware solution and needs to be used with care and only where appropriate.

Vizy93, while formatting will obviously resolve your problems, I am not yet convinced that it is necessary. If you have not yet formatted, please do the following:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings
  • Choose the Scan tab, remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found (image: check.gif)
  • If so, click it and then click the icon right below and select Move incurable (image: move.gif)

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
 
Yes especially Buzz and his attempt to get rid of the Vundo notices using some RegCleaner :D

I can say I know what I'm talking about. My only problem is that I didn't get a "license" to help people just because I was kicked from ALL universities for POSTING ON THIS FORUM.

Taken that Buzz is not helping since I registered here.

Don't be a smartass. Buzz has been helping people here long before you registered. Getting kicked out of universities was due to your own incompetence, and violating rules. Don't blame it on this community.
 

Ceewi, I really appreciate you helping me out, but I needed a reformat anyway so I just went ahead and did it.

My computer is ok now, but I am worried about my external drive, where I basically have EVERYTHING of any importance on.

I did some googling and I found that for the virus:

win32/gaelicum

that I had to use this:

http://www.grisoft.com/ww.virus-removal.ndi-93721

It asked me to download two files and save them to the same folder. So I did that, and I ran the program. All my drives were clean, but it didn't scan my external. So then I went to the command line:

Code:
G:>rmgael H:

Then it scanned my external and said there were NO problems found. All my files seem to be ok... but I thought that the internet worm would've spread itself.

Is there ANY type of log that can show the status of my external??


Thanks a lot ceewi
 
Oh and also,

please forgive me for making you waste your time by posting the CureIt stuff. I still really appreciate it.

Sorry! :D
 
Not a problem. Gaelicum is a very dangerous file infector and a full format and reinstall is the best solution to it.

Even though regular anti-virus programs can't disinfect the files, they should be able to detect the virus and delete any infected files. I recommend running a full scan with your antivirus and/or use an online scanner such as BitDefender's to check the drive.
 