Son's computer was infected... still is, sort of.

johnb35

Administrator
Staff member
My son somehow got his computer infected and I've got it cleaned up for the most part. The only thing left is that there are the words "virus alert" to the right of the clock. I can't seem to get rid of it. Has anybody come across this before, and how do you get rid of it? Thanks. I've done ComboFix, SUPERAntiSpyware and a virus scan by AVG. The HijackThis log is clean as far as I can tell; not many items in it. If you need a pic of the screen let me know.
 
ComboFix 08-05-21.3 - John 2008-05-24 14:41:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.349 [GMT -5:00]
Running from: G:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\John\Desktop\Privacy Protector.url
C:\Program Files\Google\googletoolbar1.dll
C:\Program Files\iSecurity
C:\Program Files\iSecurity\{A39F804A-4A63-4ff2-B201-23B0E2CC8474}\install.exe
C:\Program Files\iSecurity\axpdefender.bmp
C:\Program Files\iSecurity\axpdefender.ico
C:\Program Files\iSecurity\axpdefenderi.bmp
C:\Program Files\iSecurity\axpfixer.bmp
C:\Program Files\iSecurity\axpfixer.ico
C:\Program Files\iSecurity\axpfixeri.bmp
C:\Program Files\iSecurity\iSecurity.dat
C:\Program Files\iSecurity\systemdefender.bmp
C:\Program Files\iSecurity\systemdefender.ico
C:\Program Files\iSecurity\systemdefenderi.bmp
C:\Program Files\tmp0.exe
C:\Program Files\tmp1.exe
C:\Program Files\tmp2.exe
C:\WINDOWS\braviax.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\install.exe
C:\WINDOWS\resources\DrvCheck.dll
C:\WINDOWS\resources\VolumeAvp.dll
C:\WINDOWS\system32\158117
C:\WINDOWS\system32\818646\818646.dll
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\clbinit.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\wcS00.sys
C:\WINDOWS\system32\gmfgmklh.ini
C:\WINDOWS\system32\iifcDTjJ.dll
C:\WINDOWS\system32\ISECUR~1.CPL
C:\WINDOWS\system32\iSecurity.cpl
C:\WINDOWS\system32\JjTDcfii.ini
C:\WINDOWS\system32\JjTDcfii.ini2
C:\WINDOWS\system32\kdanl.exe
C:\WINDOWS\system32\kjmlRXyb.ini
C:\WINDOWS\system32\kjmlRXyb.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\sotspxbq.ini
C:\WINDOWS\system32\xevvaurr.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CLBDRIVER
-------\Legacy_service.sys
-------\Legacy_WCS00
-------\Service_clbdriver
-------\Service_service.sys
-------\Service_wcS00


((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 14:34 . 2008-05-24 14:34 96,256 --a------ C:\as0lv2.exe
2008-05-24 14:33 . 2008-05-24 14:33 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-24 14:32 . 2008-05-24 14:32 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-24 14:32 . 2004-08-04 00:56 88,576 --a------ C:\WINDOWS\system32\bitsprx.dll
2008-05-24 14:32 . 2008-05-24 14:32 14,336 --a------ C:\WINDOWS\system32\WinCtrl32.dll
2008-05-24 14:32 . 2008-05-24 14:32 11,776 --a------ C:\p9wnle.exe
2008-05-24 13:50 . 2008-05-24 13:50 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-24 13:27 . 2008-05-24 13:27 <DIR> d-------- C:\Program Files\AVG
2008-05-24 13:27 . 2008-05-24 13:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-24 13:02 . 2008-05-24 13:02 206 --a------ C:\Documents and Settings\John\delself.bat
2008-05-24 13:00 . 2008-05-24 14:05 <DIR> d-------- C:\WINDOWS\system32\566828
2008-05-24 13:00 . 2008-05-24 13:54 <DIR> d-------- C:\Program Files\IE Extensions
2008-05-24 12:35 . 2008-05-24 12:38 251 --a------ C:\WINDOWS\wininit.ini
2008-05-24 12:13 . 2008-05-24 12:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 12:13 . 2008-05-24 12:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-24 12:10 . 2008-05-24 12:10 <DIR> d-------- C:\Documents and Settings\John\Application Data\TmpRecentIcons
2008-05-24 12:09 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-24 12:04 . 2008-05-24 12:06 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-05-24 12:02 . 2008-05-24 12:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 12:02 . 2008-05-24 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-24 11:46 . 2008-05-24 11:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-24 11:46 . 2008-05-24 12:06 <DIR> d-------- C:\Program Files\AXPDefender
2008-05-24 07:49 . 2008-05-24 12:49 <DIR> d-------- C:\Documents and Settings\Tyler\Application Data\Sammsoft
2008-05-24 07:38 . 2008-05-24 07:38 91,136 --a------ C:\WINDOWS\system32\hlkmgfmg.dll
2008-05-24 07:35 . 2008-05-24 14:42 <DIR> d-------- C:\WINDOWS\system32\818646
2008-05-23 22:00 . 2008-05-23 13:50 139,264 --a------ C:\WINDOWS\eope.exe
2008-05-23 22:00 . 2008-05-23 22:00 29,312 --a------ C:\WINDOWS\system32\urqPfEuT.dll
2008-05-23 21:59 . 2008-05-23 21:59 93,696 --a------ C:\WINDOWS\system32\ntpl.bin
2008-05-23 21:59 . 2008-05-23 21:59 63,488 --a------ C:\WINDOWS\system32\ho.ln
2008-05-23 21:59 . 2008-05-23 21:59 28,672 --a------ C:\WINDOWS\system32\mn.n
2008-05-23 21:59 . 2008-05-23 21:59 28,672 --a------ C:\WINDOWS\system32\ko.o
2008-05-23 21:59 . 2008-05-23 21:59 28,672 --a------ C:\WINDOWS\system32\ccs.so
2008-05-23 21:59 . 2008-05-23 21:59 28,672 --a------ C:\WINDOWS\system32\bmf.cs
2008-05-23 21:59 . 2008-05-23 22:00 2 --a------ C:\1224679109
2008-05-23 19:56 . 2008-05-23 19:56 <DIR> d-------- C:\Program Files\GameTap
2008-05-23 19:56 . 2008-05-23 19:56 <DIR> d-------- C:\Documents and Settings\Tyler\Application Data\InstallShield
2008-05-23 19:56 . 2008-05-23 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GameTap
2008-05-17 21:56 . 2008-05-17 21:56 <DIR> d-------- C:\Program Files\Fun Web Products
2008-05-16 21:49 . 2008-05-16 21:49 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-16 21:43 . 2008-05-16 21:43 <DIR> d-------- C:\Documents and Settings\Tyler\Application Data\LuckieDIPS
2008-05-16 21:07 . 2008-03-19 18:26 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-16 21:07 . 2008-03-19 18:29 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-16 21:06 . 2008-05-16 21:19 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-13 19:02 . 2008-05-13 19:02 <DIR> d-------- C:\Documents and Settings\John\Application Data\Yahoo!
2008-05-04 10:50 . 2008-05-24 14:41 <DIR> d-------- C:\Program Files\Google
2008-05-03 20:40 . 2008-05-03 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-03 20:26 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-03 20:26 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-03 19:13 . 2008-05-04 01:24 <DIR> d-------- C:\Program Files\PopCap Games
2008-05-03 19:13 . 2007-09-12 15:47 983,040 --a------ C:\WINDOWS\FeedingFrenzy.scr
2008-05-03 19:13 . 2008-05-04 12:43 70 --a------ C:\WINDOWS\popcinfot.dat
2008-05-03 19:13 . 2008-05-03 19:13 0 --a------ C:\WINDOWS\popcreg.dat
2008-05-03 17:39 . 2008-05-03 17:39 <DIR> d-------- C:\Documents and Settings\Tyler\Application Data\Yahoo!
2008-05-03 17:08 . 2008-05-03 17:08 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-03 17:07 . 2008-05-22 16:52 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-03 17:07 . 2008-05-03 17:07 <DIR> d-------- C:\Program Files\Nick Arcade
2008-05-03 16:44 . 2008-05-03 16:44 <DIR> d-------- C:\Program Files\EA GAMES
2008-05-03 16:02 . 2008-05-03 16:02 <DIR> d---s---- C:\Program Files\Xfire
2008-05-03 16:02 . 2008-05-03 16:02 <DIR> d-------- C:\Documents and Settings\Tyler\Application Data\Xfire
2008-05-03 13:08 . 2008-05-03 13:08 <DIR> d-------- C:\Program Files\Playlogic
2008-05-03 12:58 . 2008-05-03 16:22 <DIR> d-------- C:\Program Files\Rockstar Games
2008-05-03 10:31 . 2008-05-03 13:01 <DIR> d-------- C:\Documents and Settings\Tyler\Contacts
2008-05-03 10:30 . 2008-05-03 10:30 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-03 10:26 . 2008-05-03 10:30 <DIR> d-------- C:\Program Files\Windows Live
2008-05-03 10:26 . 2008-05-03 10:30 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-03 10:26 . 2008-05-03 10:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-03 10:25 . 2008-05-03 10:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-03 10:25 . 2005-02-24 22:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-05-03 10:20 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-05-03 10:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-03 10:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-03 10:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-03 10:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-03 10:19 . 2008-05-16 21:31 <DIR> d-------- C:\Download
2008-05-03 10:19 . 2008-05-03 10:19 <DIR> d---s---- C:\Documents and Settings\Tyler\UserData
2008-05-03 09:59 . 2008-05-03 10:01 <DIR> d-------- C:\Program Files\Encore
2008-05-03 09:51 . 2008-05-24 13:53 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-05-03 09:50 . 2008-05-03 09:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-03 09:48 . 2008-05-03 09:48 <DIR> d-------- C:\Program Files\Microsoft Games
2008-05-03 09:42 . 2008-05-03 09:42 <DIR> dr-h----- C:\Documents and Settings\Tyler\Application Data\SecuROM
2008-05-02 22:06 . 2008-05-24 13:51 <DIR> d-------- C:\Documents and Settings\Tyler
2008-05-02 15:00 . 2001-08-17 08:59 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 02:59 577,024 ----a-w C:\WINDOWS\system32\user32.DLL
2008-05-24 00:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-03 21:02 --------- d-----w C:\Program Files\LucasArts
2008-05-03 01:52 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-03 01:52 --------- d--h--r C:\Documents and Settings\John\Application Data\SecuROM
2008-05-03 01:24 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-03 01:20 --------- d-----w C:\Program Files\ITE
2008-05-03 01:16 --------- d-----w C:\Program Files\Marvell
2008-05-03 01:08 --------- d-----w C:\Program Files\microsoft frontpage
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2008-05-24 02:59:23 C:\WINDOWS\system32\user32.DLL
577,024 2008-05-24 02:59:23 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2008-05-23 21:59 577024 c0001364172405af6ed9ad32c5379d09 C:\WINDOWS\system32\user32.DLL
2008-05-23 21:59 577024 c0001364172405af6ed9ad32c5379d09 C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{613e416f-bcb6-43ad-b0fc-df7b0d5a70bf}]
2008-05-23 22:00 29312 --a------ C:\WINDOWS\system32\urqPfEuT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96C7889D-E426-4491-9C25-27F9A7FC0442}]
2004-08-04 00:56 88576 --a------ C:\WINDOWS\system32\bitsprx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"NoStartMenuMorePrograms"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{613E416F-BCB6-43AD-B0FC-DF7B0D5A70BF}"= C:\WINDOWS\system32\urqPfEuT.dll [2008-05-23 22:00 29312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpfeut]
urqPfEuT.dll 2008-05-23 22:00 29312 C:\WINDOWS\system32\urqPfEuT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
WinCtrl32.dll 2008-05-24 14:32 14336 C:\WINDOWS\system32\WinCtrl32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^msn_0805_upd211731.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msn_0805_upd211731.exe
backup=C:\WINDOWS\pss\msn_0805_upd211731.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAID Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAID Manager.lnk
backup=C:\WINDOWS\pss\RAID Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\48ff1e6a]
--a------ 2008-05-24 07:38 91136 C:\WINDOWS\system32\hlkmgfmg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiviirus]
C:\Program Files\antiviirus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\John\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\c:\windows\system32\kdanl.exe]
C:\WINDOWS\system32\kdanl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 16:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"=

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2004-06-01 10:19]
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-21 05:56]
S1 sywtdxaz;sywtdxaz;C:\WINDOWS\system32\sywtdxaz.sys []
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys [2001-08-17 14:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\setup.exe /autorun
\Shell\directx\command - F:\DirectX\dxsetup.exe
\Shell\setup\command - F:\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 14:44:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqPfEuT.dll
-> C:\WINDOWS\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-05-24 14:46:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 19:46:07

Pre-Run: 77,419,290,624 bytes free
Post-Run: 77,593,157,632 bytes free

260



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51: VIRUS ALERT!, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nvidia.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1209828001812
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3212 bytes
 
Hello!
Many, many infections remain.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
C:\WINDOWS\system32\blackster.scr
C:\as0lv2.exe
C:\WINDOWS\system32\ctfmonb.bmp
C:\WINDOWS\system32\bitsprx
C:\WINDOWS\system32\WinCtrl32.dll
C:\p9wnle.exe
C:\Documents and Settings\John\delself.bat
C:\WINDOWS\system32\566828
C:\Documents and Settings\John\Application Data\TmpRecentIcons
C:\WINDOWS\system32\hlkmgfmg.dll
C:\WINDOWS\system32\818646
C:\WINDOWS\eope.exe
C:\WINDOWS\system32\urqPfEuT.dll
C:\WINDOWS\system32\ntpl.bin
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\bmf.cs
C:\1224679109
C:\WINDOWS\popcinfot.dat

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.

After all that is done, please download the user32.dll file. It should be in Windows, so if it doesn't move there automatically, navigate to Windows and copy the file there. Delete any user32.dll found there before doing it.
Empty your recycle bin and reboot your computer.

Is your system running fine now?

Please post an Avenger log as shown and tell us about the system (any better?).
 
I had to do a registry edit to fix the virus alert text by the clock. However, I realized I have an IE problem, but I will try doing a repair install of just IE. Here is the Avenger log you requested.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\blackster.scr" deleted successfully.

Error: file "C:\as0lv2.exe" not found!
Deletion of file "C:\as0lv2.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\ctfmonb.bmp" not found!
Deletion of file "C:\WINDOWS\system32\ctfmonb.bmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\bitsprx" not found!
Deletion of file "C:\WINDOWS\system32\bitsprx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\WinCtrl32.dll" not found!
Deletion of file "C:\WINDOWS\system32\WinCtrl32.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\p9wnle.exe" not found!
Deletion of file "C:\p9wnle.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Documents and Settings\John\delself.bat" deleted successfully.

Error: "C:\WINDOWS\system32\566828" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\566828" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: "C:\Documents and Settings\John\Application Data\TmpRecentIcons" is a folder, not a file!
Deletion of file "C:\Documents and Settings\John\Application Data\TmpRecentIcons" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory


Error: file "C:\WINDOWS\system32\hlkmgfmg.dll" not found!
Deletion of file "C:\WINDOWS\system32\hlkmgfmg.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\WINDOWS\system32\818646" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\818646" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\WINDOWS\eope.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\urqPfEuT.dll" not found!
Deletion of file "C:\WINDOWS\system32\urqPfEuT.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\ntpl.bin" deleted successfully.
File "C:\WINDOWS\system32\ho.ln" deleted successfully.
File "C:\WINDOWS\system32\mn.n" deleted successfully.
File "C:\WINDOWS\system32\ko.o" deleted successfully.
File "C:\WINDOWS\system32\ccs.so" deleted successfully.
File "C:\WINDOWS\system32\bmf.cs" deleted successfully.
File "C:\1224679109" deleted successfully.
File "C:\WINDOWS\popcinfot.dat" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
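The Avenger log above has a regular shape: one line per result, followed by an NT status line when a deletion failed. The following Python parser is an added example, not code from the thread or from Avenger itself; it classifies each entry (deleted, not found, or a directory listed under the wrong section), keeps the status name Avenger printed, and drafts the "Folders to delete:" section for a second pass. The embedded sample is a constructed excerpt of the log in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Line shapes as they appear in an Avenger 2.0 log.
DELETED_RE = re.compile(r'^File "(?P<path>[^"]+)" deleted successfully\.$')
NOT_FOUND_RE = re.compile(r'^Error: file "(?P<path>[^"]+)" not found!$')
IS_DIR_RE = re.compile(r'^Error: "(?P<path>[^"]+)" is a folder, not a file!$')
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>[A-Z_]+)\)$')

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\blackster.scr" deleted successfully.

Error: file "C:\WINDOWS\system32\bitsprx" not found!
Deletion of file "C:\WINDOWS\system32\bitsprx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: "C:\WINDOWS\system32\566828" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\566828" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\WINDOWS\eope.exe" deleted successfully.

Completed script processing.
"""


@dataclass
class Result:
    path: str
    outcome: str      # "deleted", "not_found" or "is_directory"
    status: str = ""  # NT status name Avenger printed for a failure, if any


def parse_avenger_log(text: str) -> List[Result]:
    """Turn an Avenger log into one Result per script entry, in log order."""
    results: List[Result] = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, outcome in ((DELETED_RE, "deleted"),
                                 (NOT_FOUND_RE, "not_found"),
                                 (IS_DIR_RE, "is_directory")):
            m = pattern.match(line)
            if m:
                results.append(Result(m["path"], outcome))
                break
        else:
            # A Status line always refers to the most recent failed entry.
            m = STATUS_RE.match(line)
            if m and results and results[-1].outcome != "deleted":
                results[-1].status = m["name"]
    return results


def summarize(results: List[Result]) -> Dict[str, int]:
    """Count entries per outcome, e.g. {"deleted": 2, "not_found": 1, ...}."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.outcome] = counts.get(r.outcome, 0) + 1
    return counts


def follow_up_script(results: List[Result]) -> Tuple[str, List[str]]:
    """Draft the second-pass script: directories go under 'Folders to delete:'.
    Paths Avenger could not find are returned separately so the helper can
    re-check them against the ComboFix log (e.g. a dropped file extension)."""
    folders = [r.path for r in results if r.outcome == "is_directory"]
    missing = [r.path for r in results if r.outcome == "not_found"]
    lines = ["Folders to delete:"] + folders if folders else []
    return "\n".join(lines), missing


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_LOG)
    print(summarize(parsed))
    script, unresolved = follow_up_script(parsed)
    print(script)
    print("re-check:", unresolved)
```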
 
Ok, everything seems to be running fine now. Even got the IE problem fixed by creating a new account for myself. It only happened on mine and not my son's...

Thanks Gamemaster.
 