Win32/heur


Win32/heur

Post by Frizzy on 3rd September 2009, 2:42 am

My computer is infected with the Win32/heur virus. I have run both the AVG virus scanner and Malwarebytes Anti-Malware but am still infected. AVG says that a number of the infected files are whitelisted and are critical files that cannot be moved to the virus vault. I need help to remove this virus completely! Below is my HijackThis log. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:02 PM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: in nk nI{FP pD2.16 DefaultIcon44E09`C:\WINDOWS\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\accicons.exe,148AA5B lf` shel nk CP (
O1 - Hosts: z HTML Handlervkz "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1lf CLSI Defa@ HTML( shelnk .f@  shellnk hf`  editlf editnk Cĸ
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WebBlinds - {4F92B827-1E56-4E30-A978-A17A7861A606} - C:\Program Files\Object Desktop\WebBlinds\WebBlinds.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O2 - BHO: CBrowserInterface Object - {D7EEF1C5-B053-4a70-B378-3462074D3226} - C:\Program Files\PC Magazine Utilities\CookieCop\CookieHlpr.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [WorkShelf] C:\Program Files\Winstep\workshelf.exe autostart
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - .DEFAULT User Startup: Gloss Mint Clock.lnk = C:\Program Files\Stardock\DesktopGadgets\Gloss Mint Clock\Gloss Mint Clock.exe (User 'Default user')
O4 - .DEFAULT User Startup: IconPackager.lnk = C:\Program Files\Object Desktop\IconPackager\IconPackager.exe (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\ObjectDock\ObjectDock.exe
O4 - Startup: stardock.lnk = C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: FencesShellExt - {1984DD45-52CF-49cd-AB77-18F378FEA264} - C:\Program Files\Object Desktop\Fences\FencesMenu.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\\dldtserv.exe
O23 - Service: dldt_device - - C:\WINDOWS\system32\dldtcoms.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)

--
End of file - 10759 bytes

Frizzy
Novice

Posts : 16
Joined : 2009-09-03
Gender : Male
OS : Windows XP Home SP3
Points : 26551
Likes : 0


Re: Win32/heur

Post by Belahzur on 3rd September 2009, 3:14 pm

Hello.

Download HostsXpert from [You must be registered and logged in to see this link.]

  • Unzip it and start the program.
  • If "Make writeable?" is shown in red at the top, click it to make writeable.
  • Press "Restore MS Hosts File"
  • OK the prompt.
  • Then click on "Make read only"
  • Exit HostsXpert.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1

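The reply above asks for the hosts file to be restored because the O1 lines in the first post's HijackThis log contain binary junk where `<ip> <hostname>` pairs should be, and the same log carries several "(no file)" / "(file missing)" entries and services with no publisher. The script below is an added example, not code from this thread, from HijackThis or from Malwarebytes: it parses HijackThis 2.0.x log lines and flags exactly those three kinds of entry for a human to review. The sample block is constructed in the shape of the first post's log (the garbage O1 line is a shortened copy of one from that log; the `10.0.0.5` redirect line is invented to show the non-loopback check), and the triage heuristics are my own assumptions about what deserves a second look, not rules from any tool.

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not a HijackThis tool)."""
import re

# Constructed sample lines in the shape of the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.5 update.example.invalid
O1 - Hosts: in nk nI{FP pD2.16 DefaultIcon44E09`C:\WINDOWS\Installer\accicons.exe,148AA5B lf` shel nk CP (
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: dldt_device - - C:\WINDOWS\system32\dldtcoms.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# What a sane hosts entry looks like once the "Hosts:" prefix is stripped.
HOSTS_ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)\s+(?P<host>[A-Za-z0-9.\-]+)\s*$"
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_entries(log_text):
    """Yield (code, body) pairs for every finding line; skip headers and process lists."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def check_hosts(body):
    """Classify one O1 line. Returns None when it is an ordinary loopback entry."""
    text = body[len("Hosts:"):].strip() if body.startswith("Hosts:") else body
    m = HOSTS_ENTRY_RE.match(text)
    if not m:
        # Binary junk instead of "<ip> <hostname>" means the hosts file itself is
        # damaged or overwritten; restoring the stock file is the usual fix.
        return "corrupted hosts entry"
    if m.group("ip") not in LOOPBACK:
        # A name pointed at a non-loopback address silently redirects that site.
        return "hosts redirect to %s" % m.group("ip")
    return None


def triage(log_text):
    """Return a list of (code, reason, body) findings worth a human look."""
    findings = []
    for code, body in parse_entries(log_text):
        if code == "O1":
            reason = check_hosts(body)
            if reason:
                findings.append((code, reason, body))
        elif body.endswith("(no file)") or body.endswith("(file missing)"):
            # Registrations whose target is gone: leftovers of removed software or malware.
            findings.append((code, "orphaned entry", body))
        elif code == "O23" and (" - Unknown owner - " in body or " - - " in body):
            # Service with no publisher string; not proof of anything, but check the binary.
            findings.append((code, "service without a known publisher", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print("%-4s %-35s %s" % (code, reason, body[:70]))
```

Run against a saved `hijackthis.log` by passing its contents to `triage()`; the point of the hosts check is that it reproduces the reasoning behind the reply's first step without anyone having to eyeball the O1 lines.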

Re: Win32/heur

Post by Frizzy on 3rd September 2009, 7:46 pm

Thank you so much for agreeing to help. I did as you said above. As I already had Malwarebytes' Anti-Malware installed, I updated it and ran it as requested. Here are the results (I also include, after this result, the results from this morning when I ran it, in which it did find something).

Malwarebytes' Anti-Malware 1.40
Database version: 2736
Windows 5.1.2600 Service Pack 3

9/3/2009 2:38:10 PM
mbam-log-2009-09-03 (14-38-10).txt

Scan type: Quick Scan
Objects scanned: 109470
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.40
Database version: 2735
Windows 5.1.2600 Service Pack 3

9/3/2009 9:14:17 AM
mbam-log-2009-09-03 (09-14-17).txt

Scan type: Quick Scan
Objects scanned: 109382
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrywm (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\qtwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


Re: Win32/heur

Post by Belahzur on 3rd September 2009, 10:35 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt just yet.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/heur

Post by Frizzy on 4th September 2009, 6:35 pm

After turning off Resident Shield in my AVG 8.5 I was able to run the program you requested I run. Here are the results:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Aaron Joshua Gray at 5:47:21.03 on Fri 09/04/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.378 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Aaron Joshua Gray\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = [You must be registered and logged in to see this link.]
uStart Page = about:blank
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uWindow Title = Microsoft Internet Explorer
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mWindow Title = Microsoft Internet Explorer
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant =
uCustomizeSearch =
mSearchAssistant = [You must be registered and logged in to see this link.]
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: {0a87e45f-537a-40b4-b812-e2544c21a09f} - SpywareBlock Class
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WebBlinds: {4f92b827-1e56-4e30-a978-a17a7861a606} - c:\program files\object desktop\webblinds\WebBlinds.dll
BHO: PCTools Site Guard: {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spyware doctor\tools\iesdsg.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: PCTools Browser Monitor: {b56a7d7d-6927-48c8-a975-17df180c71ac} - c:\progra~1\spyware doctor\tools\iesdpb.dll
BHO: CBrowserInterface Object: {d7eef1c5-b053-4a70-b378-3462074d3226} - c:\program files\pc magazine utilities\cookiecop\CookieHlpr.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - No File
uRun: [CursorFX] "c:\program files\stardock\cursorfx\CursorFX.exe"
mRun: [BootSkin Startup Jobs] "c:\program files\stardock\wincustomize\bootskin\BootSkin.exe" /StartupJobs
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dldtmon.exe] "c:\program files\dell v305\dldtmon.exe"
mRun: [dldtamon] "c:\program files\dell v305\dldtamon.exe"
mRun: [nwiz] nwiz.exe /install


Re: Win32/heur

Post by Frizzy on 4th September 2009, 6:40 pm

Here is another part:

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [Spyware Doctor] "c:\program files\spyware doctor\swdoctor.exe" /Q
StartupFolder: c:\docume~1\aaronj~1\startm~1\programs\startup\stardock objectdock.lnk - c:\program files\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\aaronj~1\startm~1\programs\startup\stardock.lnk - c:\program files\object desktop\windowblinds\wbload.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoInstrumentation = 0 (0x0)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoDFSTab = 0 (0x0)
uPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoCommonGroups = 0 (0x0)
mPolicies-explorer: =
mPolicies-explorer: NoChangeAnimation = 0 (0x0)
mPolicies-explorer: NoSMConfigurePrograms = 0 (0x0)
mPolicies-explorer: NoStartMenuEjectPC = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: DisableMyPicturesDirChange = 0 (0x0)
mPolicies-explorer: DisableMyMusicDirChange = 0 (0x0)
mPolicies-explorer: DisableFavoritesDirChange = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: GreyMSIAds = 0 (0x0)
mPolicies-system: RunStartupscriptSync = 1 (0x1)
IE: &Add animation to IncrediMail Style Box - c:\progra~1\incredimail\bin\resources\WebMenuImg.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {578FC4E3-151E-456c-AF8E-B63061EFE228}}
IE: {6224f700-cba3-4071-b251-47cb894244cd}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spyware doctor\tools\iesdpb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Trusted Zone: dellfix.com\pccheckup
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\object~1\window~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\progra~1\common~1\stardock\mcpcore.dll
SSODL: EnhancedDialog - {6D972050-A934-44D7-AC67-7C9E0B264220} - c:\program files\object desktop\enhanceddialog\enhdlginit.dll
SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - c:\program files\object desktop\iconpackager\iprepair.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - c:\program files\object desktop\fences\FencesMenu.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File
SEH: {a5780613-492e-4a2a-a7fd-549610edf6cc} - No File
SEH: Microsoft AntiSpyware Service Hook: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - Microsoft.AntiSpyware.ShellExecuteHook.1


Last edited by Frizzy on 4th September 2009, 6:42 pm; edited 1 time in total


Re: Win32/heur

Post by Frizzy on 4th September 2009, 6:41 pm

And another:

================ FIREFOX ===================

FF - ProfilePath - c:\docume~1\aaronj~1\applic~1\mozilla\firefox\profiles\default.f1t\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\documents and settings\aaron joshua gray\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox 3.5 beta 4\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 600000
FF - user.js: nglayout.initialpaint.delay - 600
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2008-4-4 12552]
R0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
R0 gxc108b;gxc108b;c:\windows\system32\drivers\gxc108b.sys [2004-3-5 137216]
R0 gxc108p;gxc108p;c:\windows\system32\drivers\gxc108p.sys [2004-3-5 5248]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-4 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-4 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-4 108552]
R1 ikhfile;File Security Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhfile.sys [2007-12-16 30592]
R1 ikhlayer;Kernel Anti-Spyware Driver;c:\windows\system32\drivers\ikhlayer.sys [2007-12-16 51072]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-1 483208]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 297752]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-7-1 604416]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 dldtCATSCustConnectService;dldtCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldtserv.exe [2008-2-25 99568]
S2 gupdate1c9864c8a12fac;Google Update Service (gupdate1c9864c8a12fac); [x]
S2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [2005-9-26 190480]
S3 Dhaagss;Dhaagss;c:\windows\system32\drivers\NULL.SYS [2002-8-29 2944]
S3 FGUARD32;FGUARD32;c:\program files\winability\folder guard nt\FGuard32.sys [2003-4-16 71680]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-8-9 66056]

============== File Associations ===============

inffile="c:\program files\object desktop\object edit\oe.exe" "%1"

=============== Created Last 30 ================

2009-09-04 05:36 0 a------- c:\windows\sc.exe
2009-09-04 05:36 --d----- c:\program files\Protection System
2009-09-03 09:58 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-03 09:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-03 09:49 --d----- C:\Sun
2009-09-02 19:57 0 a------- c:\windows\SC.INS
2009-09-02 11:33 --d----- c:\program files\CCleaner
2009-09-01 11:18 798,208 a------- c:\windows\system32\NextControls.ocx
2009-09-01 11:18 --d----- c:\program files\Winstep
2009-09-01 09:29 1,238,408 a------- c:\windows\system32\zpeng25.dll
2009-08-31 23:18 292 a------- C:\English.ini
2009-08-31 21:29 5,760,054 a------- c:\windows\Aaron Joshua Gray.bmp
2009-08-31 19:15 --d----- c:\windows\system32\wbem\Repository
2009-08-20 19:09 --d----- c:\program files\common files\Diskeeper Corporation
2009-08-20 19:08 --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation
2009-08-16 15:47 73,160 a---h--- c:\windows\system32\mlfcache.dat
2009-08-14 09:55 202,072 a----r-- c:\windows\system32\cpnprt2.cid
2009-08-14 09:55 --d----- c:\program files\Coupons
2009-08-12 08:54 12,288,054 a------- c:\windows\vladstudio_ladybug_and_chameleon_2560x1600.bmp
2009-08-12 08:54 1,440,054 a------- c:\windows\vladstudio_ladybug_and_chameleon_800x600.bmp
2009-08-12 08:54 6,912,054 a------- c:\windows\vladstudio_ladybug_and_chameleon_1920x1200.bmp
2009-08-12 08:54 5,292,054 a------- c:\windows\vladstudio_ladybug_and_chameleon_1680x1050.bmp
2009-08-08 20:35 6,912,054 a------- c:\windows\AMDGame1920.bmp
2009-08-08 20:35 5,292,054 a------- c:\windows\AMDGame1680.bmp
2009-08-08 20:35 5,760,054 a------- c:\windows\AMDGame1600.bmp
2009-08-08 20:35 3,932,214 a------- c:\windows\AMDGame1280.bmp
2009-08-08 20:35 2,359,350 a------- c:\windows\AMDGame1024.bmp
2009-08-07 22:29 --d----- c:\program files\STARWARS_TheBattleOfYavin_v11
2009-08-05 19:41 --d----- c:\program files\STARWARS_TheBattleOfEndor_v21
2009-08-05 19:15 --d----- c:\docume~1\aaronj~1\applic~1\smc
2009-08-05 19:09 --d----- c:\program files\Secret Maryo Chronicles

==================== Find3M ====================

2009-09-03 14:30 4,212 ac--h--- c:\windows\system32\zllictbl.dat
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-28 18:57 14,336 a------- c:\windows\system32\svchost.exe
2009-07-28 09:38 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-28 09:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-01 19:57 604,416 a------- c:\windows\system32\TUProgSt.exe
2009-07-01 19:57 361,216 a------- c:\windows\system32\TuneUpDefragService.exe
2009-06-25 10:39 42,672 a------- c:\windows\system32\wbsys.dll
2009-06-20 16:56 80,803 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-04 17:22 61,224 a------- c:\documents and settings\aaron joshua gray\GoToAssistDownloadHelper.exe
2005-02-10 21:19 96,504 ac------ c:\docume~1\aaronj~1\applic~1\GDIPFONTCACHEV1.DAT
2004-09-25 03:05 209,275 ac------ c:\program files\INSTALL.LOG
2003-08-27 15:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2002-12-12 11:34 81,920 ac-sh--- c:\windows\eSellerateControl300.dll
2008-05-11 16:19 23 a--sh--- c:\windows\system32\eaceb6_z.dll
2007-07-04 16:56 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 5:48:33.25 ===============

Frizzy
Novice
Posts : 16
Joined : 2009-09-03
Gender : Male
OS : Windows XP Home SP3
Points : 26551
# Likes : 0

Re: Win32/heur

Post by Belahzur on 4th September 2009, 9:42 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    BootScreen

    :files
    c:\windows\sc.exe
    c:\program files\Protection System
    c:\windows\system32\eaceb6_z.dll


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1
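The OTM script above names three items out of a log several hundred lines long. As an added example (not code from DDS, OTM or anyone in this thread), here is a small parser for the "Created Last 30" and "Find3M" listing format together with two triage heuristics: a zero-byte executable under c:\windows, and a very small file there carrying both the hidden and system attributes. The heuristics and the 1024-byte cut-off are my assumptions, and a hit means "look at this file", not "this file is malicious". Run over a few lines copied from the log in this thread, it surfaces two of the three items in the script, c:\windows\sc.exe and c:\windows\system32\eaceb6_z.dll, while leaving alone larger hidden+system files such as the licensing DLLs.

```python
"""Triage the file-listing sections of a DDS log ("Created Last 30", "Find3M").

Added example for this thread; it is not code from DDS, OTM or the helpers.
The heuristics and the TINY threshold below are assumptions: a hit means
"look at this file", not "this file is malicious".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A DDS listing line: date, time, optional size (with thousands separators),
# an 8-character attribute field (a/c/d/s/h/r or '-'), then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
SYSTEM_ROOT = "c:\\windows\\"
TINY = 1024  # bytes; assumed cut-off for "too small to be a real PE file"


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directory entries, which carry no size
    attrs: Set[str]       # attribute letters present, e.g. {"a", "s", "h"}
    path: str             # lower-cased for case-insensitive matching


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for headers, blanks and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return Entry(
        date=m.group("date"),
        size=int(size.replace(",", "")) if size is not None else None,
        attrs={c for c in m.group("attrs") if c != "-"},
        path=m.group("path").lower(),
    )


def suspicious_reasons(e: Entry) -> List[str]:
    """Triage heuristics (assumptions) applied to one parsed entry."""
    reasons: List[str] = []
    if e.size is None or not e.path.startswith(SYSTEM_ROOT):
        return reasons
    if e.path.endswith(EXEC_EXT) and e.size == 0:
        reasons.append("zero-byte executable in the Windows directory")
    if {"s", "h"} <= e.attrs and e.size < TINY:
        reasons.append("tiny hidden+system file in the Windows directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs, in log order, for every entry worth a look."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in suspicious_reasons(entry):
            findings.append((entry.path, reason))
    return findings


# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""
2009-09-04 05:36 0 a------- c:\windows\sc.exe
2009-09-04 05:36 --d----- c:\program files\Protection System
2009-09-03 09:58 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-02 19:57 0 a------- c:\windows\SC.INS
2009-09-03 14:30 4,212 ac--h--- c:\windows\system32\zllictbl.dat
2002-12-12 11:34 81,920 ac-sh--- c:\windows\eSellerateControl300.dll
2008-05-11 16:19 23 a--sh--- c:\windows\system32\eaceb6_z.dll
2007-07-04 16:56 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

Directory entries carry no size in this format, so the parser keeps `size` as `None` for them and the heuristics skip them; the folder in the OTM script has to be judged by its name and creation date, which no size rule can do.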

Re: Win32/heur

Post by Frizzy on 4th September 2009, 10:52 pm

Here are the results from OTMoveIt:

========== SERVICES/DRIVERS ==========
Service\Driver BootScreen stopped successfully.
Service\Driver BootScreen deleted successfully.
========== FILES ==========
c:\windows\sc.exe moved successfully.
c:\program files\Protection System moved successfully.
LoadLibrary failed for c:\windows\system32\eaceb6_z.dll
c:\windows\system32\eaceb6_z.dll NOT unregistered.
c:\windows\system32\eaceb6_z.dll moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09042009_174407

The program also popped up a window that said the following:

The application or dll c:\windows\system32\eaceb6_z.dll is not a valid windows image. Please check this against your installation diskette.


Re: Win32/heur

Post by Belahzur on 5th September 2009, 9:01 pm

Hello.

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?



Re: Win32/heur

Post by Frizzy on 5th September 2009, 9:23 pm

I did as you asked and then tried to run some of the programs I have. One is Startup Manager from Cnet.com. It will not open. I get a window that says the file has been corrupted and to reinstall. It will not reinstall, and I get an AVG Resident Shield alert that states c:\WINDOWS\system32\ctfmon.exe is infected with the win32/heur virus but is white listed and cannot be moved or healed. Then I decided to try through Windows Add/Remove Programs in Control Panel. It will not open and states that "windows cannot find c:\windows\system32\rundll.32.exe". I then went to Resident Shield and found it there in the virus vault, but it is listed as infected with the win32/heur virus. There are also a number of other Windows files in the virus vault as well. What to do now?


Last edited by Frizzy on 5th September 2009, 9:24 pm; edited 1 time in total (Reason for editing : did not mean to smile!)


Re: Win32/heur

Post by Frizzy on 5th September 2009, 10:53 pm

Also upon reboot I got a message from avg that states that c:\windows\system32\alg.exe is infected with the virus and cannot be moved or healed because it is white listed as a critical file.


Re: Win32/heur

Post by Belahzur on 6th September 2009, 6:29 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Win32/heur

Post by Frizzy on 6th September 2009, 6:57 pm

I did as instructed but the program would not run. I get the following message:

ALERT! It is not safe to continue.
The contents of the combofix package has been compromised. Please download a fresh copy from [You must be registered and logged in to see this link.]
Note: You may be infected with a file patching virus "Virut".


Re: Win32/heur

Post by Origin on 6th September 2009, 10:12 pm

Try to download this version:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31503
# Likes : 0

Re: Win32/heur

Post by Frizzy on 6th September 2009, 10:49 pm

I did as you requested and the same thing happened as before. I got the same message, and when I click OK the message disappears, as well as the program icon on the desktop. This may be off the wall, but could my ZoneAlarm Pro firewall be interfering? I get many alerts while the program is trying to load and run, all of which I answer Yes to, to allow the program to function. One of them says pce.exe is trying to do something. I only mention it in case there is no pce.exe in ComboFix.


Re: Win32/heur

Post by Origin on 6th September 2009, 10:53 pm

Let's try to run ComboFix in safe mode, shall we:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the start up menu, select "Safe Mode with Networking", then do the following instructions:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.



Re: Win32/heur

Post by Frizzy on 6th September 2009, 11:49 pm

I tried running it in safe mode and got the same results as before.


Re: Win32/heur

Post by rbach5784 on 7th September 2009, 2:42 pm

I have this same thing going on with my computer.

rbach5784
Novice
Posts : 7
Joined : 2009-09-07
OS : Windows XP SP3
Points : 26499
# Likes : 0

Re: Win32/heur

Post by Frizzy on 7th September 2009, 4:07 pm

?


Re: Win32/heur

Post by rbach5784 on 7th September 2009, 4:25 pm

I tried the ComboFix thing in safe and normal too and it does the same thing for me! It's not safe.


Re: Win32/heur

Post by Belahzur on 7th September 2009, 8:26 pm

Hello.
I would say it's the end of the line; multiple legitimate system files are patched.

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and therefore the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


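The backup rules in the post above (data only; no .exe or .scr; no htm/html/asp/php; no archives holding .exe or .scr) translated into a selective copy script, as an added example that is not a tool from this forum or its helpers. It assumes that only .zip archives can be inspected with the standard library, so .cab and .rar files are refused outright rather than guessed at, and that the destination is an otherwise empty external drive as the post recommends. `demo()` builds a constructed sample tree in a temporary directory and runs the filter over it.

```python
"""Selective backup that refuses the file types Virut targets.

Added example for this thread, not a tool from the forum or its helpers.
It encodes the rules from the post above: copy documents and data only,
skip .exe and .scr, skip htm/html/asp/php, and skip archives that hold
.exe/.scr members.  Assumptions: only .zip archives can be inspected with
the standard library, so .cab and .rar are refused outright; the
destination should be an otherwise empty external drive, not another PC.
"""
import os
import shutil
import tempfile
import zipfile
from typing import List, Tuple

INFECTABLE = {".exe", ".scr"}                    # Virut appends itself to these
WEB_SCRIPTS = {".htm", ".html", ".asp", ".php"}  # modified by recent variants
INSPECTABLE_ARCHIVES = {".zip"}                  # members can be listed offline
OPAQUE_ARCHIVES = {".cab", ".rar"}               # cannot inspect here: refuse


def archive_members_at_risk(path: str) -> List[str]:
    """Names of .exe/.scr members inside a zip; an unreadable zip counts as at risk."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist()
                    if os.path.splitext(n)[1].lower() in INFECTABLE]
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]


def classify(path: str) -> Tuple[bool, str]:
    """Decide whether one file may enter the backup: (allowed, reason)."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return False, "executable or screensaver"
    if ext in WEB_SCRIPTS:
        return False, "web script file"
    if ext in OPAQUE_ARCHIVES:
        return False, "archive that cannot be inspected"
    if ext in INSPECTABLE_ARCHIVES:
        bad = archive_members_at_risk(path)
        if bad:
            return False, "archive containing " + ", ".join(bad)
    return True, "data file"


def selective_backup(src: str, dst: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Copy allowed files from src into dst, keeping the directory layout.

    Returns (copied, skipped): relative paths with '/' separators and, for
    skipped files, the reason they were refused.
    """
    copied: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            allowed, reason = classify(full)
            if not allowed:
                skipped.append((rel, reason))
                continue
            target = os.path.join(dst, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)   # keeps the data file's timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the filter over a constructed sample tree in a temporary directory."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "backup")
    samples = {  # constructed contents, not files from the infected machine
        "docs/letter.txt": b"dear sir",
        "docs/photo.jpg": b"\xff\xd8\xff",
        "setup.exe": b"MZ",
        "saver.scr": b"MZ",
        "site/index.html": b"<html></html>",
        "old.rar": b"Rar!",
    }
    for rel, data in samples.items():
        full = os.path.join(src, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(src, "clean.zip"), "w") as zf:
        zf.writestr("readme.txt", "ok")
    with zipfile.ZipFile(os.path.join(src, "tools.zip"), "w") as zf:
        zf.writestr("bin/tool.exe", "MZ")
    try:
        return selective_backup(src, dst)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

The refusal list is the useful output: it tells the owner which files they must reinstall from clean media rather than restore, which is exactly the distinction the post draws between data and software.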

Re: Win32/heur

Post by Frizzy on 7th September 2009, 8:53 pm

I was afraid of that. In fact I have been writing down all the license and serial numbers for my programs in case it led to this, and moving online all important letters or emails.

I want to thank you so much for all you tried to do. I will definitely spread the word concerning your site and as soon as I find a job I will be donating to your site.


Re: Win32/heur

Post by rbach5784 on 7th September 2009, 9:29 pm

Then that sux. Is there a way to get another Windows XP Home disc? Mine was stolen and I have no way of doing a fresh install; my computer was built by me.


Re: Win32/heur

Post by Belahzur on 7th September 2009, 11:11 pm

Sorry, we can't really help any further. Your machine has a nasty infection which can't be fixed.

You will need to buy an XP disc, that's if you can get your hands on one. MS are selling Vista now; they are trying to kill XP off.


