Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Bad dll file that I cannot kill

Post by DrPostman » November 10th, 2007, 6:42 pm

Tried all the suggestions and ran them. Nothing seems to be able to delete the problem. Any help on eliminating these would be appreciated.

Here is the HijackThis log. I have to go to work but I'll check back in about 9 hours. Thanks again in advance.

Logfile of HijackThis v1.99.1
Scan saved at 4:38:01 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - C:\WINDOWS\system32\tuvwvwt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [srePostpone] rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: awtrstt - awtrstt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\SYSTEM32\tuvwvwt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

````````````````````````````````````````````````````````````````

And the startup file log:

StartupList report, 11/10/2007, 4:36:50 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
NaturalColorLoad.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IntelMeM = "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
ISUSPM Startup = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
WinPatrol = "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} = "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
ISUSPM = "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
THGuard = "C:\Program Files\TrojanHunter 5.0\THGuard.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

srePostpone = rundll32.exe c:\windows\system32\zonelabs\srescan.dll,DoSpecialAction

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Speaking Clock Lite = C:\Program Files\Speaking Clock\SpClock.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\tuvwvwt.dll - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Trend Micro ActiveX Scan Agent 6.6]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.trendmicro.com/house ... hcImpl.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... mv9VCM.CAB

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan ... asinst.cab

[Zenturi Active Programs Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sasatl.dll
CODEBASE = http://www.programchecker.com/dll/nixon.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/get/fl ... wflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\system32\ZoneLabs\spyware.dat.zlbak||C:\BLSInfo\infoinst.exe|C:\Program Files\TrojanHunter 5.0\Quarantine\c2jE6cj.dat|F:\New Downloaded Programs\Older\wrar351.exe|C:\Program Files\TrojanHunter 5.0\Quarantine\kDaE3UER.dat|C:\WINDOWS\temp\ZLT0785a.TMP||C:\WINDOWS\temp\ZLT07864.TMP||C:\Documents and Settings\Jamie\Local Settings\temp\~DFB7AD.tmp||C:\Documents and Settings\Jamie\Local Settings\temp\~DFDA57.tmp||C:\Documents and Settings\Jamie\Local Settings\temp\~DFB7AD.tmp||C:\Documents and Settings\Jamie\Local Settings\temp\~DFDA57.tmp||C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\Jamie\cookies\index.dat||C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\content.ie5\index.dat||C:\Documents and Settings\LocalService\cookies\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 7,467 bytes
Report generated in 0.203 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Post by ndmmxiaomayi » November 11th, 2007, 12:36 am

Hi DrPostman. :)

Step 1

We need to disable several protection programs before continuing as they may interfere with the fixes. They will be re-enabled once your computer is clean.

Winpatrol

  1. Right click on the Scotty Dog near the clock and select Options.... A window will open.
  2. Select the Options tab.
  3. Uncheck (untick) this box: Automatically run Winpatrol when computer starts.
  4. Close the Winpatrol window.
  5. Right click on the Scotty Dog again and select Exit Program.

Teatimer

  1. If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

  1. If you have version 1.4, go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  2. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  3. On the left hand side, click on Tools.
  4. Check (tick) this box if it is not yet ticked: Resident.
  5. You will notice that Resident is now added under Tools. Click on Resident.
  6. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  7. Exit Spybot Search & Destroy.
  8. Restart your computer for the changes to take effect.

Windows Defender

  1. Go to Start > All Programs > Windows Defender.
  2. Click on Tools at the top.
  3. Under Settings, click on Options.
  4. Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  5. Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  6. Click on the Save button at the bottom right hand corner.

Trojan Hunter

  1. Right click on TrojanHunter icon in the system tray (next to the clock) and select Settings.
  2. Uncheck (untick) all the boxes.
  3. Click Unload. Click OK when it prompts you.

Step 2

Please download Combofix from Tech Support Forum. Save it to your desktop.

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Step 3

  1. Open HijackThis.
  2. Click on Open the Misc Tools section.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please copy and paste the contents of this log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. The Uninstall list
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Post by DrPostman » November 11th, 2007, 5:30 am

Well, I followed the instructions to the letter, and ended up getting the blue screen of death after I was notified that the computer would reboot. One other thing, throughout the process I was constantly getting permission requests from ZoneAlarm, which I gave. When it rebooted I also got two virus alarms from AVG. Anyway, I will follow any further suggestions and hope for the best. Here is what you wanted me to post:

Combofix log:

ComboFix 07-11-08.1 - Jamie 2007-11-11 2:51:06.1 - NTFSx86
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1848OinUninstaller.exe
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 02:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 06:47 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\TrojanHunter
2007-11-10 05:14 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-10 03:11 36,864 --------- C:\WINDOWS\system32\tuvwvwt.dll
2007-11-09 01:02 208,996 --a------ C:\WINDOWS\system32\MuteHook.dll
2007-11-09 01:00 208,997 --a------ C:\WINDOWS\system32\MyCfHook.dll
2007-11-06 23:16 <DIR> d-------- C:\Program Files\VirtualDJ
2007-11-06 06:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-23 00:30 <DIR> d-------- C:\Program Files\Crocodile 2.0
2007-10-20 15:58 <DIR> d-------- C:\Program Files\SuperWebcam
2007-10-20 15:57 31,872 --a------ C:\WINDOWS\system32\drivers\superwebcam.sys
2007-10-18 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-18 00:25 <DIR> d-------- C:\users
2007-10-18 00:25 <DIR> d-------- C:\My Games
2007-10-18 00:22 <DIR> d-------- C:\Program Files\RealArcade
2007-10-11 19:19 <DIR> d-------- C:\Program Files\MTV Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-11 08:02 --------- d-----w C:\Documents and Settings\Jamie\Application Data\SiteAdvisor
2007-11-11 06:32 --------- d-----w C:\Program Files\Kermit
2007-11-10 16:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-10 09:57 --------- d-----w C:\Documents and Settings\Jamie\Application Data\AVG7
2007-11-10 09:45 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Registry Booster
2007-11-10 09:04 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-10 09:04 --------- d-----w C:\Documents and Settings\Jamie\Application Data\uTorrent
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-30 04:29 --------- d-----w C:\Program Files\Google
2007-10-29 22:10 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Camfrog
2007-10-27 01:44 --------- d-----w C:\Program Files\WebcamMax
2007-10-27 01:38 --------- d-----w C:\Program Files\RSSoft
2007-10-22 05:23 --------- d-----w C:\Program Files\Camfrog DJ
2007-10-20 21:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 15:56 --------- d-----w C:\Program Files\Game Elements PC Recoil Pad
2007-10-06 01:00 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Webcammax
2007-09-27 20:18 --------- d-----w C:\Program Files\Java
2007-09-20 07:46 --------- d-----w C:\Program Files\ICE
2007-09-18 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-14 01:11 --------- d-----w C:\Documents and Settings\Jamie\Application Data\MySpace
2007-09-14 01:10 --------- d-----w C:\Program Files\MySpace
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-03-09 11:11:11 1,185,077 --sh--w C:\WINDOWS\system32\rttss.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A}]
2007-11-10 03:11 36864 --------- C:\WINDOWS\system32\tuvwvwt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 15:48]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 23:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 06:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Lite"="C:\Program Files\Speaking Clock\SpClock.exe" [2003-03-02 10:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-02-22 22:15:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A}"= C:\WINDOWS\system32\tuvwvwt.dll [2007-11-10 03:11 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrstt]
awtrstt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]
C:\WINDOWS\system32\ssttr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvwt]
tuvwvwt.dll 2007-11-10 03:11 36864 C:\WINDOWS\system32\tuvwvwt.dll

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys
R3 PAC207;PC Camer@;C:\WINDOWS\system32\DRIVERS\PFC027.SYS
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys
S3 gkmixern;gkmixern;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gkmixern.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 09:08:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 03:07:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-11 3:13:27 - machine was rebooted
.
--- E O F ---

Uninstall list:

µTorrent
ACDSee 7.0 PowerPack
Aces High II
Ad-Aware SE Personal
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Age of Sail II
AVG 7.5
Bazooka Scanner
Bejeweled 2 Deluxe
Belarc Advisor 7.0
BellSouth FastAccess DSL Help Center
Broadcom Management Programs
Camfrog DJ
CCleaner (remove only)
CO2 Saver
Crocodile 2.0
DAEMON Tools
DawnOfWar
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell Support 3.1
Demolition Racer
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Dragons Abode
EA downloader
EA SPORTS online 2007
Express Burn Uninstall
Express Rip Uninstall
Fire Ice Scopes OpenGL Plug-in (remove only)
Foxit Reader
Google Earth
Google Gmail Notifier
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Video Player
GT Interactive - Driver
GTA2
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HPS Campaign Waterloo
HPS Tsushima
Ice Camfrog Extension
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics Driver
Internet Explorer Default Page
IrisAPE 1.0
IsoBuster 1.9.1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Jasc Paint Shop Pro Studio.01 , Dell Edition 1.0.1.1 Patch
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Kermit
Learn2 Player (Uninstall Only)
Lizardtech DjVu Control
Lottso! de Luxe
Macromedia Flash Player
Macromedia Flash Player 8
Macromedia Shockwave Player
Madden NFL 07
ManyCam 2.1 (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Combat Flight Simulator 2
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Miss Piggy
Modem Event Monitor
Monopoly 3
Monopoly by Parker Brothers
Mozilla Firefox (2.0.0.9)
MrRobot 1.05
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Multilingual Speaking Clock 2.5
Musicmatch® Jukebox
MySpaceIM
Natural Color
Nero 7 Ultra Edition
neroxml
Neverwinter Nights Platinum Edition
Opera 9.23
PC CIF Camer@
PeerGuardian 2.0
PGIII Scorched Earth
PhoTags Express
Photo Click
PowerDVD 5.5
QuickTime
RarZilla Free Unrar 1.00
RealArcade
RealPlayer
RecordPad Sound Recorder Uninstall
Red Ace Squadron
Rhapsody Player Engine
SBNews: News Robot v 10.2
Security Task Manager 1.7e
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Serious Sam: The First Encounter
Serious Sam: The Second Encounter
Spybot - Search & Destroy 1.4
Starscape V1.5c
Steel Panthers World At War v8.20
Super Webcam
The Operational Art of War III
The Operational Art of War: Century of Warfare
TrojanHunter 5.0
Uniblue Registry Booster
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Virtual DJ - Atomix Productions
Vongo
War Plan Orange
WavePad Uninstall
WD Diagnostics
WebCyberCoach 3.2 Dell
WinAce Archiver
Winamp (remove only)
WinAVI Video Converter
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinPatrol
WinPatrol 2007 Restore/Remove First
WinPatrol 2007 Step 2
WinRAR archiver
WinSPMBT
WinSPWW2 Ver 1.1B Upgrade
WinSPWW2v1 DL Edition
WinZip
Yahtzee Download Edition
ZoneAlarm Pro

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:11 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - C:\WINDOWS\system32\tuvwvwt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: awtrstt - awtrstt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\SYSTEM32\tuvwvwt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Unread postby ndmmxiaomayi » November 11th, 2007, 5:50 am

Hi DrPostman,

Sorry to hear that. :(

When did you get the Blue Screen of Death?
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby DrPostman » November 11th, 2007, 5:56 am

Just as combofix was about to reboot. I unplugged the computer and then
turned it back on, and the process continued. Should I do all those steps
all over again? And what to do with the permission notices I get from
ZoneAlarm?

Thanks again for the help.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Unread postby ndmmxiaomayi » November 11th, 2007, 6:02 am

Please hold on for a while. I'll ask the developer of Combofix before moving on.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby DrPostman » November 11th, 2007, 6:04 am

Thanks, I'll be up for a few hours and I'll keep checking back.
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Bad dll file that I cannot kill

Unread postby DrPostman » November 11th, 2007, 6:16 pm

Any luck yet? AVG found that bad dll file today, but I'm not sure if it got
moved to the virus vault since my computer had slowed to a crawl and
I had to reboot after telling it to move it there. I'm about to run AVG
again.

I have to go to work, so I will check back in about 9 hours.

Thanks again.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Bad dll file that I cannot kill

Unread postby ndmmxiaomayi » November 11th, 2007, 8:34 pm

Hi DrPostman,

Sorry for the wait. The developer has not replied yet. Please hang on.
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Bad dll file that I cannot kill

Unread postby DrPostman » November 12th, 2007, 4:56 am

Update. AVG got the dll file and it's in the virus vault. Now I get this for the HijackThis line:
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - C:\WINDOWS\system32\tuvwvwt.dll (file missing)
So, I'm guessing that if I delete it from the vault it will go away for good?

I'll keep standing by for the developer too. Thanks for helping me with this. It
seems that you've already been a good deal of help so far.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Bad dll file that I cannot kill

Unread postby ndmmxiaomayi » November 12th, 2007, 8:56 am

Hi Jamie. :)

Step 1

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code:
File::
C:\WINDOWS\system32\tuvwvwt.dll
C:\WINDOWS\system32\rttss.bak1

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrstt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssttr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvwvwt]


Click on File > Save As....

In the File Name box, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. Please post back the Combofix log in your next reply.

Step 2

Please go to Virus Total or Jotti and upload C:\WINDOWS\system32\MuteHook.dll for scanning.

For Virus Total

  1. Please copy and paste C:\WINDOWS\system32\MuteHook.dll in the text box next to the Browse button.
  2. Click on Send File.

For Jotti

  1. Please copy and paste C:\WINDOWS\system32\MuteHook.dll in the text box next to the Browse button.
  2. Click on Submit.

Repeat for this file: C:\WINDOWS\system32\MyCfHook.dll

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. Virus Total or Jotti's scan results of the 2 files
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
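The Step 1 script above was derived by hand from the O2 and O20 lines of the HijackThis log posted earlier in this thread. As an added example that is not part of the thread and not a tool of the forum or of ComboFix, the Python script below applies the same two triage rules to a constructed sample (lines copied from that log plus one benign O4 line): it flags an unnamed BHO loading from system32 and Winlogon Notify packages that are orphaned or outside an assumed known-good baseline, then drafts File:: and Registry:: sections in the layout CFScript.txt uses above. The KNOWN_NOTIFY baseline is an assumption, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O2/O20 lines copied from the HijackThis log posted
# earlier in this thread, plus one benign O4 line, so the script runs offline.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {2B3CF38E-7433-46B3-9C04-DEA9E0EFD98A} - C:\WINDOWS\system32\tuvwvwt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: awtrstt - awtrstt.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll (file missing)
O20 - Winlogon Notify: tuvwvwt - C:\WINDOWS\SYSTEM32\tuvwvwt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed baseline (not from the thread): the Winlogon Notify packages a stock
# XP SP2 install registers, plus the Intel graphics and WGA entries this log shows.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule", "sclgntfy",
    "SensLogn", "termsrv", "wlballoon", "igfxcui", "WgaLogon",
}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
MISSING = "(file missing)"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


@dataclass
class Finding:
    section: str   # HijackThis section, O2 or O20
    name: str      # BHO file name or Winlogon Notify package name
    path: str      # path exactly as HijackThis printed it
    reason: str
    clsid: str = ""


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, ignoring the header."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Apply the two rules used in the thread: unnamed BHOs living in system32,
    and Winlogon Notify packages that are orphaned or outside the baseline."""
    findings = []
    for section, body in entries:
        if section == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)" and "\\system32\\" in m.group("path").lower():
                path = m.group("path")
                fname = path.replace(MISSING, "").strip().rsplit("\\", 1)[-1]
                findings.append(Finding("O2", fname, path, "unnamed BHO loading from system32", m.group("clsid")))
        elif section == "O20":
            m = NOTIFY_RE.match(body)
            if not m:
                continue
            name, path = m.group("name"), m.group("path")
            if MISSING in path:
                findings.append(Finding("O20", name, path, "Winlogon Notify entry whose DLL is gone"))
            elif name not in KNOWN_NOTIFY:
                findings.append(Finding("O20", name, path, "Winlogon Notify package outside the assumed baseline"))
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections in the layout of the CFScript.txt above."""
    files, reg = {}, []
    for f in findings:
        if MISSING not in f.path and ":\\" in f.path:
            files.setdefault(f.path.lower(), f.path)   # dedupe case-insensitively
        if f.section == "O2":
            # Same three lines the thread's script used for the BHO CLSID.
            reg += [f"[-{BHO_KEY}\\{f.clsid}]", f"[{SEH_KEY}]", f'"{f.clsid}"=-']
        else:
            reg.append(f"[-{NOTIFY_KEY}\\{f.name}]")
    lines = (["File::"] + list(files.values()) + [""]) if files else []
    return "\n".join(lines + ["Registry::"] + reg) + "\n"


if __name__ == "__main__":
    found = triage(parse_hjt(HJT_SAMPLE))
    for f in found:
        print(f"{f.section} {f.name}: {f.reason}")
    print(build_cfscript(found))
```

The draft is a starting point for review, not something to feed to ComboFix unread: the baseline rule will flag legitimate third-party Notify packages it does not know about.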

Re: Bad dll file that I cannot kill

Unread postby DrPostman » November 12th, 2007, 9:54 am

Ok, here we go:

Combofix log:

ComboFix 07-11-08.1 - Jamie 2007-11-12 7:07:34.2 - NTFSx86
Running from: C:\Documents and Settings\Jamie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jamie\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\tuvwvwt.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rttss.bak1

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 02:47 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 06:47 <DIR> d-------- C:\Documents and Settings\Jamie\Application Data\TrojanHunter
2007-11-10 05:14 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-11-09 01:02 208,996 --a------ C:\WINDOWS\system32\MuteHook.dll
2007-11-09 01:00 208,997 --a------ C:\WINDOWS\system32\MyCfHook.dll
2007-11-06 23:16 <DIR> d-------- C:\Program Files\VirtualDJ
2007-11-06 06:52 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-26 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-23 00:30 <DIR> d-------- C:\Program Files\Crocodile 2.0
2007-10-20 15:58 <DIR> d-------- C:\Program Files\SuperWebcam
2007-10-20 15:57 31,872 --a------ C:\WINDOWS\system32\drivers\superwebcam.sys
2007-10-18 00:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-18 00:25 <DIR> d-------- C:\users
2007-10-18 00:25 <DIR> d-------- C:\My Games
2007-10-18 00:22 <DIR> d-------- C:\Program Files\RealArcade

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 12:51 --------- d-----w C:\Documents and Settings\Jamie\Application Data\SiteAdvisor
2007-11-11 22:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-11 12:28 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-11 06:32 --------- d-----w C:\Program Files\Kermit
2007-11-10 09:57 --------- d-----w C:\Documents and Settings\Jamie\Application Data\AVG7
2007-11-10 09:45 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Registry Booster
2007-11-10 09:04 --------- d-----w C:\Documents and Settings\Jamie\Application Data\uTorrent
2007-11-08 12:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-30 04:29 --------- d-----w C:\Program Files\Google
2007-10-29 22:10 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Camfrog
2007-10-27 01:44 --------- d-----w C:\Program Files\WebcamMax
2007-10-27 01:38 --------- d-----w C:\Program Files\RSSoft
2007-10-22 05:23 --------- d-----w C:\Program Files\Camfrog DJ
2007-10-20 21:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 01:19 --------- d-----w C:\Program Files\MTV Networks
2007-10-11 15:56 --------- d-----w C:\Program Files\Game Elements PC Recoil Pad
2007-10-06 01:00 --------- d-----w C:\Documents and Settings\Jamie\Application Data\Webcammax
2007-09-27 20:18 --------- d-----w C:\Program Files\Java
2007-09-20 07:46 --------- d-----w C:\Program Files\ICE
2007-09-18 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-09-14 01:11 --------- d-----w C:\Documents and Settings\Jamie\Application Data\MySpace
2007-09-14 01:10 --------- d-----w C:\Program Files\MySpace
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_ 3.08.56.28 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-11 08:19:14 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-11-12 07:30:16 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 19:12]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 15:48]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 16:34]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-08 23:02]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 06:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Lite"="C:\Program Files\Speaking Clock\SpClock.exe" [2003-03-02 10:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
NaturalColorLoad.lnk - C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe [2006-02-22 22:15:49]

R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;C:\WINDOWS\system32\DRIVERS\ManyCam.sys
R3 PAC207;PC Camer@;C:\WINDOWS\system32\DRIVERS\PFC027.SYS
R3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;C:\WINDOWS\system32\DRIVERS\superwebcam.sys
S3 gkmixern;gkmixern;\??\C:\DOCUME~1\Jamie\LOCALS~1\Temp\gkmixern.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 22:10:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 07:12:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 7:14:04
C:\ComboFix2.txt ... 2007-11-11 03:13
.
--- E O F ---

============================================================================
Virus Total results:
File MuteHook.dll received on 11.12.2007 14:24:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Additional information
File size: 208996 bytes
MD5: 9e649ade6b670813d78fddd283911433
SHA1: 345c38ef080a395ab3d3f3400a26d9076c3e721b

File MyCfHook.dll received on 11.12.2007 14:43:23 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Additional information
File size: 208997 bytes
MD5: e7dad9f25fc84e2c0d86e79f55179528
SHA1: 13c9207a5e63a4dda32ec4bb586279c6e08eff64
==================================================================

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:53:10 AM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks again. Off to bed for me. I'll check back again in 7 hours.

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Bad dll file that I cannot kill

Unread postby ndmmxiaomayi » November 12th, 2007, 1:20 pm

Hi Jamie. :)

  1. Please download the latest version of Icesword from here.
  2. Right click on IceSword122en.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Check (tick) the Show extracted files box.
  6. Create a new folder on your desktop (right click on desktop, select New > Folder), name it Bad.
  7. Double click on Icesword.exe to run it.
  8. Click on File on the left hand side.
  9. Click on the + sign next to C drive to expand it.
  10. Click on the + sign next to WINDOWS to expand it.
  11. Click on the + sign next to System32 to expand it.
  12. Click on System32 to select it. Make sure the System32 folder is highlighted. An image is below for your reference.

    http://xs218.xs.to/xs218/07333/icesword.PNG
  13. On your right hand side, right click on MuteHook.dll and select Copy to....
  14. Navigate to the Bad folder created in Step 6. In the File Name field, copy and paste in MuteHook.dll.
  15. Click Save.

Repeat Steps 9 to 14 for this file as well: C:\WINDOWS\system32\MyCfHook.dll

Note: Do not use the same file name as used in Step 13 when copying the files. This will overwrite the previous file. Use the bolded file name for each of the files.

Please upload these files to Virus Total or Jotti again for a scan.

The file paths are:

1. C:\Documents and Settings\Jamie\Desktop\Bad\MuteHook.dll
2. C:\Documents and Settings\Jamie\Desktop\Bad\MyCfHook.dll

In your next reply, please post:

  1. The scan results of the 2 files from the Bad folder
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Re: Bad dll file that I cannot kill

Unread postby DrPostman » November 13th, 2007, 4:57 am

Here we go with the latest.

VirusTotal results:
File MuteHook.dll received on 11.13.2007 09:39:35 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Additional information
File size: 208996 bytes
MD5: 9e649ade6b670813d78fddd283911433
SHA1: 345c38ef080a395ab3d3f3400a26d9076c3e721b

File MyCfHook.dll received on 11.13.2007 09:45:09 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/31 (0%)
Additional information
File size: 208997 bytes
MD5: e7dad9f25fc84e2c0d86e79f55179528
SHA1: 13c9207a5e63a4dda32ec4bb586279c6e08eff64
=====================================================

HijackThis result:

Logfile of HijackThis v1.99.1
Scan saved at 2:56:37 AM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Speaking Clock\SpClock.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trendmicro.com/hc_intro/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Speaking Clock Lite] C:\Program Files\Speaking Clock\SpClock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.memphiszoo.org
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A364AF35-0CDF-41E8-8F3B-E0E55E15EBA1} (Zenturi Active Programs Control) - http://www.programchecker.com/dll/nixon.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


It seems like things are clear now. AVG didn't find any viruses during its
scan today. Am I ok now?

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am

Re: Bad dll file that I cannot kill

Unread postby DrPostman » November 14th, 2007, 6:55 am

Not to hurry things but it's been a little while since I
replied with the last request. Any thoughts on how
my system looks now?

Jamie
DrPostman
Regular Member
 
Posts: 41
Joined: November 10th, 2007, 7:01 am