# Trojan Virus help



## Nozza (Mar 1, 2006)

Peeps, 

Managed to get a few trojans on the PC last night, which made it all run crappy, so I have done Virus Check, and used Spybot to get rid of everything, the only problem now is that I have two RUNDLL errors when loading up the PC, one is Error loading qtru.ifo, and the other is C:\WINDOWS\uyasizeb.dll, both saying the specified module could not be found. I realise they both relate to the Trojans, but how do I get rid of them?

Thanks in advance

Noz


----------



## kings.. (Aug 28, 2007)

what antivirus do you use??


----------



## nick-a6 (Jun 9, 2007)

They will be the remains on the trojan virus

start>run>msconfig>startup
Untick the files you have listed from the startup, click apply reboot job sorted.

Although generaly I say wipe a PC if its had a virus


----------



## Matt197 (Dec 27, 2006)

Spybot is not the best tool for the job anymore, get your self a copy of Malwarebytes from HERE and make sure once it's installed to update it.

Once you have removed what is left with Malwarebytes then download HijackThis from HERE

Now you have installed HijackThis, run the program and click on "Do a system scan and save a log file" once it has done a scan it will pop up notepad with a log, copy and past the whole log into your reply.


----------



## Nozza (Mar 1, 2006)

cheers for the reply all, I've got a 1tb hard drive so I'm just going to back up the important stuff and then reformat the hdd and start again, my PC is really slow now (using the laptop now) so think it best to start again.

I use Mcafee, for what it's worth lol


Matt, if my PC lets me I'll do what you say and post on here.


----------



## Blazebro (May 18, 2007)

Get a copy of Kaspersky Internet Security 2010 and it will kill everything. it's a bit heavy on RAM (if you have 1gig+ it'll be fine), but it works, simple. Cheapest place atm is Amazon where it's about £20 for a year. Small price to pay imo.


----------



## ardandy (Aug 18, 2006)

NOD32 here!

If you want a free Anti-V Microsoft Essentials is very good for nothing as well.


----------



## Nozza (Mar 1, 2006)

This is what I ended up with, the only prob now is that IE takes a long time to load up, but no more DLL errors.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:53, on 04/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=explorer.exe rundll32.exe qtru.lfo gynfhtv
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate1c98c16d15483c) (gupdate1c98c16d15483c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11038 bytes


----------



## Matt197 (Dec 27, 2006)

Good news is it looks like we can get your system back up and running with out having to format your computer, its up to you what route you chose but I will go through the process of removing the remainder of the infection anyway.

*STEP 1*
Disable and Close all anti-spyware, anti-malware antivirus real-time protection and make sure you have nothing open.

*STEP 2*
Download the following programs:

ComboFix
CCleaner

*STEP 3*

Confirm *STEP 1* has been followed and open and run ComboFix.exe

A command prompt will then open, it may ask you to install Microsoft Recovery Console click yes and it will download it for you, follow the instruction.

While ComboFux is running it will restart your computer automatically so just leave it to do its thing, it will take around 15min to complete.

*STEP 4*

Once ComboFix has finished it will show a log file, copy and past this into your reply *along with a new HijackThis report*.

*STEP 5*

Install and run CCleaner, make sure when you install CCleaner that you do not install the yahoo toolbar (unless you want to)


----------



## Nozza (Mar 1, 2006)

Thanks Matt:

ComboFix 10-02-03.08 - Administrator 04/02/2010 19:23:54.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2943.2319 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{7E4BCC4C-BD3B-427A-BAB1-1DD70C54625E}
c:\documents and settings\Administrator\Local Settings\Application Data\{7E4BCC4C-BD3B-427A-BAB1-1DD70C54625E}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{7E4BCC4C-BD3B-427A-BAB1-1DD70C54625E}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{7E4BCC4C-BD3B-427A-BAB1-1DD70C54625E}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{7E4BCC4C-BD3B-427A-BAB1-1DD70C54625E}\install.rdf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 15:48 . 2010-02-04 15:48	--------	d-----w-	c:\program files\Trend Micro
2010-02-04 15:00 . 2010-02-04 15:00	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-04 15:00 . 2010-01-07 16:07	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-04 15:00 . 2010-02-04 15:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-04 15:00 . 2010-02-04 15:00	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-02-04 15:00 . 2010-01-07 16:07	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-02-03 23:21 . 2010-02-03 23:36	--------	d-----w-	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-03 23:21 . 2010-02-03 23:23	--------	d-----w-	c:\program files\Spybot - Search & Destroy
2010-02-03 21:44 . 2010-02-03 21:44	--------	d-----w-	c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-02-03 21:44 . 2010-02-03 21:44	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Yahoo!
2010-02-03 21:43 . 2010-02-03 21:44	--------	d-----w-	c:\program files\Yahoo!
2010-02-03 21:43 . 2010-02-03 21:44	--------	d-----w-	c:\program files\CCleaner
2010-02-03 20:56 . 2010-02-03 20:56	--------	d-----w-	c:\documents and settings\Administrator\Application Data\ErrorWiz
2010-02-03 20:31 . 2010-02-03 20:31	0	----a-w-	c:\windows\Inotesofihutafuz.bin
2010-02-03 20:31 . 2010-02-03 23:01	120	----a-w-	c:\windows\Hkaqisuzoger.dat
2010-02-03 16:06 . 2010-02-03 23:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\DriverScanner
2010-02-03 16:06 . 2010-02-03 23:04	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Uniblue
2010-02-03 08:11 . 2010-02-03 08:11	--------	d-----w-	c:\program files\ImTOO
2010-02-03 08:03 . 2010-02-03 08:04	--------	d-----w-	c:\documents and settings\All Users\Application Data\Solid MP4 Video Converter
2010-02-01 20:32 . 2010-02-01 20:32	--------	d-----w-	c:\documents and settings\Administrator\Application Data\AVS4YOU
2010-02-01 20:32 . 2010-02-01 20:32	--------	d-----w-	c:\documents and settings\All Users\Application Data\AVS4YOU
2010-02-01 20:31 . 2010-02-01 20:31	--------	d-----w-	c:\program files\Common Files\AVSMedia
2010-02-01 20:31 . 2010-02-01 20:32	--------	d-----w-	c:\program files\AVS4YOU
2010-02-01 20:31 . 2007-02-27 18:36	974848	----a-w-	c:\windows\system32\mfc70.dll
2010-02-01 20:31 . 2007-02-27 18:36	487424	----a-w-	c:\windows\system32\msvcp70.dll
2010-02-01 20:31 . 2007-02-27 18:36	344064	----a-w-	c:\windows\system32\msvcr70.dll
2010-02-01 20:31 . 2007-02-27 18:36	1700352	----a-w-	c:\windows\system32\GdiPlus.dll
2010-02-01 20:31 . 2007-02-27 18:36	24576	----a-w-	c:\windows\system32\msxml3a.dll
2010-01-31 20:26 . 2010-01-31 20:37	--------	d-----w-	c:\documents and settings\Administrator\Local Settings\Application Data\Canon Easy-PhotoPrint EX
2010-01-27 09:31 . 2010-01-27 09:31	--------	d-----w-	c:\program files\Common Files\Java
2010-01-27 09:31 . 2010-01-27 09:31	503808	----a-w-	c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b4521a0-n\msvcp71.dll
2010-01-27 09:31 . 2010-01-27 09:31	348160	----a-w-	c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b4521a0-n\msvcr71.dll
2010-01-27 09:31 . 2010-01-27 09:31	499712	----a-w-	c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4b4521a0-n\jmc.dll
2010-01-27 09:31 . 2010-01-27 09:31	61440	----a-w-	c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a7c4eb4-n\decora-sse.dll
2010-01-27 09:31 . 2010-01-27 09:31	12800	----a-w-	c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6a7c4eb4-n\decora-d3d.dll
2010-01-08 15:00 . 2009-11-19 16:58	23096	----a-w-	c:\windows\system32\drivers\DrmRAudio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 15:30 . 2009-07-12 08:49	--------	d-----w-	c:\documents and settings\Administrator\Application Data\vlc
2010-02-03 15:09 . 2009-05-25 17:59	--------	d-----w-	c:\documents and settings\Administrator\Application Data\uTorrent
2010-02-02 14:22 . 2009-02-11 06:57	--------	d-----w-	c:\documents and settings\All Users\Application Data\Google Updater
2010-01-31 20:27 . 2009-03-18 17:30	--------	d-----w-	c:\documents and settings\Administrator\Application Data\Canon
2010-01-31 17:18 . 2009-02-11 06:57	--------	d-----w-	c:\program files\Google
2010-01-27 09:31 . 2009-03-10 16:46	--------	d-----w-	c:\program files\Java
2010-01-25 12:47 . 2009-07-08 19:01	--------	d-----w-	c:\program files\Common Files\Adobe AIR
2010-01-25 12:25 . 2009-08-20 12:02	38784	----a-w-	c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 12:25 . 2009-07-08 19:01	38784	----a-w-	c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-20 19:45 . 2009-03-14 08:26	--------	d-----w-	c:\program files\Microsoft Silverlight
2010-01-13 13:48 . 2009-02-06 13:35	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-08 17:04 . 2009-08-16 19:44	--------	d-----w-	c:\program files\Online TV Player 4
2010-01-08 17:03 . 2009-08-15 07:20	--------	d-----w-	c:\program files\LEGO Company
2009-12-31 18:26 . 2009-12-31 18:24	--------	d-----w-	c:\program files\Acoustica Mixcraft
2009-12-31 18:25 . 2009-12-31 18:25	--------	d-----w-	c:\program files\Acoustica Shared Effects
2009-12-21 19:14 . 2008-04-14 02:42	916480	----a-w-	c:\windows\system32\wininet.dll
2009-12-20 16:54 . 2009-02-06 15:33	--------	d-----w-	c:\documents and settings\All Users\Application Data\WinZip
2009-12-17 19:25 . 2009-02-20 14:09	--------	d-----w-	c:\program files\McAfee
2009-12-17 17:14 . 2009-02-06 17:06	411368	----a-w-	c:\windows\system32\deploytk.dll
2009-12-01 12:29 . 2009-09-18 17:49	56136	---ha-w-	c:\windows\system32\mlfcache.dat
2009-12-01 11:44 . 2009-02-06 15:14	68456	----a-w-	c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-26 18:31 . 2009-11-26 18:31	3351812	----a-w-	c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\msxml6Exec.exe
2009-11-26 18:31 . 2009-11-26 18:31	36864	----a-w-	c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\Sleep.exe
2009-11-26 18:31 . 2009-11-26 18:31	3203453	----a-w-	c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\Installer\CommonCustomActions\vcredistExec.exe
2009-11-26 18:31 . 2009-11-26 18:32	24403616	----a-w-	c:\documents and settings\All Users\Application Data\Installations\{4C911A61-39EA-41CC-AB3C-FE3BFFDB5F78}\NokiaSoftwareUpdaterSetup_en[1].exe
2009-11-21 15:51 . 2008-04-14 02:41	471552	----a-w-	c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-11 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"nwiz"="nwiz.exe" [2009-02-09 1657376]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-05-14 29831168]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-14 95744]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/02/2009 14:12 93320]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [06/02/2009 15:32 238080]
S2 gupdate1c98c16d15483c;Google Update Service (gupdate1c98c16d15483c);c:\program files\Google\Update\GoogleUpdate.exe [11/02/2009 06:57 133104]
S3 DrmRAudio;DrmRAudio;c:\windows\system32\drivers\DrmRAudio.sys [08/01/2010 15:00 23096]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/02/2009 16:50 13224]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [26/11/2009 18:33 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [26/11/2009 18:33 8320]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [31/07/2009 07:12 341504]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [06/02/2009 17:27 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [06/02/2009 17:27 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [06/02/2009 17:27 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [06/02/2009 17:27 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [06/02/2009 17:27 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [06/02/2009 17:27 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [06/02/2009 17:27 115752]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [06/02/2009 17:27 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [06/02/2009 17:27 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [06/02/2009 17:27 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [06/02/2009 17:27 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [06/02/2009 17:27 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [06/02/2009 17:27 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [06/02/2009 17:27 117672]
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-02-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-11 14:22]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 06:57]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 06:57]

2009-02-20 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-20 11:22]

2009-02-20 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-20 11:22]

2010-02-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]

2010-02-03 c:\windows\Tasks\User_Feed_Synchronization-{D373DDC3-74B0-4452-81D5-BCA17C59F51F}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-04 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1580818891-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,43,a5,10,d6,b2,71,47,a4,07,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,89,43,a5,10,d6,b2,71,47,a4,07,c8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\nvLsp.dll
.
Completion time: 2010-02-04 19:28:25
ComboFix-quarantined-files.txt 2010-02-04 19:28

Pre-Run: 107,469,938,688 bytes free
Post-Run: 107,460,087,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptOut
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional"=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\C="Microsoft Windows XP Professional"=optin /fastdetect

- - End Of File - - 95E2568711E994BC3CE05997D8F828EA


----------



## Nozza (Mar 1, 2006)

next bit!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:23, on 04/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.8.1/GarminAxControl.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: Google Update Service (gupdate1c98c16d15483c) (gupdate1c98c16d15483c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10247 bytes

The beers are on me!


----------



## Matt197 (Dec 27, 2006)

How does the computer feel now?

Looks like most of the infection has been removed, now just need to do a bit of cleaning.

*STEP 1*

Open HijackThis and this time only click on "Do a system scan only"

Once the scan is complete tick the following.

*O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll*

Make shure you tick the right ones, when all of them are checked click "Fix Checked"

*STEP 2*

I noticed you are running an out of date version of Java.

To update,

1. Go to control panel and change the view to "Classic" 
2. You should see an icon for Java listed, double click it
3. Click the "Update" tab alone the top
4. Then "Update Now"

I would say your computer is now infection free, but if you have any problems such as websites redirecting on you then we may have to run another piece of software to clean your HOST files :thumb:


----------



## Nozza (Mar 1, 2006)

The PC feels OK now to be honest Matt, thanks again for all your help! I'll do the bits you say and report back.


----------



## Nozza (Mar 1, 2006)

right, for the 010 bits, it says to download LSPfix for that,as it cannot repair 010 winsock LSP entries.


----------



## Matt197 (Dec 27, 2006)

Thats fine, as long as the other ones have been removed.

And no problem glad I was able to help :thumb:


----------



## Nozza (Mar 1, 2006)

thanks mate, I definately owe you a few beers! It's working fine now, but I'm backing everything up just in case, got a 1TB External drive now to whack everything on, got stuff I don't want to lose so backing it all up!


----------



## Nozza (Mar 1, 2006)

PC is still running OK, but I'm doing more scans just in case.


----------



## Matt197 (Dec 27, 2006)

Missed your last reply, it’s a good idea to get in the habit of backing up your files anyway, never know what’s around the corner.


----------



## Brian.Morin (Feb 9, 2010)

Hi everyone. I have read everything here! Why you say??? I have had the same error messages etc. I have gotten to the stage where I have run Haijac this. It other words I have done. 

Combfix
ccleaner 
Hijack this. and have reports. Could I post them here??? As when I did the Hijack this routine, at the end it said to post it here (button). I clicked and it told me I had no internet connection. I was on the net and surfing this site at the time.... Anyway, if you give me permission I will post my results here. If that is exceptable, just let me know which log(s) to post. Otherwise, please direct me to the next steps I should take please. 

Thank in advance for being here. 
bri


----------



## Matt197 (Dec 27, 2006)

Brian.Morin said:


> Hi everyone. I have read everything here! Why you say??? I have had the same error messages etc. I have gotten to the stage where I have run Haijac this. It other words I have done.
> 
> Combfix
> ccleaner
> ...


Hi Brian,

I should have stated that these directions were posed just for Nozza and should not be followed by anyone else.

Reason why is that every circumstance is different and what works for one type of infection will not always work for another, and Combfix is a very powerfully program that can do more harm that good if used incorrectly.

Your best bet is to start a new thread in "The Tech & Gadget Zone" detailing exactly what your problem is and what you have done, I will then try and help you and advise you what to do.

Matt


----------



## Brian.Morin (Feb 9, 2010)

Matt197 said:


> Hi Brian,
> 
> I should have stated that these directions were posed just for Nozza and should not be followed by anyone else.
> 
> ...


Ok, thanks Matt. I will do just that. ;-)))

bri


----------



## Brian.Morin (Feb 9, 2010)

Thanks Danny. I have been thinking about this for such a long time... It makes me a bit nervous, as I have everything I on the MS system. It is quite a leap. Maybe some day... You are perfectly correct though. - bri <3


----------



## ant_s (Jan 29, 2009)

I've got the exact same thing as you mate, ive got a RUNDLL "thingy" popping up that says the same - C:\WINDOWS\uyasizeb.dll.

It's doing my head in, everytime I turn my laptop on it's there! Grrrrrrr 

But even reading through what you've said Matt197, i'm still confuzeled lol.


----------



## Superspec (Feb 25, 2011)

Norton 360 or Norton Internet Security 2011 are the best security packages on the market and use very little system resource. The way they update and find viruses is unique and very powerful.

Norton IS is pretty much always on an offer or some description. I wouldn't use anything else. (Have Norton IS)


----------

