Solve : Is this a virus or a trojan or something??

1.	Solve : Is this a virus or a trojan or something??
Answer» Hi.... I see "rundll32.exe C:\WINDOWS\system32\drvriw.dll,startup" ---> it's something like this sometimes it;'s drvriw.dll, or drvrph or something else similar and there is also something to do with MSDisp32 on my computer. I deleted the referencing startup entry from system startup using CCleaner and problem seems to go away. Another time I started computer, similar problem appear. Problem doesn't occur every boot but it happens now and then so I wonder what's going on I wonder how to fix this problem? I used malwarebyte's antimalware and AVG 8.0 free on my computer and have deleted all problematic things both have discovered. ---------------------------------------- Windows Vista w/ SP1 AVG8.0 free installed, updated. Malwarebyte's AntiMalware free version updated. Windows Firewall enabled --> I would be using Commodo firewall but I didn't like all the popups that tell me to approve/block some new software or process. Thanks! Download and rename TrendMicro HijackThis.exe (HJT) Double-click on HJTInstall. Click on the Install button. It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Upon install, HijackThis should open for you. Close HijackThis and rename it. Go to C:\Program Files\Trend Micro\HijackThis.exe Right click on HijackThis.exe and select Rename. Type in sniper.exe and press Enter. Right-click on sniper.exe and select Send To > Desktop (create shortcut) From the desktop open Hijackthis. If using Windows Vista, Right-click and Run As Administrator. Click on the Do a system scan and save a log file button Hijackthis will scan and then a log will open in notepad. Copy and then paste the entire contents of the log in your post. Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required. Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT. Hi evilfantasy .... I posted HJT log so please check it. I hope my computer is all clean now so that I may go about doing what I was doing Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:00:22 PM, on 6/25/2008 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\WINDOWS\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Ad Muncher\AdMunch.exe C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\Windows\System32\rundll32.exe C:\Program Files\AVG\AVG8\avgtray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Windows\SOUNDMAN.EXE C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe C:\Windows\System32\rundll32.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Microsoft Office\Office\WINWORD.EXE C:\Windows\MSAgent\agentsvr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\proxy.pac R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: Groove GFS BROWSER Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe" O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe windig32.rom,FFdRun O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (file missing) O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (file missing) O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL (file missing) O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe O13 - Gopher Prefix: O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: avgrsstx.dll O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing) O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe -- End of file - 9736 bytes ------- [recovering disk space -- attachment deleted by admin]Open Hijackthis and select Do a system scan only. Place a check mark next to the following entries: (if there) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe windig32.rom,FFdRun [/b] Important: Close all windows except for Hijackthis and then click Fix checked. Exit Hijackthis. ---------- Download, install and run CCleaner # Double click the CCleaner shortcut on the desktop to start the program. # On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit). # If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla. # Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours." # Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program. # After CCleaner has completed its process exit CCleaner. ---------- Download Malwarebytes' Anti-Malware from here or here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. ---------- Next post add MBAM log A NEW Hijackthis log1. I booted my computer a few minutes ago and I see some drvbock.dll detected by AVG and AVG says it's a possible unwanted program or something like that and I pressed move to vault. 2. ok. I have done the Hijackthis system scan. Both entries you mentioned existed, so I fixed all as you recommended. 3. I have done the CCleaner cleanup. 4. I have not yet done the Malwarebyte check.... will do that later. I'm moving this to the Computer viruses and spyware forum. drvbock.dll is an unknown virus which is why AVG isn't fixing it. If MBAM doesn't get it we will go to more powerful tools. Don't worry, we'll get it!!! I scanned with spybot S&D program and I see MSDSip registry entries detected under VIRTUMONDE error. I will double check TOMORROW with the MBAM program and also with Spybot. Spybot said some of the virtumonde errors can't be fixed as they are detected to be in use in the memory and now I have to restart and have Spybot scan and clean before computer loads otherwise it might fail again. Also, like I said, drvbock.dll came up this time. drvriw.dll came up last time and if this problem still goes on, it might report a different dll is problematic. I think AVG isn't fixing the dll problems. But it knows it's problematic which is why i think the dll can't run error comes up-- AVG blocks it. Without following through on my instructions we will end up making this a very long process when it doesn't need to be. You'll notice that with every step I request it produces a log to be posted. Without "seeing" whats going on it's all just debate and guess work. I have to find the location of the infected file(s) to be able to know how to get rid of them.Hi evilfantasy, sorry I did not follow your directions. After all, you're the PC doctor and now, hopefully, we can get my computer healthy and back to sanity again, Anyway, here are a few things for you: 1. a MBAM Log (MBAM found 2 trojans) 3. new HJT log. 3. a AVG threat popup that appeared when MBAM scan completed. (I provided screenshot for you to look at and I clicked on 'move to vault' already) All three are attached with this message.... so check the attachments included [recovering disk space -- attachment deleted by admin]OK, we need to do another more thorough scan. This one won't take long. Download Combofix by sUBs from one of the below links. Link #1 Link #2 Important! Combofix.exe MUST be saved to and ran from the Desktop. Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix. Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. If yours is not listed and you don't know how to disable it, please ask. Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run. Double click combofix.exe & follow the prompts. Choose Yes to accept the Disclaimers. When finished, it will produce a log for you. Post that log in your next reply. Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer. Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet. If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix. ---------- Next post add Combofix logcombofix wouldn't run on my computer. But anyway, I have reinstalled windows and all is okay now. Thanks for all the help earlier.Thanks for the update. I was curious why combofix would not run. I had double clicked it like any normal proram and the loading bar appeared and it stopped there, nothing going on but I could use my computer as noirmal. Anyhow, yeah no problem. thanks again evilfantasy for your help and I am happy that my computer is all good again

Answer»

Hi....

I see "rundll32.exe C:\WINDOWS\system32\drvriw.dll,startup" ---> it's something like this sometimes it;'s drvriw.dll, or drvrph or something else similar and there is also something to do with MSDisp32 on my computer.

I deleted the referencing startup entry from system startup using CCleaner and problem seems to go away. Another time I started computer, similar problem appear. Problem doesn't occur every boot but it happens now and then so I wonder what's going on

I wonder how to fix this problem? I used malwarebyte's antimalware and AVG 8.0 free on my computer and have deleted all problematic things both have discovered.

----------------------------------------

Windows Vista w/ SP1
AVG8.0 free installed, updated.
Malwarebyte's AntiMalware free version updated.
Windows Firewall enabled --> I would be using Commodo firewall but I didn't like all the popups that tell me to approve/block some new software or process.

Thanks!

Download and rename TrendMicro HijackThis.exe (HJT)

Double-click on HJTInstall.
Click on the Install button.
It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
Upon install, HijackThis should open for you.

Close HijackThis and rename it.
Go to C:\Program Files\Trend Micro\HijackThis.exe
Right click on HijackThis.exe and select Rename.
Type in sniper.exe and press Enter.
Right-click on sniper.exe and select Send To > Desktop (create shortcut)

From the desktop open Hijackthis.
If using Windows Vista, Right-click and Run As Administrator.
Click on the Do a system scan and save a log file button
Hijackthis will scan and then a log will open in notepad.
Copy and then paste the entire contents of the log in your post.
Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.
Hi evilfantasy ....

I posted HJT log so please check it. I hope my computer is all clean now so that I may go about doing what I was doing

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:22 PM, on 6/25/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Windows\MSAgent\agentsvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS BROWSER Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe windig32.rom,FFdRun
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (file missing)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O13 - Gopher Prefix:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe

--
End of file - 9736 bytes

-------

[recovering disk space -- attachment deleted by admin]Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKCU\..\Run: [MSSMSGS] rundll32.exe windig32.rom,FFdRun

[/b]
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download, install and run CCleaner

# Double click the CCleaner shortcut on the desktop to start the program.
# On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
# If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
# Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
# Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
# After CCleaner has completed its process exit CCleaner.

----------

Download Malwarebytes' Anti-Malware from here or here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

----------

Next post add
MBAM log
A NEW Hijackthis log1. I booted my computer a few minutes ago and I see some drvbock.dll detected by AVG and AVG says it's a possible unwanted program or something like that and I pressed move to vault.

2. ok. I have done the Hijackthis system scan. Both entries you mentioned existed, so I fixed all as you recommended.

3. I have done the CCleaner cleanup.

4. I have not yet done the Malwarebyte check.... will do that later.

I'm moving this to the Computer viruses and spyware forum.

drvbock.dll is an unknown virus which is why AVG isn't fixing it. If MBAM doesn't get it we will go to more powerful tools.

Don't worry, we'll get it!!! I scanned with spybot S&D program and I see MSDSip registry entries detected under VIRTUMONDE error.

I will double check TOMORROW with the MBAM program and also with Spybot. Spybot said some of the virtumonde errors can't be fixed as they are detected to be in use in the memory and now I have to restart and have Spybot scan and clean before computer loads otherwise it might fail again.

Also, like I said, drvbock.dll came up this time. drvriw.dll came up last time and if this problem still goes on, it might report a different dll is problematic.

I think AVG isn't fixing the dll problems. But it knows it's problematic which is why i think the dll can't run error comes up-- AVG blocks it. Without following through on my instructions we will end up making this a very long process when it doesn't need to be.

You'll notice that with every step I request it produces a log to be posted. Without "seeing" whats going on it's all just debate and guess work. I have to find the location of the infected file(s) to be able to know how to get rid of them.Hi evilfantasy, sorry I did not follow your directions. After all, you're the PC doctor and now, hopefully, we can get my computer healthy and back to sanity again,

Anyway, here are a few things for you:

1. a MBAM Log (MBAM found 2 trojans)
3. new HJT log.
3. a AVG threat popup that appeared when MBAM scan completed. (I provided screenshot for you to look at and I clicked on 'move to vault' already)

All three are attached with this message.... so check the attachments included

[recovering disk space -- attachment deleted by admin]OK, we need to do another more thorough scan. This one won't take long.

Download Combofix by sUBs from one of the below links.

Important! Combofix.exe MUST be saved to and ran from the Desktop.

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
- Click this link to see a list of security programs that should be disabled and how to disable them.
- If yours is not listed and you don't know how to disable it, please ask.
Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
Double click combofix.exe & follow the prompts.

Choose Yes to accept the Disclaimers.

When finished, it will produce a log for you.
Post that log in your next reply.

Warning: Do not mouseclick Combofix's window while it is running. That may cause it to stall

If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix.

----------

Next post add
Combofix logcombofix wouldn't run on my computer.

But anyway, I have reinstalled windows and all is okay now. Thanks for all the help earlier.Thanks for the update.
I was curious why combofix would not run. I had double clicked it like any normal proram and the loading bar appeared and it stopped there, nothing going on but I could use my computer as noirmal.

Anyhow, yeah no problem. thanks again evilfantasy for your help and I am happy that my computer is all good again

Solve : Is this a virus or a trojan or something??

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment