Disappear, re-appear, Rundll32.dll, ieuser.exe, Virus, Bizarre... HELP!!

[haroonie]

Hello all,

I really need help with this one. My computer is seemingly infected
with a virus. I double clicked on an executable file, and the
executable seemingly disappeared. My problem now is that I think I am
infected with an unknown virus / spyware. My mouse cursor will stay
as an arrow for a couple seconds, then switch to the arrow + thinking
sign, then back to the arrow.

By looking at the task manager I've noticed that everytime the cursor
does this, rundll32.exe and sometimes ieuser.exe will simultaneously
show up, then disappear intune with the changing of the cursor.

It does this nonstop and i'm worried, never did this before. I am
working on a project and cannot go through the task of reformatting
and reinstalling, i have to keep working. My computer is no slower,
and seems normal exept for this.

I've run spybot, spyware doctor, ad aware, symantec corporate
antivirus; all with current updated definitions... to no avail.
Running them the first time i'd remove the problems. after rebooting i
run again and then system is clean. usually i will get a report and
follow accordingly to remove it by googling. This problem wont show
up in the searches or in google searches.

I really need assistance and any help would be greatly appreciated.
Below is my hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 4:42:58 AM, on 3/15/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\haroonie\AppData\Local\Temp\GD-Mon-2364-Dis-4352-Cr-5548.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\haroonie\Desktop\hijackthis_sfx\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-
B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX
\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:
\Program Files\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-
DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator
\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:
\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files
\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-
A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-
AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-
C89982D87CBF} - C:\Program Files\Google\Web Accelerator
\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender
\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%
\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD
\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk
\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google
\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files
\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program
Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools
\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia
\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE
\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier
\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player
\WMPNSCFG.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor
\swdoctor.exe" /Q
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google
\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files
\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan
\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-
AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-
A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 -
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile
\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
- C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile
\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:
\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:
\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:
\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:
\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:
\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945}
- C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files
\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:
\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:
\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
(file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner -
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h
ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -
Symantec Corporation - C:\Program Files\Symantec AntiVirus
\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) -
Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google
\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec
\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown
owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files
\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research
Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) -
Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101
(WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player
\wmpnetwk.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:
\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

 

[Guest]

Hello all,

I really need help with this one. My computer is seemingly infected
with a virus. I double clicked on an executable file, and the
executable seemingly disappeared. My problem now is that I think I am
infected with an unknown virus / spyware. My mouse cursor will stay
as an arrow for a couple seconds, then switch to the arrow + thinking
sign, then back to the arrow.

By looking at the task manager I've noticed that everytime the cursor
does this, rundll32.exe and sometimes ieuser.exe will simultaneously
show up, then disappear intune with the changing of the cursor.

It does this nonstop and i'm worried, never did this before. I am
working on a project and cannot go through the task of reformatting
and reinstalling, i have to keep working. My computer is no slower,
and seems normal exept for this.

I've run spybot, spyware doctor, ad aware, symantec corporate
antivirus; all with current updated definitions... to no avail.
Running them the first time i'd remove the problems. after rebooting i
run again and then system is clean. usually i will get a report and
follow accordingly to remove it by googling. This problem wont show
up in the searches or in google searches.

I really need assistance and any help would be greatly appreciated.
Below is my hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 4:42:58 AM, on 3/15/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\haroonie\AppData\Local\Temp\GD-Mon-2364-Dis-4352-Cr-5548.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\haroonie\Desktop\hijackthis_sfx\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
=
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-
B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX
\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:
\Program Files\Spybot\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-
DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator
\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:
\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files
\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-
A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-
AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-
C89982D87CBF} - C:\Program Files\Google\Web Accelerator
\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender
\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%
\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD
\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk
\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google
\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files
\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program
Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools
\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia
\RemCtrl\ATIRW.EXE
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE
\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier
\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player
\WMPNSCFG.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor
\swdoctor.exe" /Q
O4 - Startup: CCC.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google
\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files
\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: SpeedFan.lnk = C:\Program Files\SpeedFan
\speedfan.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-
AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote -
{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:
\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-
A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 -
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile
\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
- C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile
\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:
\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:
\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:
\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:
\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:
\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945}
- C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files
\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:
\Windows\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:
\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
(file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner -
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h
ccCommon (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -
Symantec Corporation - C:\Program Files\Symantec AntiVirus
\DefWatch.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) -
Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google
\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec
\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown
owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files
\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research
Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) -
Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program
Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101
(WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player
\wmpnetwk.exe (file missing)
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:
\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

You have a lot of suspicious Files/folders and running processes on your
VISTA operating system?.
I really can't recommend an Anti-Virus and guarantee it will be compatible
with Vista, so you need to Send your HijackThis to one of many forums for
analysis, no body here will give you an answer to your log file even they
know, because it is MS NG not HijackThis F orum.
Download the Hijackthis and send the report to one of many
forums for analysis and troubleshooting:
When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.
HTH.
It will be nice to let us know your findings.
Good luck.
nass
===
www.nasstec.co.uk

 

[Newbie Coder]

Nass. You are incorrect because I help users with HijackThis reports 7 days
a week & spyware, adware, malware & virus problems too.

Haroonie,

There are some users here that don't like people cluttering up these
newsgroups with log files & I have said in the past that if the users uses
Outlook Express to view these newsgroups then they can add the log to their
post & I will look through it when I get the chance

Please remember that HijackThis is a fantastic application but it misses
some vital places in its search & to give a proper reading you should never
run HijackThis from the Desktop or a folder located on the Desktop like you
have done

I see you are using Symantec Antivirus. Is it Corporate version? If so, when
you click Custom or full search you can click the OPTIONS button to tick the
MEMORY... threats before you scan computer. It helps stop many items.

Haven't seen that you have any firewall enabled or installed.

You have so, so, so many BHO's. Delete all except that Spybot
({53707962-6F74-2D53-2644-206D7942484F}) one

Delete Spy Doctor. Known in the past to give false positives

Also, get rid of rubbish like Google Desktop/notifier and the other Google
stuff for sure.

In Spybot, TOOLS | Advanced mode & click on the left the BHO's to delete
them (as I mentioned above). On the Browser Pages, double click the entries
that say 'http://go.microsoft.com/fwlink/?LinkId=69157' & change them back
to something else for now

In your TEMP folder (C:\Users\haroonie\AppData\Local\Temp), delete all items
because there is a suspicious executable in there

Why are you running Spybot, Spy Doctor & Windows Defender? Yes, the latter
is built into Vista.

If I counted correctly you have 4 missing services

You can safely remove Quicktime from startup (Oon HijackThis), Spyware
Doctor, plus all the Google rubbish too. Then you can safely delete O8 & all
O9's

Please clean the things I have mentioned above then create a report (Spybot
& HijackThis) & add them (as an attachment) to your reply

Another thing I have notices is that you have many svchost's, but I cannot
say that they are suspicious without studying them

Good luck,

 

[haroonie]

Thank you for your help and tips..

Here are my published logs from hijackthis and spybot. I am using
google groups and i dont think there is an option to attach a file.

http://docs.google.com/Doc?id=dch2x5kc_8hhcx7c
http://docs.google.com/Doc?id=dch2x5kc_7c5jx3k

Haven't seen that you have any firewall enabled or installed.

I am using Vista's firewall, I have not found a firewall program for
Vista I am content with using... (waiting for vista version of ZA or
Kerio).

You have so, so, so many BHO's. Delete all except that Spybot
({53707962-6F74-2D53-2644-206D7942484F}) one
Done

Delete Spy Doctor. Known in the past to give false positives
Done

Also, get rid of rubbish like Google Desktop/notifier and the other Google
stuff for sure.
Done

In Spybot, TOOLS | Advanced mode & click on the left the BHO's to delete
them (as I mentioned above). On the Browser Pages, double click the entries
that say 'http://go.microsoft.com/fwlink/?LinkId=69157'& change them back
to something else for now
Done

In your TEMP folder (C:\Users\haroonie\AppData\Local\Temp), delete all items
because there is a suspicious executable in there

Done (might have fixed it)

Why are you running Spybot, Spy Doctor & Windows Defender? Yes, the latter
is built into Vista.

I am not running defender it was disabled. I ran one after another, a
tip from someone else... spy doctor detected some spyware and got rid
of it when spybot and ad aware couldn't.

If I counted correctly you have 4 missing services
?which.

You can safely remove Quicktime from startup (Oon HijackThis), Spyware
Doctor, plus all the Google rubbish too. Then you can safely delete O8 & all
O9's
DOne.

Please clean the things I have mentioned above then create a report (Spybot
& HijackThis) & add them (as an attachment) to your reply

Another thing I have notices is that you have many svchost's, but I cannot
say that they are suspicious without studying them

Thanks for your help, it's greatly appreciated. The problem has
seemingly dissappeared after restart... Do you see anything else I can
do to clean my system further or and other tips?

Thanks.

 

[Newbie Coder]

Haroonie,

Sorry for taking some time to look through your logs

The Hijack log is almost 100% perfect now & wouldn't bother with any other
changes to it

The other log isn't that bad either except I see two dodgy applications on
there:

1) Torrent
2) Trillian
-----------------------
Limewire is better but never download anything that is 197 Kb or 857 kb
because all are file sharing viruses. Did you buy this pro version? )

One of these is probably going to be your downfall.

Nice to see you have C++ installed too

Another thing I have noticed is you have RealVNC. If you have the server
installed make sure that you have a secure password or disable the service
when its unneeded.

Not sure about this Collectorz.com stuff. Did you have to install a
downloaded program files app when installing? For some reason this
application has adware written all over it, but that is just my opinion

Any more problems post back & I will be glad to help you further,