Author Topic: totours.exe...ticking me off (Read 662 times)

mikey6969 · « **on:** May 10, 2007, 02:56:03 PM »

totours.exe..
msccrt.dll..

it keeps reapperaing after i remove it with AVG..heres HJT log

any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:51:49 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\Antivirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lib.verycd.com/tv/integration/archive/00005.html
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.travian.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

guestolo · « **Reply #1 on:** May 10, 2007, 11:00:13 PM »

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Also include a fresh hijackthis log

mikey6969 · « **Reply #2 on:** May 12, 2007, 03:50:40 PM »

[quote name=\'guestolo\' post=\'324343\' date=\'May 10 2007, 10:00 PM\']Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Also include a fresh hijackthis log[/quote]

Here's what was in DrWeb:

dbmmgr32.dll;c:\windows\media;Trojan.Spambot;Will be cured after reboot.;
SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;Incurable.Moved.;
A0025238.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP264;Adware.Zango;Incurable.Moved.;
A0025373.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Zango;Incurable.Moved.;
A0025375.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Hotbar;Incurable.Moved.;
A0025376.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Hotbar;Incurable.Moved.;
A0025567.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025569.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Hotbar;Incurable.Moved.;
A0025570.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Hotbar;Incurable.Moved.;
A0025572.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025577.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025814.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP276;Adware.Zango;Incurable.Moved.;
A0026261.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP283;Adware.Zango;Incurable.Moved.;
A0027082.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP298;Adware.Zango;Incurable.Moved.;
A0027085.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP298;Adware.Zango;Incurable.Moved.;
A0027185.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP299;Trojan.PWS.Wsgame;Deleted.;
A0028498.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP304;Adware.Zango;Incurable.Moved.;
A0028622.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP305;Adware.Zango;Incurable.Moved.;
A0030084.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Hotbar;Incurable.Moved.;
A0030086.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Hotbar;Incurable.Moved.;
A0030090.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Starware;Incurable.Moved.;
A0030093.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
A0030094.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
A0030096.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
dbmmgr32.dll;C:\WINDOWS\Media;Trojan.Spambot;Will be cured after reboot.;

And this is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:29 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\Antivirus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lib.verycd.com/tv/integration/archive/00005.html
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.travian.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

guestolo · « **Reply #3 on:** May 12, 2007, 07:14:34 PM »

I'm just on my way out, in the meantime
can you run a couple quick scans for me and post the logs

Download [color=\"red\"]SDFix[/color] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account

SDFix
Go to START>>My Computer>>Double click to open the C:\ folder

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

I'll need to see that log later

Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please along with the log from SDFix

mikey6969 · « **Reply #4 on:** May 13, 2007, 06:18:19 PM »

SDFix.exe log:

SDFix: Version 1.83

Run by Administrator - 2007-05-13 - 18:39:29.76

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdpD9.tmp - Deleted

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\onew1ng3dEmail Removed\Sharing Folders\morrispeterson_17Email Removed\The.Number.23.[TS-Screener].[www.BitBox.us]\Thumbs.db

Finished

combofix log:

"Administrator" - 2007-05-13 18:47:09 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\death.sishen

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\nm

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))

2007-05-12 15:57   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-05-11 20:22   <DIR>   d--------   C:\My Music
2007-05-11 20:21   <DIR>   d--------   C:\Program Files\MP3 Convert Lord
2007-05-10 22:25   <DIR>   d--------   C:\Program Files\ParadisePoker
2007-05-06 07:27   <DIR>   d--hs----   C:\WINDOWS\ftpcache
2007-05-05 10:55   <DIR>   d--h-----   C:\WINDOWS\PIF
2007-05-04 21:08   679,936   --a------   C:\WINDOWS\system32\D3DX81ab.dll
2007-05-04 21:08   1,970,176   --a------   C:\WINDOWS\system32\d3dx9.dll
2007-05-04 21:08   <DIR>   d--------   C:\Program Files\Cheat Engine
2007-04-23 16:31   <DIR>   d--------   C:\Program Files\Seekmo
2007-04-21 13:21   552   --a------   C:\WINDOWS\system32\d3d8caps.dat
2007-04-16 22:21   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2007-04-16 08:00   12,245,711   ---------   C:\AVG7QT.DAT
2007-04-15 20:12   162,132   --a------   C:\LSPRegBackup_15042007_201213.REG
2007-04-15 19:59   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\Prevx
2007-04-15 19:58   77,312   --a------   C:\WINDOWS\ua2.dll
2007-04-15 19:58   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-13 18:48   <DIR>   d--------   C:\Program Files\Yahoo! Games
2007-04-13 18:48   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-04-13 18:48   <DIR>   d--------   C:\DOCUME~1\ADMINI~1\APPLIC~1\funkitron

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-13 22:49:55   --------   d-----w   C:\Program Files\eMule
2007-05-13 22:49:37   --------   d-----w   C:\Program Files\Steam
2007-05-12 20:38:35   --------   d-----w   C:\Program Files\DAEMON Tools
2007-05-11 15:17:50   --------   d-----w   C:\Program Files\Tiger Gaming
2007-05-10 20:34:06   --------   d-----w   C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-04-30 19:34:03   --------   d-----w   C:\Program Files\Conquer 2.0
2007-04-29 19:10:30   --------   d-----w   C:\Program Files\Warcraft III
2007-04-20 00:04:45   79,891   ----a-w   C:\WINDOWS\War3Unin.dat
2007-04-18 11:19:52   --------   d-----w   C:\Program Files\BitComet
2007-04-18 11:19:31   2,560   ----a-w   C:\WINDOWS\system32\BitCometRes.dll
2007-04-17 11:35:22   --------   d-----w   C:\Program Files\NJStar CJK Viewer
2007-04-17 11:35:20   --------   d-----w   C:\Program Files\MSN Messenger
2007-04-17 11:34:57   --------   d-----w   C:\Program Files\Messenger Plus! Live
2007-04-05 01:54:53   --------   d-----w   C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
2007-04-05 01:54:16   --------   d-----w   C:\Program Files\CoreCodec
2007-04-05 01:51:47   36,734   ----a-w   C:\WINDOWS\system32\OggDSuninst.exe
2007-03-27 00:41:16   --------   d-----w   C:\Program Files\Flash Movie Player
2007-03-25 04:38:55   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-03-25 04:38:55   --------   d-----w   C:\Program Files\Full Tilt Poker
2007-03-25 04:30:09   --------   d-----w   C:\Program Files\Incomplete
2007-03-25 04:27:21   --------   d-----w   C:\Program Files\LimeWire
2007-03-25 03:57:04   --------   d-----w   C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-03-05 22:06:23   --------   d-----w   C:\Program Files\PokerStars

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll [2007-03-29 10:31]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2006-12-11 18:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe])
"SoundMan"="SOUNDMAN.EXE" [])
"AlcWzrd"="ALCWZRD.EXE" [])
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-27 19:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 10:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 16:09]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-24 09:10]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 19:34]
"Steam"="c:\program files\steam\steam.exe" [2007-01-08 19:25]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2006-09-14 10:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"eMuleAutoStart"="C:\\Program Files\\eMule\\emule.exe -AutoStart"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoSMConfigurePrograms"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoSharedDocuments"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages   msv1_0
Security Packages   kerberosmsv1_0schannelwdigest
Notification Packages   scecli

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter   HTTPFilter
LocalService   AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV
NetworkService   DnsCache
DcomLaunch   DcomLaunchTermService
rpcss   RpcSs
imgsvc   StiSvc
termsvcs   TermService
Usnsvc   usnsvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{732da908-4d50-11db-a548-00112f2f07c9}]
Shell\AutoRun\command   M:\LaunchU3.exe

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070512-155154-898
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
backup-20070512-155154-753
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20070512-155154-533
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20070512-155154-928
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
backup-20070510-155113-807
O4 - HKLM\..\RunOnce: [SeekmoToolbar] cmd /c "rmdir "C:\Program Files\SeekmoToolbar" /s /q"
backup-20070510-155027-371
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070510-155015-765
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
backup-20070510-155015-910
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
backup-20070510-152700-110
O3 - Toolbar: Seekmo Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll
backup-20070510-152700-965
O3 - Toolbar: Starware Recipe Toolbar - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware337\bin\Starware337.dll

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 18:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-13 18:51:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 18:51

And after that, prevx found a malware called swsc.exe

guestolo · « **Reply #5 on:** May 14, 2007, 09:50:02 PM »

Sorry for the delay
Can you let me know how things are running
Do you have restrictions on your account to not allow change from Windows XP theme to Classic theme
OR
Not to be able to share files on network

Quote

And after that, prevx found a malware called swsc.exe

Not to worry, it's a false positive, it's just from a tool that we used

mikey6969 · « **Reply #6 on:** May 17, 2007, 03:32:16 PM »

[quote name=\'guestolo\' post=\'326062\' date=\'May 14 2007, 08:50 PM\']Sorry for the delay
Can you let me know how things are running
Do you have restrictions on your account to not allow change from Windows XP theme to Classic theme
OR
Not to be able to share files on network
Not to worry, it's a false positive, it's just from a tool that we used[/quote]

Nope! Everything seems A'ok guestolo! Hopefully I can gain the knowledge to do this on my own sooner or later !

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' /> Thanks!

guestolo · « **Reply #7 on:** May 22, 2007, 07:26:26 PM »

I'll lock this topic as all is OK, take care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: totours.exe...ticking me off (Read 662 times)

mikey6969

totours.exe...ticking me off

guestolo

totours.exe...ticking me off

mikey6969

totours.exe...ticking me off

guestolo

totours.exe...ticking me off

mikey6969

totours.exe...ticking me off

guestolo

totours.exe...ticking me off

mikey6969

totours.exe...ticking me off

guestolo

totours.exe...ticking me off