# Please help to remove //rond.starsdoor.com which has infected my computer



## tay10 (Jun 14, 2007)

Somehow the pop-up Http://rond.starsdoor.com/ac.php?bannerid= etc. has gotten on my computer, i have blocked it from popping up, but since then my anti-virus software has been reporting about infected files, especially ones with 'Win32' at the begging of it.

I don't have a clue how to delete it, i've run lots of recommended softwares, but nothing seems to work

I have included a Logfile of HijackThis and one from ComboFix (ComboFix is at the bottom, after the HijackThis log)

Please could someone help me to get rid of this.

Thank you


Logfile of HijackThis v1.99.1
Scan saved at 20:17:53, on 14/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=0070112
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [gtuncnqj.exe] C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168981977168
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169669871404
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe





ComboFix 07-06-13.3 
"James Taylor" - 2007-06-14 19:48:17 - Service Pack 2  NTFS  


((((((((((((((((((((((((((((((((((((((((((((   V Log   )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winuns32.dll 


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JAMEST~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\PUWUH9WH\www.broadcaster.com
C:\DOCUME~1\JAMEST~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\JAMEST~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\install.log
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\winsys64.exe
C:\WINDOWS\wr.txt


(((((((((((((((((((((((((   Files Created from 2007-05-14 to 2007-06-14  )))))))))))))))))))))))))))))))


2007-06-14 19:46	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-06-14 19:20	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2007-06-14 18:27	76,560	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-14 16:59	<DIR>	d--------	C:\DOCUME~1\JAMEST~1\.housecall6.6
2007-06-14 07:28	57,344	--a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\gtuncnqj.exe
2007-06-13 21:22	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-13 21:18	<DIR>	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2007-06-10 15:07	640	--a------	C:\WINDOWS\eReg.dat
2007-06-10 14:59	<DIR>	d--------	C:\Program Files\EA Games
2007-06-08 09:01	<DIR>	d--------	C:\Program Files\THQ
2007-06-04 15:18	9,344	--a------	C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17	8,320	--a------	C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14	6,272	--a------	C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 09:45	<DIR>	d--------	C:\Program Files\WinZix
2007-06-01 20:44	<DIR>	d--------	C:\Program Files\Windows Live Safety Center
2007-05-21 15:26	<DIR>	d--------	C:\Program Files\Common Files\L&H
2007-05-15 15:47	<DIR>	d--------	C:\Program Files\Buena Vista Interactive
2007-05-14 18:01	<DIR>	d--------	C:\DOCUME~1\JAMEST~1\APPLIC~1\Activision
2007-05-14 17:49	<DIR>	d--------	C:\Program Files\Activision
2007-05-14 16:43	68,888	--a------	C:\WINDOWS\system32\xinput1_3.dll
2007-05-14 16:43	3,426,072	--a------	C:\WINDOWS\system32\d3dx9_32.dll
2007-05-14 16:43	255,848	--a------	C:\WINDOWS\system32\xactengine2_6.dll
2007-05-14 16:43	251,672	--a------	C:\WINDOWS\system32\xactengine2_5.dll
2007-05-14 16:43	237,848	--a------	C:\WINDOWS\system32\xactengine2_4.dll
2007-05-14 16:43	2,414,360	--a------	C:\WINDOWS\system32\d3dx9_31.dll
2007-05-14 16:43	15,128	--a------	C:\WINDOWS\system32\x3daudio1_1.dll


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-13 20:22:10	--------	d-----w	C:\Program Files\Lavasoft
2007-06-13 18:23:03	--------	d-----w	C:\DOCUME~1\JAMEST~1\APPLIC~1\uTorrent
2007-06-11 18:18:25	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-06-08 10:13:08	--------	d-----w	C:\Program Files\CyberLink
2007-06-06 08:37:38	98,304	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2007-06-03 10:06:48	--------	d-----w	C:\Program Files\LucasArts
2007-06-03 09:51:43	--------	d-----w	C:\Program Files\RGB
2007-05-29 20:57:10	--------	d-----w	C:\DOCUME~1\JAMEST~1\APPLIC~1\Apple Computer
2007-05-16 15:12:02	683,520	----a-w	C:\WINDOWS\system32\inetcomm.dll
2007-05-10 20:45:17	--------	d-----w	C:\Program Files\CDisplay
2007-05-09 13:44:26	--------	d-----w	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 13:06:30	630,464	----a-w	C:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-02 13:06:30	108,656	----a-w	C:\WINDOWS\system32\drivers\VetEBoot.sys
2007-04-25 14:21:15	144,896	----a-w	C:\WINDOWS\system32\schannel.dll
2007-04-23 18:31:42	--------	d-----w	C:\Program Files\Google
2007-04-18 16:12:23	2,854,400	----a-w	C:\WINDOWS\system32\msi.dll
2007-04-14 16:05:09	--------	d-----w	C:\Program Files\VideoLAN
2007-04-13 14:19:52	7,680	----a-w	C:\WINDOWS\system32\lsdelete.exe
2007-03-17 13:43:01	292,864	----a-w	C:\WINDOWS\system32\winsrv.dll
2007-02-01 17:16:58	56	--sh--r	C:\WINDOWS\system32\4A72E362D7.sys
2007-02-03 11:49:34	168	--sh--r	C:\WINDOWS\system32\D762E3724A.sys
2007-02-03 11:51:06	7,518	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 06:20]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 04:00 C:\WINDOWS\stsystra.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49]
"CaAvTray"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" [2007-02-05 17:30]
"CAVRID"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" [2007-02-05 17:30]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"gtuncnqj.exe"="C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe" [2007-06-14 07:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"FolderShare"="C:\Program Files\FolderShare\FolderShare.exe" [2005-10-30 23:12]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=C:\WINDOWS\svchost.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 19:52:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-14 19:54:36 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-14 19:54

	--- E O F ---


----------



## evo3 (Jun 14, 2007)

some virus cnt be deleted just like that they need to be clean and remove with software. Try using spyterminator and see does this work. the last time i also hv the same problem like you but lucky can be remove


----------



## John McKenna (Jun 14, 2007)

Open notepad (Start > Run and type notepad) and copy/paste the text in the code box below to it:


```
File::
C:\Documents and Settings\All Users\Application Data\gtuncnqj.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gtuncnqj.exe"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"=-
```


Save this as ComboFix-Do.txt






Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe

Run ComboFix again and post the resultant log file please with a fresh HJT log please.


----------



## tay10 (Jun 16, 2007)

thanks for your help but one of my friends has helped me to fix it, sorry for wasting your time


----------



## John McKenna (Jun 16, 2007)

No worries, glad you got it sorted.


----------

