[Resolved] HT log & Win Patrol warnings

Home Forums Contact

Welcome! Register for a free account (or login) > How does it work?

Quickly register. It will only take 60 seconds.
Start a new topic. Ask your question. Wait for an email reply.
Is your system infected? Begin reading the malware removal guide.

register button

What the Tech > Spyware / Malware / Virus Removal > Infections Removal

Closed Topic

Start new topic

[Resolved] HT log & Win Patrol warnings, .dll installation warnings

progrocktv View Member Profile	Jan 5 2009, 06:11 PM Post #1
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Hi all, WinPatrol keeps alerting me with the following warnings: A new auto Startup Proram has been detected. This program will un each time yo login or restart your machine. Do you approve of the addition.... rqRkKaBS.dll Naturally I hit NO but then I get a second warning with: wvUoLday.dll I scanned one file wth Norton and it came up as a Trojan Vundo, but the second one didn't me up with anything. Here's my HT log (updated) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:02:01 PM, on 1/8/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\userinit.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\NETGEAR\PS121v2\PS121v2.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\dvd43\dvd43_tray.exe C:\Program Files\Norton Ghost\Agent\VProTray.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\NetMeter\NetMeter.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Macrium\Reflect\ReflectService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\tlntsvr.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Render/My%20Documents/bookmark.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.254.102 R3 - URLSearchHook: (no name) - {35b675b9-7f34-40df-8f49-5fab6b7e4aef} - (no file) O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [WatchWAN] C:\Program Files\WatchWAN\WatchWAN.exe O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206424661890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206458024234 O18 - Filter hijack: text/html - {f40000c6-d051-44ad-8c19-356ff6ec6c24} - C:\WINDOWS\system32\msiebbar.dll O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe -- End of file - 7789 bytes This post has been edited by progrocktv: Jan 9 2009, 12:05 AM

Start new topic

Replies (1 - 14)

Tomk View Member Profile	Jan 9 2009, 07:17 AM Post #2
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	Hi progrocktv, My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following: I will be working on your Malware issues, this may or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for the issues on this machine. Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear. It's often worth reading through these instructions and printing them for ease of reference. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry. Please reply to this thread. Do not start a new topic. Please download ATF Cleaner by Atribune. Download - ATF Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. (If you use FireFox or the Opera browser To keep saved passwords, click No at the prompt.) It's normal after running ATF cleaner that the PC will be slower to boot the first time or two. Then Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it). Also please describe how your computer behaves at the moment.

progrocktv View Member Profile	Jan 9 2009, 09:07 PM Post #3
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Thanks for the help. Followed instructions and rebooted, here is the log: Malwarebytes' Anti-Malware 1.32 Database version: 1616 Windows 5.1.2600 Service Pack 2 1/9/2009 7:55:11 PM mbam-log-2009-01-09 (19-55-11).txt Scan type: Quick Scan Objects scanned: 49885 Time elapsed: 4 minute(s), 7 second(s) Memory Processes Infected: 0 Memory Modules Infected: 4 Registry Keys Infected: 19 Registry Values Infected: 2 Registry Data Items Infected: 7 Folders Infected: 0 Files Infected: 25 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\wgcauups.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\wvUoLday.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\rqRkKaBS.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\TEMP\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15a95949-b656-4cf2-a4a8-b1c00c97ad44} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{15a95949-b656-4cf2-a4a8-b1c00c97ad44} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqrkkabs (Trojan.Vundo) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15a95949-b656-4cf2-a4a8-b1c00c97ad44} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d45d3223 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvuolday -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wvuolday -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\wvUoLday.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\yadLoUvw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\yadLoUvw.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\fqibdoik.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\kiodbiqf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wgcauups.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\spuuacgw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\rqRkKaBS.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\system32\nnnlighH.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\Render\Local Settings\Temp\senekaff87.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekaotqrukdi.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\senekayfuiqrwq.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\drivers\senekaoxvkbpyv.sys (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\TEMP\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot. C:\WINDOWS\TEMP\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Documents and Settings\Render\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

Tomk View Member Profile	Jan 9 2009, 09:22 PM Post #4
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, That should have made a major difference. Lets dig a little deeper. Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Notes: 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall. 2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions. 3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser. 4. Combofix prevents autorun of ALL** CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper. 5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine. Also, please post me a new HijackThis log.

progrocktv View Member Profile	Jan 9 2009, 10:16 PM Post #5
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Yea, running MUCH better Big thanks for helping out! Here's the Combofix Log: ComboFix 09-01-09.02 - Render 2009-01-09 21:05:34.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.394 [GMT -7:00] Running from: c:\documents and settings\Render\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\bexmqtir.dll c:\windows\system32\rlnyxg.dll c:\windows\system32\test.ttt c:\windows\system32\uniq.tll c:\windows\system32\win32hlp.cnf c:\windows\system32\xbbdij.dll c:\windows\system32\ykcptnvn.dll Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\windows\system32\init32.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_seneka ((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 ))))))))))))))))))))))))))))))) . 2009-01-09 19:49 . 2009-01-09 19:49 <DIR> d-------- c:\documents and settings\Render\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-09 19:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-09 19:48 . 2009-01-09 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-09 19:48 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-07 22:12 . 2009-01-07 22:12 73,216 --a------ c:\windows\system32\ffkuz.dll 2009-01-05 23:01 . 2009-01-05 23:01 <DIR> d-------- c:\program files\Lavasoft 2009-01-05 23:00 . 2009-01-05 23:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-01-05 22:41 . 2009-01-05 22:41 24,576 --a------ c:\windows\system32\pcload.exe 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\program files\Moyea 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\documents and settings\Render\Application Data\Moyea 2008-12-20 03:23 . 2008-12-20 03:23 <DIR> d-------- c:\documents and settings\Render\Application Data\Apple Computer 2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\program files\Common Files\Apple 2008-12-20 03:18 . 2008-12-20 03:19 <DIR> d-------- c:\program files\QuickTime 2008-12-20 03:18 . 2008-12-20 03:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\program files\Apple Software Update 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-10 04:09 --------- d-----w c:\documents and settings\Render\Application Data\WTablet 2009-01-10 04:00 --------- d-----w c:\documents and settings\Render\Application Data\uTorrent 2009-01-09 06:48 --------- d-----w c:\documents and settings\Render\Application Data\GetRight Pro 2009-01-06 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2009-01-05 22:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-05 22:14 --------- d-----w c:\program files\SpywareBlaster 2008-12-07 02:19 --------- d-----w c:\program files\Demonoid 2008-12-07 02:19 --------- d-----w c:\program files\Conduit 2008-10-15 03:51 2,560 ----a-w c:\windows\_MSRSTRT.EXE 2008-04-26 16:08 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-04-26 16:08 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-04-26 16:08 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-04-26 16:08 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-04-26 16:08 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] "c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792] "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 316728] "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-03-01 826880] "Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-08-13 2245984] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-22 805392] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm "vidc.uldx"= c:\progra~1\ULEADS~1\ULEADD~1\ULEADD~1\DivX_UL.dll "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "msacm.divxa32"= DivXa32.acm "VIDC.HFYU"= huffyuv.dll "vidc.ffds"= c:\program files\ffdshow\ffdshow.ax [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NETGEAR\\PS121v2\\PS121v2.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\eMule\\emule.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328] R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [2007-10-22 12032] R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [2007-10-22 39424] R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1558000] R4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032] R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120] S3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\drivers\NETGEARUCOMP.sys [2007-10-22 12672] S4 Kbiicter;Kbiicter; [x] . Contents of the 'Scheduled Tasks' folder 2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . - - - - ORPHANS REMOVED - - - - URLSearchHooks-{35b675b9-7f34-40df-8f49-5fab6b7e4aef} - (no file) WebBrowser-{35B675B9-7F34-40DF-8F49-5FAB6B7E4AEF} - (no file) HKCU-Run-WatchWAN - c:\program files\WatchWAN\WatchWAN.exe . ------- Supplementary Scan ------- . uStart Page = file:///C:/Documents%20and%20Settings/Render/My%20Documents/bookmark.htm uInternet Settings,ProxyServer = 192.168.254.102 uInternet Settings,ProxyOverride = <local> IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm FF - ProfilePath - . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-09 21:10:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Environment] "Licence0"="04F0D21-79D8-7A25-D702-433F" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(760) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe c:\program files\Norton Ghost\Agent\VProSvc.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\Tablet.exe c:\windows\system32\tlntsvr.exe c:\windows\system32\WTablet\TabUserW.exe c:\windows\system32\Tablet.exe c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe c:\windows\system32\msdtc.exe . *********************************************************************** . Completion time: 2009-01-09 21:12:37 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-10 04:12:32 ComboFix2.txt 2008-03-29 17:50:11 Pre-Run: 19,969,429,504 bytes free Post-Run: 20,086,878,208 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 189 --- E O F --- 2008-06-11 09:04:32 And here is the HJT log:** Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:15:14 PM, on 1/9/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\dvd43\dvd43_tray.exe C:\Program Files\Norton Ghost\Agent\VProTray.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\NetMeter\NetMeter.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Macrium\Reflect\ReflectService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\tlntsvr.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Render/My%20Documents/bookmark.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.254.102 O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file) O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206424661890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206458024234 O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe -- End of file - 7448 bytes

Tomk View Member Profile	Jan 9 2009, 10:44 PM Post #6
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, uTorrent You have uTorrent, a P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/commun...protection.mspx http://www.techweb.com/wire/160500554 [url=http://www.internetworldstats.com/articles/art053.htm]http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs. If you wish to keep it, please do not use it until your computer is cleaned. Disable your protection programs as we did before. Please open HijackThis and run Do a system scan only Check the boxes next to ONLY the entries listed below(if present): R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/Render/My%20Documents/bookmark.htm O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file) O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime Close all programs except for HijackThis. Click on Fix checked A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis. Next COMBOFIX-Script Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: CODE File:: c:\windows\system32\ffkuz.dll c:\windows\system32\pcload.exe Folder:: Registry:: Driver:: Kbiicter Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Then Please go to Kaspersky website and perform an online antivirus scan. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. In your next reply please provide: ComboFix.txt Kaspersky report New HijackThis log taken after everything else completed

progrocktv View Member Profile	Jan 11 2009, 12:15 PM Post #7
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	I'm still with ya, a few (non computer things) came up, but I'll give a try tonight.

Tomk View Member Profile	Jan 11 2009, 12:27 PM Post #8
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, Thanks for checking in.

progrocktv View Member Profile	Jan 12 2009, 10:26 PM Post #9
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Okay, I'm back. Here we go: ComboFix 09-01-09.02 - Render 2009-01-12 18:13:42.3 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.419 [GMT -7:00] Running from: c:\documents and settings\Render\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Render\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\system32\ffkuz.dll c:\windows\system32\pcload.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\ffkuz.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_Kbiicter ((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 ))))))))))))))))))))))))))))))) . 2009-01-09 19:49 . 2009-01-09 19:49 <DIR> d-------- c:\documents and settings\Render\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-09 19:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-09 19:48 . 2009-01-09 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-09 19:48 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-05 23:01 . 2009-01-05 23:01 <DIR> d-------- c:\program files\Lavasoft 2009-01-05 23:00 . 2009-01-05 23:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\program files\Moyea 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\documents and settings\Render\Application Data\Moyea 2008-12-20 03:23 . 2008-12-20 03:23 <DIR> d-------- c:\documents and settings\Render\Application Data\Apple Computer 2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\program files\Common Files\Apple 2008-12-20 03:18 . 2008-12-20 03:19 <DIR> d-------- c:\program files\QuickTime 2008-12-20 03:18 . 2008-12-20 03:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\program files\Apple Software Update 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-13 01:17 --------- d-----w c:\documents and settings\Render\Application Data\WTablet 2009-01-11 10:32 --------- d-----w c:\documents and settings\Render\Application Data\GetRight Pro 2009-01-10 04:58 --------- d-----w c:\documents and settings\Render\Application Data\uTorrent 2009-01-06 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2009-01-05 22:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-05 22:14 --------- d-----w c:\program files\SpywareBlaster 2008-12-07 02:19 --------- d-----w c:\program files\Demonoid 2008-12-07 02:19 --------- d-----w c:\program files\Conduit 2008-10-15 03:51 2,560 ----a-w c:\windows\_MSRSTRT.EXE 2008-04-26 16:08 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-04-26 16:08 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-04-26 16:08 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-04-26 16:08 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-04-26 16:08 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((( snapshot@2009-01-09_21.11.30.81 ))))))))))))))))))))))))))))))))))))))))) . + 2009-01-13 01:17:40 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_668.dat + 2009-01-13 01:17:50 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_a00.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] "c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152] "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 316728] "Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-08-13 2245984] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-22 805392] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm "vidc.uldx"= c:\progra~1\ULEADS~1\ULEADD~1\ULEADD~1\DivX_UL.dll "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "msacm.divxa32"= DivXa32.acm "VIDC.HFYU"= huffyuv.dll "vidc.ffds"= c:\program files\ffdshow\ffdshow.ax [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NETGEAR\\PS121v2\\PS121v2.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\eMule\\emule.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328] R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [2007-10-22 12032] R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [2007-10-22 39424] R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1558000] R4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032] R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120] S3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\drivers\NETGEARUCOMP.sys [2007-10-22 12672] . Contents of the 'Scheduled Tasks' folder 2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyServer = 192.168.254.102 uInternet Settings,ProxyOverride = <local> IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm FF - ProfilePath - . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-12 18:17:52 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Environment] "Licence0"="04F0D21-79D8-7A25-D702-433F" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(768) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe c:\program files\Norton Ghost\Agent\VProSvc.exe c:\windows\system32\Tablet.exe c:\windows\system32\tlntsvr.exe c:\windows\system32\WTablet\TabUserW.exe c:\windows\system32\Tablet.exe c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe c:\windows\system32\msdtc.exe . ************************************************************************* . Completion time: 2009-01-12 18:20:23 - machine was rebooted ComboFix-quarantined-files.txt 2009-01-13 01:20:17 ComboFix2.txt 2009-01-10 04:12:40 ComboFix3.txt 2008-03-29 17:50:11 Pre-Run: 20,403,965,952 bytes free Post-Run: 20,469,837,824 bytes free 172 --- E O F --- 2008-06-11 09:04:32 -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Monday, January 12, 2009 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Tuesday, January 13, 2009 00:46:34 Records in database: 1611059 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: A:\ C:\ D:\ E:\ F:\ Scan statistics: Files scanned: 47653 Threat name: 5 Infected objects: 10 Suspicious objects: 0 Duration of the scan: 01:50:51 File name / Threat name / Threats count C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04A40000.VBN Infected: Packed.Win32.PolyCrypt.d 1 C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D6C0000.VBN Infected: Packed.Win32.PolyCrypt.d 1 C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E9C0000.VBN Infected: Packed.Win32.PolyCrypt.d 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\bexmqtir.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftx 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir Infected: Trojan-Downloader.Win32.Murlo.vn 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\rlnyxg.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fxt 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan.Win32.Agent.bfsd 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\xbbdij.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.ftx 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\ykcptnvn.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fxt 1 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLJW0DWO\lsp[1].exe Infected: Trojan.Win32.Agent.bfsd 1 The selected area was scanned. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:25:41 PM, on 1/12/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Norton Ghost\Agent\VProTray.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\Macrium\Reflect\ReflectService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\tlntsvr.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Java\jre6\bin\java.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.254.102 O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206424661890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206458024234 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe -- End of file - 7882 bytes

Tomk View Member Profile	Jan 12 2009, 11:07 PM Post #10
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, COMBOFIX-Script Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below: CODE File:: Folder:: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLJW0DWO Registry:: Driver:: Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Also, Please give me one more HijackThis log.

progrocktv View Member Profile	Jan 13 2009, 09:15 AM Post #11
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Thanks for the quick response (you guys must never sleep;-) Here ya go: ComboFix 09-01-12.03 - Render 2009-01-13 8:07:21.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.402 [GMT -7:00] Running from: c:\documents and settings\Render\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Render\Desktop\CFScript.txt * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLJW0DWO c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLJW0DWO\desktop.ini c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WLJW0DWO\lsp[1].exe . ((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 ))))))))))))))))))))))))))))))) . 2009-01-12 18:29 . 2009-01-12 18:29 <DIR> d-------- c:\windows\Sun 2009-01-12 18:29 . 2009-01-12 18:28 410,984 --a------ c:\windows\system32\deploytk.dll 2009-01-12 18:29 . 2009-01-12 18:28 73,728 --a------ c:\windows\system32\javacpl.cpl 2009-01-12 18:28 . 2009-01-12 18:28 <DIR> d-------- c:\program files\Java 2009-01-09 19:49 . 2009-01-09 19:49 <DIR> d-------- c:\documents and settings\Render\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-09 19:49 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-01-09 19:48 . 2009-01-09 19:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-09 19:48 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-09 19:48 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-05 23:01 . 2009-01-05 23:01 <DIR> d-------- c:\program files\Lavasoft 2009-01-05 23:00 . 2009-01-05 23:00 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\program files\Moyea 2008-12-31 15:58 . 2008-12-31 15:58 <DIR> d-------- c:\documents and settings\Render\Application Data\Moyea 2008-12-20 03:23 . 2008-12-20 03:23 <DIR> d-------- c:\documents and settings\Render\Application Data\Apple Computer 2008-12-20 03:19 . 2008-12-20 03:19 <DIR> d-------- c:\program files\Common Files\Apple 2008-12-20 03:18 . 2008-12-20 03:19 <DIR> d-------- c:\program files\QuickTime 2008-12-20 03:18 . 2008-12-20 03:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\program files\Apple Software Update 2008-12-20 03:16 . 2008-12-20 03:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-13 15:01 --------- d-----w c:\documents and settings\Render\Application Data\WTablet 2009-01-11 10:32 --------- d-----w c:\documents and settings\Render\Application Data\GetRight Pro 2009-01-10 04:58 --------- d-----w c:\documents and settings\Render\Application Data\uTorrent 2009-01-06 06:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2009-01-05 22:16 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2009-01-05 22:14 --------- d-----w c:\program files\SpywareBlaster 2008-12-07 02:19 --------- d-----w c:\program files\Demonoid 2008-12-07 02:19 --------- d-----w c:\program files\Conduit 2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx0c.dll 2008-10-28 22:36 823,296 ----a-w c:\windows\system32\divx_xx07.dll 2008-10-28 22:35 815,104 ----a-w c:\windows\system32\divx_xx0a.dll 2008-10-28 22:35 802,816 ----a-w c:\windows\system32\divx_xx11.dll 2008-10-28 22:35 684,032 ----a-w c:\windows\system32\DivX.dll 2008-10-15 03:51 2,560 ----a-w c:\windows\_MSRSTRT.EXE 2008-04-26 16:08 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll 2008-04-26 16:08 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll 2008-04-26 16:08 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll 2008-04-26 16:08 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll 2008-04-26 16:08 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((( snapshot@2009-01-09_21.11.30.81 ))))))))))))))))))))))))))))))))))))))))) . - 2000-08-31 15:00:00 28,672 ----a-w c:\windows\NIRCMD.exe + 2000-08-31 15:00:00 29,696 ----a-w c:\windows\NIRCMD.exe + 2009-01-13 01:28:47 144,792 ----a-w c:\windows\system32\java.exe + 2009-01-13 01:28:47 144,792 ----a-w c:\windows\system32\javaw.exe + 2009-01-13 01:28:47 148,888 ----a-w c:\windows\system32\javaws.exe + 2009-01-13 15:01:50 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_3a8.dat + 2009-01-13 15:01:48 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_4e8.dat + 2009-01-13 15:01:56 16,384 ----atw c:\windows\TEMP\Perflib_Perfdata_bac.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872] "c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShaPlus Bandwidth Meter"="c:\program files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" [X] "vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152] "PS121v2"="c:\program files\NETGEAR\PS121v2\PS121v2.exe" [2007-05-23 696320] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-26 316728] "Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-08-13 2245984] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-12 136600] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048] Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-22 805392] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn] 2008-05-02 01:42 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm "vidc.uldx"= c:\progra~1\ULEADS~1\ULEADD~1\ULEADD~1\DivX_UL.dll "vidc.DIV3"= DivXc32.dll "vidc.DIV4"= DivXc32f.dll "msacm.divxa32"= DivXa32.acm "VIDC.HFYU"= huffyuv.dll "vidc.ffds"= c:\program files\ffdshow\ffdshow.ax [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\NETGEAR\\PS121v2\\PS121v2.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\eMule\\emule.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-05-20 15328] R3 NETGEARUHOST;NETGEAR Network USB Host Controller;c:\windows\system32\drivers\NETGEARUHOST.sys [2007-10-22 12032] R3 NETGEARUHUB;NETGEAR Network USB Root Hub;c:\windows\system32\drivers\NETGEARUHUB.sys [2007-10-22 39424] R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1558000] R4 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [2008-08-06 216032] R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120] S3 NETGEARUCOMP;NETGEAR Network USB Composite Device;c:\windows\system32\drivers\NETGEARUCOMP.sys [2007-10-22 12672] . Contents of the 'Scheduled Tasks' folder 2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyServer = 192.168.254.102 uInternet Settings,ProxyOverride = <local> IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm FF - ProfilePath - . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-13 08:08:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*] "Licence0"="04F0D21-79D8-7A25-D702-433F" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(756) c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll c:\program files\common files\logishrd\bluetooth\LBTServ.dll . Completion time: 2009-01-13 8:10:39 ComboFix-quarantined-files.txt 2009-01-13 15:10:28 ComboFix2.txt 2009-01-13 01:20:25 ComboFix3.txt 2009-01-10 04:12:40 ComboFix4.txt 2008-03-29 17:50:11 Pre-Run: 20,248,358,912 bytes free Post-Run: 20,297,359,360 bytes free 167 --- E O F --- 2008-06-11 09:04:32 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:12:25 AM, on 1/13/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\Norton Ghost\Agent\VProTray.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Norton Ghost\Agent\VProSvc.exe C:\Program Files\Macrium\Reflect\ReflectService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Tablet.exe C:\WINDOWS\system32\tlntsvr.exe C:\WINDOWS\system32\WTablet\TabUserW.exe C:\WINDOWS\system32\Tablet.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.254.102 O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [ShaPlus Bandwidth Meter] "C:\Program Files\ShaPlus Bandwidth Meter\ShaPlus Bandwidth Meter" /s O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [PS121v2] "C:\Program Files\NETGEAR\PS121v2\PS121v2.exe" /hide O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206424661890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1206458024234 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe -- End of file - 7803 bytes

Tomk View Member Profile	Jan 13 2009, 10:55 AM Post #12
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, Log looks good Time for some housekeeping Click START then RUN Now type Combofix /u in the runbox and click OK Note the space between the X and the U, it needs to be there. The above procedure will: Implement some cleanup procedures. Reset System Restore. Please re-enable any security that was disabled. The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly. For a tutorial on Firewalls and a listing of some available ones see the link below: Understanding and Using Firewalls Keep Microsoft Windows Updated - This will ensure your computer has always the latest security updates available installed on your computer. The easiest way to do this is to turn on Automatic Updates. Do this by: From your desktop, right-click on My Computer, click on Properties Select the Automatic Updates tab Click on Automatic Click on Apply button Click on OK to exit. If there are new updates to install, install them immediately, until there are no more critical updates. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial on installing & using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware Download and install the free version of WinPatrol - This program protects your computer in a variety of ways and will work well with your existing security software. Winpatrol Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Only run one Anti-Virus and Firewall program. I would also suggest you read this: So how did I get infected in the first place? by Tony Klein Also: "How to prevent malware" by miekiemoes Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.

progrocktv View Member Profile	Jan 13 2009, 06:18 PM Post #13
Authentic Member Group: Authentic Member Posts: 34 Joined: 26-July 04 Member No.: 11,128	Alright, read instructions and I think we're good. Again, thanks for all your help!

Tomk View Member Profile	Jan 13 2009, 07:30 PM Post #14
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	progrocktv, You are very welcome! Glad we could help. Have a Happy New Year. Good Luck and Be Well.

Tomk View Member Profile	Jan 13 2009, 07:30 PM Post #15
Forum God / Classroom Admin Assistant Group: Classroom Teacher Posts: 12,304 Joined: 27-December 07 From: Sisters, OR Member No.: 75,503 Operating System: xp	Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

« Next Oldest · Infections Removal · Next Newest »

Closed Topic

Start new topic

Similar Topics

Similar Topics

Similar Topics

		Topic Title	Replies	Topic Starter	Views	Last Action
		Infections Removal [Resolved] IE8 web browser keeps redirecting me	14	Marm	184	Yesterday, 09:29 PM Last post by: CatByte
		Infections Removal [Resolved] XP Antivirus Pro 2010 infection 12	29	Stormicats	1,205	Yesterday, 03:58 PM Last post by: extremeboy
		Infections Removal [Resolved] Perfect Keylogger.	9	lin0056	126	Yesterday, 02:34 PM Last post by: LDTate
		Infections Removal [Resolved] Lots of Malware found and removed	12	km1234	174	16th March 2010 - 11:41 PM Last post by: Tomk

Display Mode: Switch to: Standard · Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Time is now: 18th March 2010 - 12:51 AM

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy

Powered By IP.Board © 2010 IPS, Inc.