[Resolved] my laptop is running very poorly because of spyware

Computer forums for help with removing malicious software (malware) and improving computer security

Welcome Guest to What the Tech! ( Log In | Register ) We specialize in the removal of malicious software (malware), but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn. Explore our message boards, or register now to post messages of your own. Please Start Here. Register today (registration removes advertising)

What the Tech > Spyware / Malware / Virus Removal > HijackThis™ Logs and Infections Removal

2 Pages

1 2 >

[Resolved] my laptop is running very poorly because of spyware

Options

bobbob View Member Profile	May 10 2008, 12:24 PM Post #1
New Member Group: New Member Posts: 10 Joined: 3-May 08 Member No.: 78,831 Operating System: XP	I tried running spybot and adaware but they don't fix the problems. My laptop is extremely slow because of the malware and spyware that is on it. It takes me a few minutes just to open a file or any task. I can go to google.com but whenever I search something the page never loads. I can't even get into yahoo.com. most other pages load but they have ads on them for antispyware programs and adult sites. Also popup ads appear randomly when i get on to the internet. I also think that the problems in my computer have done something to my usb device. I can't double click it anymore. I have to right click it and then hit open. Logfile of HijackThis v1.99.1 Scan saved at 1:53:08 PM, on 5/10/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\1XConfig.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\RegSrvc.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\DellSupport\DSAgnt.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Common Files\AOL\Loader\aolload.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe C:\Program Files\Hijackthis\HijackThis.exe C:\Program Files\Symantec\LiveUpdate\AUpdate.exe C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file) O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Paul\lsass.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [BM7378674d] Rundll32.exe "C:\WINDOWS\system32\yufpqwgf.dll",s O4 - HKLM\..\Run: [704b54d1] rundll32.exe "C:\WINDOWS\system32\hiqcebhi.dll",b O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168279267489 O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://www.tc.cornell.edu/TSWeb/msrdp.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

LDTate View Member Profile	May 17 2008, 08:33 AM Post #2
Forum God Group: Root Admin Posts: 41,778 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	You might want to print these instructions out. I suggest you do this: Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Clear "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Clear "Hide protected operating system files." Click Apply, and then click OK. Please do not delete anything unless instructed to. Please download ATF Cleaner by Atribune. Download - ATF Cleaner» Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. (If you use FireFox or the Opera browser To keep saved passwords, click No at the prompt.) It's normal after running ATF cleaner that the PC will be slower to boot the first time or two. Next: Please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select Perform quick scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location and post the results. Also "copy/paste" a new HijackThis log file into this thread. Also please describe how your computer behaves at the moment.

bobbob View Member Profile	May 17 2008, 11:18 AM Post #3
New Member Group: New Member Posts: 10 Joined: 3-May 08 Member No.: 78,831 Operating System: XP	After i unclicked hide protected operating system files some faded icons showed up on my desktop. 4 jpg files were there. When i opened them it was a picture of some random guy's face. No idea what it is. Another one of those icons was a file called desktop.ini and 2 word documents that i had previously had on my desktop are faded now. After i did the malwarebytes scan it said that some objects could not be removed and that i should reboot. You didn't exactly tell me to reboot so i didn't do it. I just ignored it and saved a new hijackthis log. I can now go to google and yahoo and search them. I can also go to the whatthetech forum now. I had to use a different computer to post here. The processes seem faster. I had received a symantec notification since the last scan. I am also a little worried that some objects could not be removed and the faded jpg files on my desktop are strange. Malwarebytes' Anti-Malware 1.12 Database version: 758 Scan type: Quick Scan Objects scanned: 44146 Time elapsed: 15 minute(s), 5 second(s) Memory Processes Infected: 0 Memory Modules Infected: 1 Registry Keys Infected: 21 Registry Values Infected: 3 Registry Data Items Infected: 0 Folders Infected: 2 Files Infected: 17 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\SYSTEM32\hiqcebhi.dll (Trojan.Vundo) -> Unloaded module successfully. Registry Keys Infected: HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\704b54d1 (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7378674d (Trojan.Agent) -> Delete on reboot. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\CPV (Trojan.Downloader) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\SYSTEM32\esskshiy.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\yihsksse.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\hiqcebhi.dll (Trojan.Vundo) -> Delete on reboot. C:\WINDOWS\SYSTEM32\ihbecqih.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\hkmjepis.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\sipejmkh.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\imcwkcqm.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\mqckwcmi.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wqyxcdge.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\egdcxyqw.ini (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Paul\services.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully. C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\yufpqwgf.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\SYSTEM32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\packet.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\SYSTEM32\wpcap.dll (Trojan.Agent) -> Quarantined and deleted successfully. Logfile of HijackThis v1.99.1 Scan saved at 12:46:47 PM, on 5/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\RegSrvc.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\1XConfig.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: {66577167-52bf-21fb-d874-1d36a05d2ff4} - {4ff2d50a-63d1-478d-bf12-fb2576177566} - C:\WINDOWS\system32\tokmgfdn.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file) O2 - BHO: (no name) - {EB7145DC-109F-4CD3-866C-4859A321EF72} - C:\WINDOWS\system32\vtUlMcYo.dll (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file) O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Paul\lsass.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [BM7378674d] Rundll32.exe "C:\WINDOWS\system32\yufpqwgf.dll",s O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168279267489 O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://www.tc.cornell.edu/TSWeb/msrdp.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: opnkjGWn - opnkjGWn.dll (file missing) O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

LDTate View Member Profile	May 17 2008, 11:30 AM Post #4
Forum God Group: Root Admin Posts: 41,778 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Leave those icons be for now. Some are hidden windows files. Yes you need to reboot so those can be deleted. After the above see if you can post from that PC.

bobbob View Member Profile	May 17 2008, 12:05 PM Post #5
New Member Group: New Member Posts: 10 Joined: 3-May 08 Member No.: 78,831 Operating System: XP	For some reason when i reboot and then ran malwarbytes nothing malicious was found. However, i did get a symantec notification. Malwarebytes' Anti-Malware 1.12 Database version: 758 Scan type: Quick Scan Objects scanned: 43798 Time elapsed: 16 minute(s), 13 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

LDTate View Member Profile	May 17 2008, 12:08 PM Post #6
Forum God Group: Root Admin Posts: 41,778 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	That's good Download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop -------------------------------------------------------------------- Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix. WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts Please do not re-connect your machine back to the Internet until Combofix has completely finished. -------------------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ** *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections. Give it atleast 20-30 minutes to finish

bobbob View Member Profile	May 17 2008, 01:06 PM Post #7
New Member Group: New Member Posts: 10 Joined: 3-May 08 Member No.: 78,831 Operating System: XP	I was terrified to run this program after those windows popped up. It has changed my clock setting. Will it go back after I reboot? ComboFix 08-05-15.3 - Paul 2008-05-17 14:22:58.1 - NTFSx86 Running from: C:\Documents and Settings\Paul\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\cookies.ini C:\WINDOWS\pskt.ini C:\WINDOWS\system32\dvtoqctj.ini C:\WINDOWS\system32\esekpqce.ini C:\WINDOWS\system32\fugucjmp.ini C:\WINDOWS\system32\gmnrquam.ini C:\WINDOWS\system32\gpbgqada.ini C:\WINDOWS\system32\iperqooa.ini C:\WINDOWS\system32\krltktvh.ini C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\SYSTEM32\njwfypmw.ini C:\WINDOWS\SYSTEM32\oYcMlUtv.ini C:\WINDOWS\SYSTEM32\oYcMlUtv.ini2 C:\WINDOWS\SYSTEM32\pwbicbth.ini C:\WINDOWS\SYSTEM32\qrytjjml.ini C:\WINDOWS\system32\qxnwalgi.dll C:\WINDOWS\system32\rribjujm.ini C:\WINDOWS\system32\ttiytcsw.ini C:\WINDOWS\system32\wohdchjg.ini C:\WINDOWS\SYSTEM32\wujqjvyt.ini C:\WINDOWS\winhelp.ini . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_CMDSERVICE -------\Legacy_NETWORK_MONITOR ((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 ))))))))))))))))))))))))))))))) . 2008-05-17 12:09 . 2008-05-17 12:09 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Malwarebytes 2008-05-17 12:08 . 2008-05-17 12:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-05-17 12:08 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys 2008-05-17 12:08 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys 2008-05-17 12:07 . 2008-05-17 12:08 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-05-17 11:25 . 2008-05-17 13:32 0 --a------ C:\WINDOWS\SYSTEM32\ihbecqih.tmp 2008-04-24 13:52 . 2008-04-24 13:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-04-24 13:51 . 2008-04-24 13:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-04-23 10:55 . 2008-05-17 14:29 <DIR> d-------- C:\Program Files\Symantec AntiVirus 2008-04-20 20:15 . 2008-04-21 12:33 <DIR> d--hs---- C:\WINDOWS\RWR3YXJkIE1lZHZpbnNreQ 2008-04-20 17:31 . 2008-05-17 11:42 109,796 --a------ C:\WINDOWS\BM7378674d.xml 2008-04-19 19:34 . 2008-04-19 19:34 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd18 2008-04-19 19:34 . 2008-04-19 19:34 <DIR> d-------- C:\Temp\berDrv11 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-04-24 17:54 --------- d-----w C:\Program Files\Lavasoft 2008-04-24 17:54 --------- d-----w C:\Documents and Settings\Edward Medvinsky\Application Data\Lavasoft 2008-04-23 18:48 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-04-23 15:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-04-23 14:59 --------- d-----w C:\Program Files\Symantec 2008-04-23 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2008-04-16 02:49 --------- d-----w C:\Documents and Settings\Paul\Application Data\uTorrent 2008-01-18 01:03 49,864 ----a-w C:\Documents and Settings\Paul\Application Data\GDIPFONTCACHEV1.DAT 2005-12-30 19:33 45,976 ----a-w C:\Documents and Settings\Dana\Application Data\GDIPFONTCACHEV1.DAT 2005-07-29 20:24 472 --sha-r C:\WINDOWS\RWR3YXJkIE1lZHZpbnNreQ\lqlasrL4KHY5tJtDvBhOyk.vbs 2005-02-20 02:52 56 --sh--r C:\WINDOWS\SYSTEM32\28A6FC177A.sys 2005-02-20 02:52 1,682 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ff2d50a-63d1-478d-bf12-fb2576177566}] C:\WINDOWS\system32\tokmgfdn.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB7145DC-109F-4CD3-866C-4859A321EF72}] C:\WINDOWS\system32\vtUlMcYo.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-13 19:23 98304] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 09:35 536576] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04 122933] "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 02:01 110592] "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15 290816] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-18 00:20 180269] "ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2005-07-05 02:32 639040] "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 08:31 135168] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24 286720] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680] "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360] WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-06-06 11:10:02 394856] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjGWn] opnkjGWn.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring] C:\WINDOWS\system32\LgNotify.dll 2005-07-05 02:33 188482 C:\WINDOWS\SYSTEM32\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.ac3filter"= ac3filter.acm [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\SAGENT4.EXE"= "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Documents and Settings\\Paul\\Desktop\\utorrent.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38] R3 tifm;tifm;C:\WINDOWS\system32\drivers\tifm.sys [2004-03-18 13:01] S3 flash;flash;C:\WINDOWS\system32\drivers\flash.sys [2003-08-29 18:47] S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2002-11-22 20:01] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] \Shell\AutoRun\command - D:\setup.exe -q [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed01920-64c0-11dc-b482-00038a000015}] \Shell\Auto\command - Start.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe . Contents of the 'Scheduled Tasks' folder "2008-04-22 16:19:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-05-17 18:41:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDetect.exe . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-17 14:32:26 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\DOCUME~1\Paul\LOCALS~1\Temp\fbA.tmp C:\Documents and Settings\Paul\Local Settings\Application Data\ApplicationHistory\dsca.exe.cf6b816f.ini.inuse scan completed successfully hidden files: 2 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\SYSTEM32\S24EvMon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\SYSTEM32\1XConfig.exe C:\WINDOWS\SYSTEM32\igfxsrvc.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\SYSTEM32\RegSrvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\SYSTEM32\FXSSVC.EXE C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\SYSTEM32\WSCNTFY.EXE . ************************************************************************ . Completion time: 2008-05-17 14:45:27 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-17 18:45:13 Pre-Run: 26,225,061,888 bytes free Post-Run: 26,170,290,176 bytes free 176 --- E O F --- 2008-05-14 02:33:40 Logfile of HijackThis v1.99.1 Scan saved at 2:59:50 PM, on 5/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\S24EvMon.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ZCfgSvc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\1XConfig.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\RegSrvc.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\system32\fxssvc.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: {66577167-52bf-21fb-d874-1d36a05d2ff4} - {4ff2d50a-63d1-478d-bf12-fb2576177566} - C:\WINDOWS\system32\tokmgfdn.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O2 - BHO: (no name) - {EB7145DC-109F-4CD3-866C-4859A321EF72} - C:\WINDOWS\system32\vtUlMcYo.dll (file missing) O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file) O3 - Toolbar: (no name) - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - (no file) O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsi.cab O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...trl/tgctlsr.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168279267489 O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft Terminal Services Client Control (redist)) - http://www.tc.cornell.edu/TSWeb/msrdp.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: opnkjGWn - opnkjGWn.dll (file missing) O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

LDTate View Member Profile	May 17 2008, 01:15 PM Post #8
Forum God Group: Root Admin Posts: 41,778 Joined: 23-September 04 From: Missouri, USA Member No.: 15,276	Your clock should be the least of your concerns, but it should go back to normal. Open notepad and copy/paste the text in the quotebox below into it: CODE File:: C:\WINDOWS\SYSTEM32\ihbecqih.tmp C:\WINDOWS\RWR3YXJkIE1lZHZpbnNreQ\lqlasrL4KHY5tJtDvBhOyk.vbs C:\WINDOWS\SYSTEM32\28A6FC177A.sys C:\WINDOWS\system32\tokmgfdn.dll C:\WINDOWS\system32\vtUlMcYo.dll Folder:: C:\WINDOWS\RWR3YXJkIE1lZHZpbnNreQ C:\WINDOWS\BM7378674d.xml C:\WINDOWS\SYSTEM32\xcsDd18 C:\Temp\berDrv11 C:\Program Files\Viewpoint Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ff2d50a-63d1-478d-bf12-fb2576177566}] [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB7145DC-109F-4CD3-866C-4859A321EF72}] [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkjGWn] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aed01920-64c0-11dc-b482-00038a000015}] Save this as Save this as "CFScript" Drag CFScript.txt into ComboFix.exe Then post the results log and a new HijackThis log. Also please describe how your computer behaves at the moment.

bobbob