9 replies to this topic

[BurningChrome]

I Googled "KeyGen Neocron" then clicked on the third and eighth link. By the time I realized what was going on it was too late. I assure my interest in this KeyGen is legit if you care, I threw out the CD Key by mistake. Here is the link I beleive to be the culprit "http://www.google.co...en.name/?1=n2". and here is my Logfile

HijackThis v1.99.1

Scan saved at 10:02:55 PM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Common Files\svchost.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\internet explorer\iexplore.exe
J:\Programs\Not installed\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [nfqypli.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Dea\Local Settings\Application Data\nfqypli.dll",jiuiibe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlex.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\lqanedxq.dll",setvm
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - HKCU\..\Run: [AutoHotkey] C:\Program Files\AutoHotkey\AutoHotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152814889250
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

HiJack log,

I have already run VundoFix and restarted. When I tried to start Combofix I was told there was a rootkit error, and not to try to run ComboFix again.

[BurningChrome]

Got bored and manually moved a few files. Comp is running better but still get popups. Heres the new log I still see some problems. Any help would be greatly appreciated

Logfile of HijackThis v1.99.1
Scan saved at 12:47:58 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\AutoHotkey\AutoHotkey.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\program files\internet explorer\iexplore.exe
J:\Programs\Not installed\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - HKCU\..\Run: [AutoHotkey] C:\Program Files\AutoHotkey\AutoHotkey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152814889250
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

[random/random]

Please rename HijackThis.exe to scanner.exe and post a new log

[BurningChrome]

Logfile of HijackThis v1.99.1
Scan saved at 8:57:33 PM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\AutoHotkey\AutoHotkey.exe
J:\Programs\Not installed\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52253032-1BA0-40E6-B0D1-31E10D7273CA} - (no file)
O2 - BHO: (no name) - {58A5B68E-363D-4851-943C-CEB1A4DB40E3} - (no file)
O2 - BHO: (no name) - {613E7B70-5380-4063-A060-C147AB994C02} - C:\WINDOWS\system32\jkkifcd.dll
O2 - BHO: (no name) - {6C1361D4-8819-61B2-EE84-06FE71EF9B20} - C:\WINDOWS\system32\ikvmacj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76A53AAF-1975-48FE-AB9E-61943486FDC6} - (no file)
O2 - BHO: (no name) - {880E1697-F358-4C5F-AA22-FFA30262FFCA} - (no file)
O2 - BHO: (no name) - {A1F6CE9B-20C5-4FF6-939F-A6FB8FB8F54D} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\cmrdojoc.dll
O4 - HKLM\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fcufcqyo.dll",setvm
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
O20 - Winlogon Notify: jkkifcd - C:\WINDOWS\SYSTEM32\jkkifcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

[random/random]

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post back with a new HijackThis log and the vundofix log

[BurningChrome]

Here are the new results. Also I would like to thank you for your time and effort, but mostly for just helping me out.


VundoFix V6.3.6

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 6:15:53 PM 2/20/2007

Listing files found while scanning....

C:\WINDOWS\system32\brrpmnyn.exe
C:\WINDOWS\system32\fcufcqyo.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\oyqcfucf.ini
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\brrpmnyn.exe
C:\WINDOWS\system32\brrpmnyn.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fcufcqyo.dll
C:\WINDOWS\system32\fcufcqyo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oyqcfucf.ini
C:\WINDOWS\system32\oyqcfucf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 9:38:24 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Logitech\WebColct\webcolct.exe
C:\WINDOWS\system32\NOTEPAD.EXE
J:\Programs\Not installed\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {52253032-1BA0-40E6-B0D1-31E10D7273CA} - (no file)
O2 - BHO: (no name) - {58A5B68E-363D-4851-943C-CEB1A4DB40E3} - (no file)
O2 - BHO: (no name) - {613E7B70-5380-4063-A060-C147AB994C02} - C:\WINDOWS\system32\jkkifcd.dll
O2 - BHO: (no name) - {6C1361D4-8819-61B2-EE84-06FE71EF9B20} - C:\WINDOWS\system32\ikvmacj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76A53AAF-1975-48FE-AB9E-61943486FDC6} - (no file)
O2 - BHO: (no name) - {880E1697-F358-4C5F-AA22-FFA30262FFCA} - (no file)
O2 - BHO: (no name) - {CC5A2B37-1C6E-4838-A4E0-B225451FE3F5} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\cmrdojoc.dll
O4 - HKLM\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O20 - Winlogon Notify: jkkifcd - C:\WINDOWS\SYSTEM32\jkkifcd.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

[random/random]

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once the scan is complete, Right Click inside the listbox (white box) and click add more files
• Copy&Paste the 2 entries below into the top 2 boxes (one line per box):
  • 
    C:\WINDOWS\system32\jkkifcd.dll
    C:\WINDOWS\system32\ikvmacj.dll
• Click Add Files and Click Close Window
• Click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: (no name) - {52253032-1BA0-40E6-B0D1-31E10D7273CA} - (no file)
O2 - BHO: (no name) - {58A5B68E-363D-4851-943C-CEB1A4DB40E3} - (no file)
O2 - BHO: (no name) - {613E7B70-5380-4063-A060-C147AB994C02} - C:\WINDOWS\system32\jkkifcd.dll
O2 - BHO: (no name) - {6C1361D4-8819-61B2-EE84-06FE71EF9B20} - C:\WINDOWS\system32\ikvmacj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {76A53AAF-1975-48FE-AB9E-61943486FDC6} - (no file)
O2 - BHO: (no name) - {880E1697-F358-4C5F-AA22-FFA30262FFCA} - (no file)
O2 - BHO: (no name) - {CC5A2B37-1C6E-4838-A4E0-B225451FE3F5} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\cmrdojoc.dll
O20 - Winlogon Notify: jkkifcd - C:\WINDOWS\SYSTEM32\jkkifcd.dll
O20 - Winlogon Notify: wineij32 - wineij32.dll (file missing)

Then close all windows except HijackThis and click Fix Checked

Post back with a new HijackThis log

[BurningChrome]

I think that did it! Thank you very much, I learned the alot here. Is there anything else
I should do?

Logfile of HijackThis v1.99.1
Scan saved at 6:35:06 PM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
c:\program files\internet explorer\iexplore.exe
J:\Programs\Not installed\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [Logitech SetPoint Event Manager (UNICODE)] C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

[random/random]

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 .
• Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
• Click the "Download" button to the right.
• Check the box that says: "Accept License Agreement".
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.

Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com.../readstep2.html

You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you need to be registered to post as unfortunately we were hit wiht too many spam posting to allow guest posting to continue just find your country room and register your complaint.
The infection you had was Vundo

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented

• Turn off System Restore.
  On the Desktop, right-click My Computer.
  Click Properties.
  Click the System Restore tab.
  Check Turn off System Restore.
  Click Apply, and then click OK.
  
  Reboot.
  
  Turn ON System Restore.
  On the Desktop, right-click My Computer.
  Click Properties.
  Click the System Restore tab.
  UN-Check *Turn off System Restore*.
  Click Apply, and then click OK.
  NOTE: only do this ONCE,NOT on a regular basis
• Use an antivirus program
  Two good free programs are
  AVG
  Avast<I use this one
  
  Two good paid-for programs are
  NOD32
  Bitdefender
  
  Whichever antivirus you choose, it is essential that you keep it up to date
• Use a firewall
  While the firewall built into windows XP will protect you from incoming attacks, it will not monitor outgoing connections
  It is therefore recommended that you install one of the following firewalls
  Sunbelt kerio personal firewall
  Zonealarm
  
• Keep windows up to date with the latest patches
  
  
  IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.
  
  If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  
• Install spywareblaster
  Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
  kill bits
  in the registry, so that certain activex controls can't install.
  If you don't know what activex controls are, see here
  You can download SpywareBlaster here here
  Make sure to update it on a regular basis
• Install IE-SPYAD
  Dowload and instructions located here
  Make sure to update it on a regular basis
• Use a HOSTS file
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button (at the lower left hand corner of your screen)
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then double-click it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok
• Install and use Ad-aware & Spybot search & destroy
  Instructions are located here
  Make sure to update them on a regular basis
• Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
  Two good alternative browsers are
  Firefox
  Opera
  It is essential to update to the latest version of your browser, as the updates fix known security holes
• Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
  This can be done by following these simple instructions:
  From within Internet Explorer click on the Tools menu and then click on Options.
  Click once on the Security tab
  Click once on the Internet icon so it becomes highlighted.
  Click once on the Custom Level button.
  Change the Download signed ActiveX controls to Prompt
  Change the Download unsigned ActiveX controls to Disable
  Change the Initialize and script ActiveX controls not marked as safe to Disable
  Change the Installation of desktop items to Prompt
  Change the Launching programs and files in an IFRAME to Prompt
  Change the Navigate sub-frames across different domains to Prompt
  Change the allow paste operations via script to Disable
  When all these settings have been made, click on the OK button.
  If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.
• Clean out you temp file on a regular basis
  I use and recommend ATF Cleaner by Attribune
  To use it, follow these instructions
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
  If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  Click Exit on the Main menu to close the program.
• Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date

[little eagle]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php