WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] HijackThis Logs - Help

Started by kcneedhelp , Jan 28 2008 10:28 PM

This topic is locked

14 replies to this topic

#1 kcneedhelp

New Member

New Member
7 posts

Posted 28 January 2008 - 10:28 PM

Here is my hijackthis log. I have some virus which disable my task manager and regedit. I have regedit working but can not get the task manager enabled. Also have text across my screen about my computer being infected.

Logfile of HijackThis v1.99.1
Scan saved at 9:50:16 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://antispywareup...96.cacec6d1cdcd
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [fmnkoa] C:\WINDOWS\system32\arfutg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\WINDOWS\system32\scvh0st.exe
O4 - HKLM\..\Run: [mmnext06] C:\WINDOWS\trjdwnl.dll
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\shlext32.exe
O4 - HKLM\..\Run: [Tapicfg.exe] tapicfg.exe
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
O4 - HKLM\..\Run: [vmlib] vmlib.exe
O4 - HKLM\..\Run: [cssrss.exe] cssrss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup160.cab
O20 - Winlogon Notify: rqromlm - rqromlm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Advertisements

Register to Remove

#2 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 29 January 2008 - 09:08 PM

It doesn't appear your McAfee anti-virus is active in the running processes and I can see some bad guys running.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#3 kcneedhelp

New Member

New Member
7 posts

Posted 30 January 2008 - 07:59 PM

Thanks for getting back to me. I still can not get my task manager enabled. Following is the log: Malwarebytes' Anti-Malware 1.01 Database version: 301 Scan type: Quick Scan Objects scanned: 27558 Time elapsed: 8 minute(s), 34 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 31 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 9 Files Infected: 76 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53c330d6-a4ab-419b-b45d-fd4411c1fef4} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb936323-19fa-4521-ba29-eca6a121bc78} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13} (Adware.AdGoblin) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{24e31ea9-fce2-404f-bd80-20543565d946} (Trojan.Fakealert) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208} (Adware.Accoona) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12f02779-6d88-4958-8ad3-83c12d86adc7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44a1-9f4543d34546} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearchwbtoolbar.temperaturebarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{24e31ea9-fce2-404f-bd80-20543565d946} (Trojan.Fakealert) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\Program Files\Accoona (Adware.Accoona) -> Quarantined and deleted successfully. C:\Program Files\e-zshopper (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\p2pnetworks (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\3721 (Fake.Dropped.Malware ) -> Quarantined and deleted successfully. C:\Program Files\3721\assist (Fake.Dropped.Malware ) -> Quarantined and deleted successfully. C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\acespy (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\fk.dll (Rogue.Installer) -> Quarantined and deleted successfully. C:\Program Files\Accoona\ASearchAssist.dll (Adware.Accoona) -> Quarantined and deleted successfully. C:\Program Files\e-zshopper\BarLcher.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\p2pnetworks\amp2pl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\awmsg.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\guid.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\ijl15.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\mfc42.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\msvcrt.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\unins000.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\unis000.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\amsys\winam.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\3721\helper.dll (Fake.Dropped.Malware ) -> Quarantined and deleted successfully. C:\Program Files\3721\assist\asbar.dll (Fake.Dropped.Malware ) -> Quarantined and deleted successfully. C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\curlog.htm (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\keylog.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\readme.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\unsetup.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\acespy\systune.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\acespy\__acelog.ndx (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\PerfInfo\nTBirJgEvvwp.exe (Rogue.WinPerformance) -> Quarantined and deleted successfully. C:\WINDOWS\system32\msole32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ESHOPEE.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ace16win.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wml.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vxddsk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\764.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\7search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\absolute key logger.lnk (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\aconti.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\aconti.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\aconti.log (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\aconti.sdb (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\acontidialer.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\adbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\cbinst$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\daxtime.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\dp0.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\eventlowg.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\fhfmm-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\fhfmm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\flt.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\hcwprn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\hotporn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\ie_32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\iexplorr23.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\jd2002.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kkcomp$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kkcomp.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kkcomp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kvnab$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kvnab.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\kvnab.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqad$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqui-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqui.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\liqui.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\ngd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\pbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\pbsysie.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\settn.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\spredirect.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\wbeCheck.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\wbeInst$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\xadbrk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\xadbrk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\xadbrk_.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\xxxvideo.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\wml.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\vxddsk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

#4 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 30 January 2008 - 08:02 PM

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:

Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#5 kcneedhelp

New Member

New Member
7 posts

Posted 30 January 2008 - 09:19 PM

Things are looking better. I don't have the splash "...virus..." message across my screen and my task manager is enable.

Here is the combofix and new hijackthis log.

ComboFix 08-01-30.1 - Karl 2008-01-30 20:44:01.2 - NTFSx86
Running from: C:\Documents and Settings\Karl\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\WINDOWS\default.htm
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\nTBirJgEvvwp.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\SpyKillerProFilter

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Malwarebytes
2008-01-30 00:17 . 2008-01-30 00:17 <DIR> d-------- C:\EmergencyUtils
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\ComboFix
2008-01-28 23:46 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 22:45 . 2008-01-29 08:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-28 22:45 . 2008-01-28 22:45 30,208 --a------ C:\ck.doc
2008-01-28 22:42 . 2008-01-29 22:38 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-28 21:49 . 2008-01-28 21:49 488,144 --a------ C:\HJTsetup
2008-01-28 21:30 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-28 20:41 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-27 21:46 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Karl\.housecall6.6
2008-01-26 20:55 . 2008-01-26 20:55 <DIR> d-------- C:\WINDOWS\lgrsskpb
2008-01-26 20:54 . 2008-01-26 20:54 207,360 --a------ C:\WINDOWS\nermnkbg.dll
2008-01-26 20:53 . 2008-01-26 20:54 89,617 --a------ C:\WINDOWS\system32\rxjddnvj.exe
2008-01-26 20:39 . 2008-01-26 20:39 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-26 18:16 . 2008-01-26 18:16 270,698 --a------ C:\WINDOWS\system32\L7E16.tmp
2008-01-06 19:15 . 2008-01-16 17:53 <DIR> d-------- C:\Program Files\PopCap Games
2008-01-06 19:15 . 2008-01-21 10:55 21 --a------ C:\WINDOWS\popcinfot.dat
2008-01-06 19:15 . 2008-01-06 19:15 0 --a------ C:\WINDOWS\popcreg.dat
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\Analog Devices
2008-01-02 18:06 . 2008-01-02 20:56 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\RegistryClear
2008-01-02 18:05 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\RegistryClear
2007-12-16 19:17 . 2007-12-16 19:17 <DIR> d-------- C:\Documents and Settings\Cassidy\Application Data\Viewpoint

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-30 02:01 --------- d-----w C:\Documents and Settings\Karl\Application Data\AVG7
2008-01-26 20:24 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2008-01-24 02:23 --------- d-----w C:\Documents and Settings\Adam\Application Data\WeatherBug
2008-01-11 01:54 --------- d-----w C:\Documents and Settings\Karl\Application Data\WeatherBug
2007-12-31 21:51 --------- d-----w C:\Documents and Settings\Karl\Application Data\Apple Computer
2007-12-23 15:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 01:33 --------- d-----w C:\Documents and Settings\Cassidy\Application Data\WeatherBug
2007-11-30 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2000-08-16 04:49 923 ----a-w C:\Program Files\RLA.scp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 15:32 1597440]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-07-17 15:16 372736 C:\WINDOWS\system32\nwiz.exe]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-14 18:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-14 18:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 18:00 28739]
"CHotkey"="mHotkey.exe" [2002-09-21 16:12 482816 C:\WINDOWS\mHotkey.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 21:24 90112 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2002-08-06 21:24 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 21:01 579072]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 17:46 53248]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-03-11 06:08 81920]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00 49152]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]
"fmnkoa"="C:\WINDOWS\system32\arfutg.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 07:13 219136]

C:\Documents and Settings\Karl\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 13:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-14 18:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nTBirJgEvv"= rundll32.exe "C:\WINDOWS\nermnkbg.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqromlm]
rqromlm.dll

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 16:41:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 09:30:00 C:\WINDOWS\Tasks\RegistryClear Scheduled Scan.job"
- C:\Program Files\RegistryClear\RegistryClear.ex
- C:\Program Files\RegistryClear
"2008-01-31 02:51:26 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 20:52:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\PerfInfo

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\nermnkbg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-30 20:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 02:57:48
ComboFix2.txt 2008-01-28 02:27:44
.
2008-01-26 16:03:12 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:18:40 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vprmatrix.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fmnkoa] C:\WINDOWS\system32\arfutg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup160.cab
O20 - Winlogon Notify: rqromlm - rqromlm.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#6 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 03:39 PM

Do you know what this directory / folder is?
C:\WINDOWS\lgrsskpb

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\nermnkbg.dll
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\L7E16.tmp
C:\WINDOWS\system32\arfutg.exe
C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
C:\WINDOWS\system32\arfutg.exe

Folder::
C:\Documents and Settings\Cassidy\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\MyWebSearchWB
C:\WINDOWS\lgrsskpb

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fmnkoa"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"nTBirJgEvv"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqromlm]

Save this as Save this as "CFScript"

Posted Image

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#7 kcneedhelp

New Member

New Member
7 posts

Posted 31 January 2008 - 08:14 PM

I don't know what C:\WINDOWS\lgrsskpb it is. Can I delete it?

#8 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 08:18 PM

I don't know what
C:\WINDOWS\lgrsskpb
it is. Can I delete it?

I added it to the above fix :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#9 kcneedhelp

New Member

New Member
7 posts

Posted 31 January 2008 - 08:49 PM

Thanks! My computer is running a little slow. Just before I ran the combofix, I was still getting some pop-ups that would say
"Critical System Threads"
"Help speed up your pc"

Here are the logs:

ComboFix 08-01-30.1 - Karl 2008-01-31 20:20:16.3 - NTFSx86
Running from: C:\Documents and Settings\Karl\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Karl\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
C:\WINDOWS\nermnkbg.dll
C:\WINDOWS\system32\arfutg.exe
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\L7E16.tmp
C:\WINDOWS\system32\rxjddnvj.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Cassidy\Application Data\Viewpoint
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-678331546.mtz
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1106236703.swf
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1057593760.jpg
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\149522599.jpg
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-351416385.jpg
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-789050290.jpg
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1052380094.jpg
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1404232407.swf
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-678331521.mts
C:\Documents and Settings\Cassidy\Application Data\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\998646808.jpg
C:\Program Files\MyWebSearchWB
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6FFXTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6NTSTBR.JAR
C:\Program Files\MyWebSearchWB\bar\1.bin\W6WBTEMP.DLL
C:\Program Files\MyWebSearchWB\bar\Cache\000169B1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00018075.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0002BD1C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00052C86.bin
C:\Program Files\MyWebSearchWB\bar\Cache\000B0BF1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\003279A1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0039FF79.bin
C:\Program Files\MyWebSearchWB\bar\Cache\005EE0D1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\005EE1CB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\008D3D59.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00A6406C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00DEEFE6.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00F8A6C9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00F91FF0.bin
C:\Program Files\MyWebSearchWB\bar\Cache\00F920CB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\012CB16A
C:\Program Files\MyWebSearchWB\bar\Cache\0181FE35.bin
C:\Program Files\MyWebSearchWB\bar\Cache\01C2E87E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\020F3351.bin
C:\Program Files\MyWebSearchWB\bar\Cache\02283607.bin
C:\Program Files\MyWebSearchWB\bar\Cache\02283701.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0228378D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\022C2039.bin
C:\Program Files\MyWebSearchWB\bar\Cache\023DBE6B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\024218FB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\024219B6.bin
C:\Program Files\MyWebSearchWB\bar\Cache\026E0DE9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0282C977.bin
C:\Program Files\MyWebSearchWB\bar\Cache\028AEAE3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\03B7F451.bin
C:\Program Files\MyWebSearchWB\bar\Cache\03DFBBE9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04329840.bin
C:\Program Files\MyWebSearchWB\bar\Cache\043298FC.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04329979.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04427F7B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04F23E82.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04F23F4D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04F23FE9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04F24095.bin
C:\Program Files\MyWebSearchWB\bar\Cache\04FC5AA4.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0508F285.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0529CE14.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0529CED0.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0529CF4D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\05609E2F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0560A023.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0560A16B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\05CCD08C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\060037AA.bin
C:\Program Files\MyWebSearchWB\bar\Cache\071C7F1E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07835F2D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07836150.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07836354.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07836529.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0783673C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07877FD1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07A45BE1.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07B8B356.bin
C:\Program Files\MyWebSearchWB\bar\Cache\07B8B48F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\082F7BD9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\082F7CE2.bin
C:\Program Files\MyWebSearchWB\bar\Cache\082F7D6F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\084947F9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\084948B4.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08494941.bin
C:\Program Files\MyWebSearchWB\bar\Cache\084949CE.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08494A5A.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08494AE7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08EB03E7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08EB0520.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08EB05DB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\08EB82CB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\091CDDAF.bin
C:\Program Files\MyWebSearchWB\bar\Cache\091CDEA9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\091CDF35.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA6C2E.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA6E8F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA6FC8.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA70C2.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA719D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA7287.bin
C:\Program Files\MyWebSearchWB\bar\Cache\09EA7362.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0A142277.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0A19DC87.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0A19DDEF.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0B3AE18B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0BB52FF7.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0BB530B3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0BB5314F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0BB531DC.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0CA80DCB.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0CA80EA6.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0F31AC68.bin
C:\Program Files\MyWebSearchWB\bar\Cache\0FC8CC94.bin
C:\Program Files\MyWebSearchWB\bar\Cache\105B9D2C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\111C209F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11EF2EC6.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11EF303D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11EF3146.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11EF3231.bin
C:\Program Files\MyWebSearchWB\bar\Cache\11EF330B.bin
C:\Program Files\MyWebSearchWB\bar\Cache\12CAA842.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D00F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D109.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D196.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D222.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D29F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D31C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D3A9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1378D445.bin
C:\Program Files\MyWebSearchWB\bar\Cache\13BE28FD.bin
C:\Program Files\MyWebSearchWB\bar\Cache\13DD5C2C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\13DD5D07.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1409362F.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1542B3B9.bin
C:\Program Files\MyWebSearchWB\bar\Cache\16711209.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1AA61D5D.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1C27AECF.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1D56A5F3.bin
C:\Program Files\MyWebSearchWB\bar\Cache\1FB4F21C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\2136237C.bin
C:\Program Files\MyWebSearchWB\bar\Cache\files.ini
C:\Program Files\MyWebSearchWB\bar\History\search
C:\Program Files\MyWebSearchWB\bar\Settings\prevcfg.htm
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Manager\CPtask.xml
C:\Program Files\Viewpoint\Viewpoint Manager\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\s.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_av.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_cp.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_header_up.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_inner_bottom.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab_bg.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab1_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_off.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vm_tab2_on.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\images\vwpt_logo.gif
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\viewpoint.ico
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPData\vmctrl.html
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCPexe.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrCore.dll
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0302021C_.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\Cursors.dll
C:\WINDOWS\nermnkbg.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\nTBirJgEvvwp.exe
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\L7E16.tmp
C:\WINDOWS\system32\rxjddnvj.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 22:51 . 2008-01-30 22:51 772,701 --a------ C:\virus screen shot.rtf
2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Malwarebytes
2008-01-30 00:17 . 2008-01-30 00:17 <DIR> d-------- C:\EmergencyUtils
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\ComboFix
2008-01-28 23:46 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 22:45 . 2008-01-29 08:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-28 22:45 . 2008-01-28 22:45 30,208 --a------ C:\ck.doc
2008-01-28 22:42 . 2008-01-29 22:38 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-28 21:49 . 2008-01-28 21:49 488,144 --a------ C:\HJTsetup
2008-01-28 21:30 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-28 20:41 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-27 21:46 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Karl\.housecall6.6
2008-01-26 20:55 . 2008-01-26 20:55 <DIR> d-------- C:\WINDOWS\lgrsskpb
2008-01-06 19:15 . 2008-01-16 17:53 <DIR> d-------- C:\Program Files\PopCap Games
2008-01-06 19:15 . 2008-01-21 10:55 21 --a------ C:\WINDOWS\popcinfot.dat
2008-01-06 19:15 . 2008-01-06 19:15 0 --a------ C:\WINDOWS\popcreg.dat
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\Analog Devices
2008-01-02 18:06 . 2008-01-02 20:56 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\RegistryClear
2008-01-02 18:05 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\RegistryClear

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:49 --------- d-----w C:\Documents and Settings\Adam\Application Data\WeatherBug
2008-01-30 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-30 02:01 --------- d-----w C:\Documents and Settings\Karl\Application Data\AVG7
2008-01-26 20:24 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2008-01-11 01:54 --------- d-----w C:\Documents and Settings\Karl\Application Data\WeatherBug
2007-12-31 21:51 --------- d-----w C:\Documents and Settings\Karl\Application Data\Apple Computer
2007-12-23 15:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 01:33 --------- d-----w C:\Documents and Settings\Cassidy\Application Data\WeatherBug
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2000-08-16 04:49 923 ----a-w C:\Program Files\RLA.scp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 15:32 1597440]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-07-17 15:16 372736 C:\WINDOWS\system32\nwiz.exe]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-14 18:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-14 18:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 18:00 28739]
"CHotkey"="mHotkey.exe" [2002-09-21 16:12 482816 C:\WINDOWS\mHotkey.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 21:24 90112 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2002-08-06 21:24 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 21:01 579072]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 17:46 53248]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-03-11 06:08 81920]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00 49152]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 11:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 07:13 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-14 18:00:00 24633]

R0 fasttrak;fasttrak;C:\WINDOWS\system32\DRIVERS\fasttrak.sys [2002-06-18 11:50]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-03-05 15:35]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" []
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\system32\drivers\NMSCFG.SYS [2002-03-05 15:35]
S2 CoachWdm;Samsung Digimax 210SE Camera;C:\WINDOWS\system32\Drivers\CoachWdm.sys [2000-10-21 13:29]

*Newly Created Service* - NMSCFG
.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 16:41:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 09:30:00 C:\WINDOWS\Tasks\RegistryClear Scheduled Scan.job"
- C:\Program Files\RegistryClear\RegistryClear.ex
- C:\Program Files\RegistryClear
"2008-02-01 00:49:53 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 20:25:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\nermnkbg.dll
.
Completion time: 2008-01-31 20:31:38
ComboFix-quarantined-files.txt 2008-02-01 02:31:32
ComboFix2.txt 2008-01-31 02:57:53
ComboFix3.txt 2008-01-28 02:27:44
.
2008-01-26 16:03:12 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 8:47:40 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vprmatrix.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup160.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

#10 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 08:56 PM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\virus screen shot.rtf
C:\Program Files\RLA.scp
C:\WINDOWS\nermnkbg.dll

Folder::
C:\WINDOWS\lgrsskpb

Save this as Save this as "CFScript"

Posted Image

Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#11 kcneedhelp

New Member

New Member
7 posts

Posted 31 January 2008 - 09:13 PM

My computer seems to be running good. I have not seen any other pop-ups. Here are the logs:

ComboFix 08-01-30.1 - Karl 2008-01-31 21:05:09.4 - NTFSx86
Running from: C:\Documents and Settings\Karl\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Karl\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Program Files\RLA.scp
C:\virus screen shot.rtf
C:\WINDOWS\nermnkbg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\RLA.scp
C:\virus screen shot.rtf
C:\WINDOWS\lgrsskpb
C:\WINDOWS\lgrsskpb\1.png
C:\WINDOWS\lgrsskpb\2.png
C:\WINDOWS\lgrsskpb\3.png
C:\WINDOWS\lgrsskpb\4.png
C:\WINDOWS\lgrsskpb\5.png
C:\WINDOWS\lgrsskpb\6.png
C:\WINDOWS\lgrsskpb\7.png
C:\WINDOWS\lgrsskpb\8.png
C:\WINDOWS\lgrsskpb\9.png
C:\WINDOWS\lgrsskpb\bottom-rc.gif
C:\WINDOWS\lgrsskpb\config.png
C:\WINDOWS\lgrsskpb\content.png
C:\WINDOWS\lgrsskpb\download.gif
C:\WINDOWS\lgrsskpb\frame-bg.gif
C:\WINDOWS\lgrsskpb\frame-bottom-left.gif
C:\WINDOWS\lgrsskpb\frame-h1bg.gif
C:\WINDOWS\lgrsskpb\head.png
C:\WINDOWS\lgrsskpb\icon.png
C:\WINDOWS\lgrsskpb\indexwp.html
C:\WINDOWS\lgrsskpb\main.css
C:\WINDOWS\lgrsskpb\memory-prots.png
C:\WINDOWS\lgrsskpb\net.png
C:\WINDOWS\lgrsskpb\pc-mag.gif
C:\WINDOWS\lgrsskpb\pc.gif
C:\WINDOWS\lgrsskpb\poloska1.png
C:\WINDOWS\lgrsskpb\poloska2.png
C:\WINDOWS\lgrsskpb\poloska3.png
C:\WINDOWS\lgrsskpb\promowp1.html
C:\WINDOWS\lgrsskpb\promowp2.html
C:\WINDOWS\lgrsskpb\promowp3.html
C:\WINDOWS\lgrsskpb\promowp4.html
C:\WINDOWS\lgrsskpb\promowp5.html
C:\WINDOWS\lgrsskpb\reg.png
C:\WINDOWS\lgrsskpb\repair.png
C:\WINDOWS\lgrsskpb\scr-1.png
C:\WINDOWS\lgrsskpb\scr-2.png
C:\WINDOWS\lgrsskpb\start.png
C:\WINDOWS\lgrsskpb\styles.css
C:\WINDOWS\lgrsskpb\Thumbs.db
C:\WINDOWS\lgrsskpb\top-rc.gif
C:\WINDOWS\lgrsskpb\vline.gif
C:\WINDOWS\lgrsskpb\wp.png

.
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-01-30 19:42 . 2008-01-30 19:42 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\Malwarebytes
2008-01-30 00:17 . 2008-01-30 00:17 <DIR> d-------- C:\EmergencyUtils
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Administrator\.java
2008-01-29 22:38 . 2008-01-29 22:38 <DIR> d-------- C:\ComboFix
2008-01-28 23:46 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 22:45 . 2008-01-29 08:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-01-28 22:45 . 2008-01-28 22:45 30,208 --a------ C:\ck.doc
2008-01-28 22:42 . 2008-01-29 22:38 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-28 21:49 . 2008-01-28 21:49 488,144 --a------ C:\HJTsetup
2008-01-28 21:30 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-28 20:41 . 2008-01-29 22:37 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
2008-01-27 21:46 . 2008-01-29 22:38 <DIR> d-------- C:\Documents and Settings\Karl\.housecall6.6
2008-01-06 19:15 . 2008-01-16 17:53 <DIR> d-------- C:\Program Files\PopCap Games
2008-01-06 19:15 . 2008-01-21 10:55 21 --a------ C:\WINDOWS\popcinfot.dat
2008-01-06 19:15 . 2008-01-06 19:15 0 --a------ C:\WINDOWS\popcreg.dat
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\WINDOWS\VirtualEar
2008-01-02 20:56 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\Analog Devices
2008-01-02 18:06 . 2008-01-02 20:56 <DIR> d-------- C:\Documents and Settings\Karl\Application Data\RegistryClear
2008-01-02 18:05 . 2008-01-02 20:56 <DIR> d-------- C:\Program Files\RegistryClear

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 00:49 --------- d-----w C:\Documents and Settings\Adam\Application Data\WeatherBug
2008-01-30 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-30 02:01 --------- d-----w C:\Documents and Settings\Karl\Application Data\AVG7
2008-01-26 20:24 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2008-01-11 01:54 --------- d-----w C:\Documents and Settings\Karl\Application Data\WeatherBug
2007-12-31 21:51 --------- d-----w C:\Documents and Settings\Karl\Application Data\Apple Computer
2007-12-23 15:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-23 01:33 --------- d-----w C:\Documents and Settings\Cassidy\Application Data\WeatherBug
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2004-08-31 15:32 1597440]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-07-17 15:16 372736 C:\WINDOWS\system32\nwiz.exe]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-14 18:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-14 18:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-14 18:00 28739]
"CHotkey"="mHotkey.exe" [2002-09-21 16:12 482816 C:\WINDOWS\mHotkey.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 21:24 90112 C:\WINDOWS\GWMDMMSG.exe]
"GWMDMpi"="C:\WINDOWS\GWMDMpi.exe" [2002-08-06 21:24 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-02 21:01 579072]
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 17:46 53248]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-03-11 06:08 81920]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 10:00 49152]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 17:18 151552]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 17:29 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 11:05 212992]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 08:14 270648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-25 07:13 219136]

C:\Documents and Settings\Karl\Start Menu\Programs\Startup\
DING!.lnk - C:\Program Files\Southwest Airlines\Ding\Ding.exe [2006-06-22 13:15:48 462848]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-14 18:00:00 24633]

R0 fasttrak;fasttrak;C:\WINDOWS\system32\DRIVERS\fasttrak.sys [2002-06-18 11:50]
R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
S2 CoachWdm;Samsung Digimax 210SE Camera;C:\WINDOWS\system32\Drivers\CoachWdm.sys [2000-10-21 13:29]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 16:41:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-28 09:30:00 C:\WINDOWS\Tasks\RegistryClear Scheduled Scan.job"
- C:\Program Files\RegistryClear\RegistryClear.ex
- C:\Program Files\RegistryClear
"2008-02-01 02:38:11 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 21:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 21:09:21
ComboFix-quarantined-files.txt 2008-02-01 03:09:06
ComboFix2.txt 2008-02-01 02:31:39
ComboFix3.txt 2008-02-01 02:33:56
ComboFix4.txt 2008-01-28 02:27:44
.
2008-01-26 16:03:12 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:12:37 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vprmatrix.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r3.attbi.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphoto...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup160.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

#12 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 09:15 PM

Good job

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Here's my usual all clean post

Log looks good

You need to create a new Clean restore point.

Note: This will remove all previous Restore Points

Click Start Menu > Run > copy and paste

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
  - From within Internet Explorer click on the Tools menu and then click on Options.
  - Click once on the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Click once on the Custom Level button.
  - Change the Download signed ActiveX controls to Prompt
  - Change the Download unsigned ActiveX controls to Disable
  - Change the Initialize and script ActiveX controls not marked as safe to Disable
  - Change the Installation of desktop items to Prompt
  - Change the Launching programs and files in an IFRAME to Prompt
  - Change the Navigate sub-frames across different domains to Prompt
  - When all these settings have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
(Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
Without a firewall your computer is succeptible to being hacked and taken over.
I am very serious about this and see it happen almost every day with my clients.
Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Note: I no longer suggest Zone Alarm

Understanding and Using Firewalls
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site
until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Using IE-SPYAD to help block unwanted sites and activities
Winpatrol
Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#13 kcneedhelp

New Member

New Member
7 posts

Posted 31 January 2008 - 09:35 PM

I will be running the clean-up steps now. I want to thank you very very much for your help. IThank You! Thank You! Thank You!

#14 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 09:36 PM

Great job

You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

#15 LDTate

Grand Poobah

Root Admin
57,211 posts

Posted 31 January 2008 - 09:44 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

If you would like to for the help you received.

Proud graduate of TC/WTT Classroom

Body Background

skin color theme