Antivirus XP 2008... HELP!!!
joelw23
How do I get rid of this thing?
joelw23
I used ComboFix and instructions from another thread to attempt to clean it... It seemed to work, but here is my HijackThis log and ComboFix log... Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 06:53, on 2008-07-02
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
H:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\AVG Anti-Spyware 7.5\guard.exe
H:\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Kontiki\KService.exe
H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\IoctlSvc.exe
H:\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
H:\Orb\bin\Orb.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
H:\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
H:\Itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
H:\WinTV\Ir.exe
H:\Logitech\SetPoint\SetPoint.exe
H:\No-IP\DUC20.exe
C:\Program Files\RaidenFTPD\r.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
H:\Mozilla Firefox\firefox.exe
H:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: nqgpedlr - {6374A4B4-45BA-4718-9972-E56A8912ED9E} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] h:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [6086b841] rundll32.exe "C:\WINDOWS\system32\dmsaysxe.dll",b
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "H:\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [lphcvetj0ec9g] C:\WINDOWS\system32\lphcvetj0ec9g.exe
O4 - HKLM\..\Run: [SMrhcretj0ec9g] C:\Program Files\rhcretj0ec9g\rhcretj0ec9g.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "H:\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Startup: No-IP Duct.lnk = H:\No-IP\DUC20.exe
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O4 - Global Startup: AutoStart IR.lnk = H:\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = H:\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.netflix.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8194E061-414F-4F72-904E-1581462A7890}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: okmdepgb - {29ACEEE1-3186-428D-ACC0-61DD50AB0DC5} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {56F0F7EF-992E-4E1D-B635-B5E8BB25A122} - C:\WINDOWS\axrfgvek.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - H:\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: OrbMediaService - Orb Networks - H:\Orb\bin\OrbMediaService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
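
Three things in the HijackThis log above are worth more than a glance: the O3 toolbar and O21 SSODL entries whose DLLs sit directly in C:\WINDOWS (nqgpedlr.dll, okmdepgb.dll, axrfgvek.dll, where legitimate COM components almost never live), the HKLM Run value named with eight hex digits that starts a system32 DLL through rundll32 (`[6086b841] rundll32.exe "...\dmsaysxe.dll",b`), and the lphc*/rhc* naming pattern of the rogue itself (lphcvetj0ec9g.exe, rhcretj0ec9g.exe). The script below is an added example, not code from the SWI forum, HijackThis or ComboFix: it parses HijackThis O-lines and flags exactly those three indicator classes. The sample lines are excerpted from the log above; the regexes, the set of COM loading points and the rogue-name pattern are my assumptions, tuned to this log rather than a general signature set.

```python
"""Added example, not code from the SWI forum, HijackThis or ComboFix:
a small triage pass over HijackThis 'O' entries that flags the three
indicator classes present in the log above.  The sample lines are
excerpted from that log; the regexes and the rogue-name pattern are
my assumptions, tuned to this log only."""
import re

# Constructed sample: nine lines excerpted from the HijackThis log above.
SAMPLE_HJT = r"""
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: nqgpedlr - {6374A4B4-45BA-4718-9972-E56A8912ED9E} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [6086b841] rundll32.exe "C:\WINDOWS\system32\dmsaysxe.dll",b
O4 - HKLM\..\Run: [lphcvetj0ec9g] C:\WINDOWS\system32\lphcvetj0ec9g.exe
O4 - HKLM\..\Run: [SMrhcretj0ec9g] C:\Program Files\rhcretj0ec9g\rhcretj0ec9g.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: okmdepgb - {29ACEEE1-3186-428D-ACC0-61DD50AB0DC5} - C:\WINDOWS\okmdepgb.dll
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[OR]\d+) - (?P<body>.*)$")
# First Windows path ending in a PE-ish extension.  Non-greedy so the
# rundll32 tail in `"...\dmsaysxe.dll",b` is not swallowed into the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)", re.IGNORECASE)
# Naming pattern of the rogue in this log (lphc*/pphc*/rhc* + random tail).
# Assumption: built only from the file names visible in the log above.
ROGUE_RE = re.compile(r"^(?:lphc|pphc|rhc)[a-z0-9]{6,}$", re.IGNORECASE)
# Run value whose *name* is eight hex digits and whose command starts a DLL
# through rundll32 (the `[6086b841] rundll32.exe "...dmsaysxe.dll",b` line).
HEX_RUNDLL_RE = re.compile(r"^\[[0-9a-f]{8}\]\s+rundll32\.exe\b", re.IGNORECASE)
# Loading points where the OS hands the DLL to explorer/IE/winlogon itself:
# O2 BHO, O3 toolbar, O20 Winlogon Notify, O21 ShellServiceObjectDelayLoad.
COM_LOAD_TYPES = {"O2", "O3", "O20", "O21"}


def parse_entry(line):
    """Split one HijackThis line into its O-type, body and first file path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    p = PATH_RE.search(body)
    return {"type": m.group("type"), "body": body, "path": p.group(0) if p else None}


def in_windir_root(path):
    """True for C:\\WINDOWS\\x.dll, False for anything under a subdirectory."""
    return re.fullmatch(r"[A-Za-z]:\\windows\\[^\\]+", path or "", re.IGNORECASE) is not None


def file_stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return [(type, path, [reasons])] for every entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e["path"]:
            if ROGUE_RE.match(file_stem(e["path"])):
                reasons.append("rogue-av naming pattern")
            if e["type"] in COM_LOAD_TYPES and in_windir_root(e["path"]):
                reasons.append("COM/shell load from %WINDIR% root")
        # An O4 body reads `HKLM\..\Run: [name] command`; inspect the part after the key.
        if e["type"] == "O4" and HEX_RUNDLL_RE.match(e["body"].split(": ", 1)[-1]):
            reasons.append("hex-named Run value loading a DLL via rundll32")
        if reasons:
            findings.append((e["type"], e["path"], reasons))
    return findings


if __name__ == "__main__":
    for typ, path, reasons in triage(SAMPLE_HJT):
        print(f"{typ:<4} {path}\n     {'; '.join(reasons)}")
```

Run against the sample it reports five entries (the two C:\WINDOWS-root COM loads, the hex-named rundll32 Run value and the two lphc/rhc files) and stays quiet on the PayPal toolbar, the NVIDIA tray app, the system32 WPDShServiceObj and the Symantec service. The rules are deliberately narrow: a "random-looking name" heuristic on system32 files false-positives on abbreviation-heavy Microsoft binaries (ntkrnlpa, drmclien), so location and loading-point type carry the weight here instead.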

joelw23
ComboFix 08-06-30.2 - Joel 2008-07-02 7:00:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1079 [GMT -5:00]
Running from: C:\Documents and Settings\Joel\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dmsaysxe.dll
C:\WINDOWS\system32\DNnqAJlm.ini
C:\WINDOWS\system32\DNnqAJlm.ini2
C:\WINDOWS\system32\exsyasmd.ini
C:\WINDOWS\system32\mlJAqnND.dll
.
---- Previous Run -------
.
C:\Documents and Settings\Joel\Application Data\rhcretj0ec9g
C:\Program Files\rhcretj0ec9g
C:\WINDOWS\erab.exe
C:\WINDOWS\resources\ChkSetup.dll
C:\WINDOWS\system32\931928
C:\WINDOWS\system32\931928\931928.dll
C:\WINDOWS\system32\lphcvetj0ec9g.exe
C:\WINDOWS\system32\opnllLBT.dll
C:\WINDOWS\system32\pjujufky.dll
C:\WINDOWS\system32\pphcvetj0ec9g.exe
C:\WINDOWS\system32\TBLllnpo.ini
C:\WINDOWS\system32\TBLllnpo.ini2
C:\WINDOWS\system32\ykfujujp.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 03:00 . 2008-07-02 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-01 22:47 . 2008-07-01 22:47 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-01 17:05 . 2008-07-01 22:32 94,208 --a------ C:\WINDOWS\system32\31.tmp
2008-07-01 16:34 . 2008-07-01 16:34 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-01 16:26 . 2008-07-01 16:30 94,208 --a------ C:\WINDOWS\system32\F.tmp
2008-07-01 16:12 . 2008-07-01 16:12 <DIR> d-------- C:\Documents and Settings\Joel\Application Data\Nero
2008-07-01 16:05 . 2008-07-01 16:08 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-01 16:05 . 2008-07-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-01 14:41 . 2008-07-01 14:41 28,288 --a------ C:\WINDOWS\system32\nnnOETKE.dll
2008-07-01 14:36 . 2008-07-01 13:17 303,104 --a------ C:\WINDOWS\kgqfweltbnk.dll
2008-07-01 14:36 . 2008-07-01 13:17 233,472 --a------ C:\WINDOWS\okmdepgb.dll
2008-07-01 14:36 . 2008-07-01 13:17 180,224 --a------ C:\WINDOWS\axrfgvek.dll
2008-07-01 14:36 . 2008-07-01 13:17 155,648 --a------ C:\WINDOWS\nqgpedlr.dll
2008-07-01 14:36 . 2008-07-01 13:17 81,920 --a------ C:\WINDOWS\mrvtdpqe.exe
2008-06-27 14:03 . 2008-07-01 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-06-18 15:39 . 2008-06-18 15:39 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-06-18 15:38 . 2008-06-18 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Findley Designs
2008-06-11 00:46 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:46 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 10:14 . 2008-06-10 10:16 <DIR> d-------- C:\Documents and Settings\Joel\Application Data\rockbox.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 12:20 --------- d-----w C:\Program Files\RaidenFTPD
2008-07-02 12:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-02 03:39 --------- d-----w C:\Documents and Settings\Joel\Application Data\uTorrent
2008-07-01 20:16 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-01 19:48 1,082,880 ----a-w C:\WINDOWS\system32\AutoPartNt.exe
2008-06-30 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-28 18:46 --------- d-----w C:\Program Files\Safari
2008-06-27 19:03 --------- d-----w C:\Program Files\PayPal
2008-06-26 18:22 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-26 12:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-19 18:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 13:01 --------- d-----w C:\Program Files\Coupons
2008-05-21 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-14 13:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 13:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 13:30 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-14 13:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 13:30 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 13:30 --------- d-----w C:\Program Files\Symantec
2008-05-09 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 12:05 --------- d-----w C:\Documents and Settings\Joel\Application Data\GARMIN
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 10:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
2008-04-05 00:03 91,632 ----a-w C:\WINDOWS\system32\nts.dll
2008-04-05 00:03 83,440 ----a-w C:\WINDOWS\system32\pds.dll
2008-04-05 00:03 83,384 ----a-w C:\WINDOWS\system32\loc32vc0.dll
2008-04-05 00:03 46,584 ----a-w C:\WINDOWS\system32\msgsys.dll
2008-04-05 00:03 34,288 ----a-w C:\WINDOWS\system32\cba.dll
2008-04-04 23:58 357,760 ----a-w C:\WINDOWS\system32\sysfer.dll
2008-04-04 23:58 107,904 ----a-w C:\WINDOWS\system32\SymVPN.dll
2008-04-04 23:55 48,000 ----a-w C:\WINDOWS\system32\FwsVpn.dll
2007-12-13 12:56 81,920 ----a-w C:\Documents and Settings\Joel\Application Data\ezpinst.exe
2007-12-13 12:56 47,360 ----a-w C:\Documents and Settings\Joel\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28220052-D9A9-44B1-AB98-EDC594D238B6}]
2008-07-01 14:41 28288 --a------ C:\WINDOWS\system32\nnnOETKE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E859DCC4-2549-4667-9E0D-CBCB6F2FCC78}]
2008-07-01 13:17 303104 --a------ C:\WINDOWS\kgqfweltbnk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6374A4B4-45BA-4718-9972-E56A8912ED9E}"= "C:\WINDOWS\nqgpedlr.dll" [2008-07-01 13:17 155648]

[HKEY_CLASSES_ROOT\clsid\{6374a4b4-45ba-4718-9972-e56a8912ed9e}]
[HKEY_CLASSES_ROOT\nqgpedlr.1]
[HKEY_CLASSES_ROOT\TypeLib\{9C84F3E1-BE66-4AC6-85ED-FB0913344C5E}]
[HKEY_CLASSES_ROOT\nqgpedlr]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"Orb"="H:\Orb\bin\OrbTray.exe" [2008-05-13 20:29 507904]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12 131072]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12 90112]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 16:15 1261475]
"RemoteControl"="h:\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="H:\Itunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 17:14 570664]
"NBKeyScan"="H:\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="H:\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

C:\Documents and Settings\Joel\Start Menu\Programs\Startup\
No-IP Duct.lnk - H:\No-IP\DUC20.exe [2007-03-05 13:48:02 1172992]
r.exe.lnk - C:\Program Files\RaidenFTPD\r.exe [2007-02-19 10:01:08 4763648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - H:\WinTV\Ir.exe [2007-10-24 16:57:40 106551]
Logitech SetPoint.lnk - H:\Logitech\SetPoint\SetPoint.exe [2007-07-25 07:43:50 692224]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{28220052-D9A9-44B1-AB98-EDC594D238B6}"= "C:\WINDOWS\system32\nnnOETKE.dll" [2008-07-01 14:41 28288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"okmdepgb"= {29ACEEE1-3186-428D-ACC0-61DD50AB0DC5} - C:\WINDOWS\okmdepgb.dll [2008-07-01 13:17 233472]
"axrfgvek"= {56F0F7EF-992E-4E1D-B635-B5E8BB25A122} - C:\WINDOWS\axrfgvek.dll [2008-07-01 13:17 180224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnOETKE]
2008-07-01 14:41 28288 C:\WINDOWS\system32\nnnOETKE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joel^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Joel\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 17:52 3770024 H:\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\utorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"I:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"H:\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"H:\\FlashFXP\\FlashFXP.exe"=
"H:\\Itunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"H:\\Orb\\bin\\Orb.exe"=
"H:\\Orb\\bin\\OrbTray.exe"=
"H:\\Orb\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 SIUSBXP;SIUSBXP;C:\WINDOWS\system32\drivers\SiUSBXp.sys [2007-03-01 13:11]
S3 uisp;Motorola USB ICP driver;C:\WINDOWS\system32\Drivers\usbicp.sys []
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-12-05 01:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021c7ee-c0e4-11db-bdb1-005056c00008}]
\Shell\AutoRun\command - L:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55a810a2-d635-11db-b854-000129d2ec15}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60b359ca-d0b5-11db-b851-000129d2ec15}]
\Shell\AutoRun\command - L:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69b8e2c1-bf43-11db-af5d-806d6172696f}]
\Shell\AutoRun\command - K:\SETUP.EXE /UPDATE


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E555}]
F:\SlySoft\AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe -M
.
Contents of the 'Scheduled Tasks' folder
"2008-06-28 02:34:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-14 13:30:25 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-6086b841 - C:\WINDOWS\system32\dmsaysxe.dll
HKLM-Run-lphcvetj0ec9g - C:\WINDOWS\system32\lphcvetj0ec9g.exe
HKLM-Run-SMrhcretj0ec9g - C:\Program Files\rhcretj0ec9g\rhcretj0ec9g.exe
HKLM-Run-BluetoothAuthenticationAgent - bthprops.cpl,,BluetoothAuthenticationAgent


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 07:15:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\nnnOETKE.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
H:\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\AVG Anti-Spyware 7.5\guard.exe
H:\iPod Access for Windows\iPAHelper.exe
C:\Program Files\kontiki\KService.exe
H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\WgaTray.exe
H:\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-07-02 7:28:06 - machine was rebooted [Joel]
ComboFix-quarantined-files.txt 2008-07-02 12:27:57

Pre-Run: 1,528,430,592 bytes free
Post-Run: 1,520,271,360 bytes free

309 --- E O F --- 2008-07-02 08:00:26
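
Beyond the dropped files, the ComboFix report above records how the box's own defences were switched off: both Security Center overrides are set, Symantec's Security Center monitoring is disabled, the standard-profile Windows Firewall is off, TCP 3389 is globally open, and nnnOETKE.dll is registered as a Winlogon Notify package (and, per the "DLLs Loaded Under Running Processes" section, really was mapped into winlogon.exe). The script below is an added example, not code from the SWI forum or ComboFix: it parses the REGEDIT4-style "Reg Loading Points" section and lists those posture-tampering indicators. The sample keys are excerpted from the report above; the rule set and the finding labels are my assumptions.

```python
"""Added example, not code from the SWI forum or ComboFix: parse the
REGEDIT4-style 'Reg Loading Points' section of a ComboFix report and pull
out the security-posture tampering visible in the report above.  Sample
lines are excerpted from that report; the rule set is my assumption."""
import re

# Constructed sample: the relevant keys excerpted from the ComboFix report above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnOETKE]
2008-07-01 14:41 28288 C:\WINDOWS\system32\nnnOETKE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DLL_RE = re.compile(r"[A-Za-z]:\\\S+\.dll", re.IGNORECASE)


def parse_reg_dump(text):
    """Group the dump into {key: [raw lines under that key]}, order preserved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def reg_int(data):
    """'dword:00000001' -> 1; ComboFix's '0 (0x0)' -> 0; anything else -> None."""
    m = re.match(r"dword:([0-9a-f]{8})", data, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", data)
    return int(m.group(0)) if m else None


def check_posture(sections):
    """Return [(rule, detail)] for the tampering indicators seen in this report."""
    findings = []
    for key, lines in sections.items():
        k = key.lower()
        values = {}  # lower-cased value name -> raw data
        for ln in lines:
            m = VALUE_RE.match(ln)
            if m:
                values[m.group("name").lower()] = m.group("data")
        if k.endswith("\\security center"):
            # 1 means "user monitors this": Security Center stops warning when AV/firewall is off.
            for name in ("antivirusoverride", "firewalloverride"):
                if reg_int(values.get(name, "")) == 1:
                    findings.append(("security-center-override", name))
        elif "\\security center\\monitoring\\" in k:
            if reg_int(values.get("disablemonitoring", "")) == 1:
                findings.append(("security-center-monitoring-disabled", key.rsplit("\\", 1)[-1]))
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if reg_int(values.get("enablefirewall", "")) == 0:
                findings.append(("firewall-disabled", "standardprofile"))
        elif k.endswith("\\globallyopenports\\list"):
            for ln in lines:  # keep the original value name, e.g. 3389:TCP
                m = VALUE_RE.match(ln)
                if m:
                    findings.append(("port-globally-open", m.group("name")))
        elif "\\winlogon\\notify\\" in k:
            # Notify packages load into winlogon.exe as SYSTEM; ComboFix already
            # hides the default ones, so anything it lists deserves a look.
            for ln in lines:
                m = DLL_RE.search(ln)
                if m:
                    findings.append(("winlogon-notify-dll", m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, detail in check_posture(parse_reg_dump(SAMPLE_COMBOFIX)):
        print(f"{rule:<38} {detail}")
```

Treat the output as review items, not verdicts: some third-party suites set the Security Center overrides themselves, and a machine running RaidenFTPD and a No-IP client may well have had its firewall and port exceptions changed on purpose. The Winlogon Notify DLL is the one line that needs no context, since the report itself shows the same file loaded inside winlogon.exe.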
joelw23
Seemed to get rid of it, but now "Antivirus 2008 PRO" shows up...

Help please!
joelw23
Now I ran Malwarebytes.

Malwarebytes' Anti-Malware 1.19
Database version: 913
Windows 5.1.2600 Service Pack 3

8:53:24 AM 7/2/2008
mbam-log-7-2-2008 (08-53-24).txt

Scan type: Quick Scan
Objects scanned: 43892
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 11
Registry Keys Infected: 30
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 5
Files Infected: 28

Memory Processes Infected:
C:\Documents and Settings\Joel\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\egntbmff.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyaBQgF.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\kgqfweltbnk.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\Resources\RomSetup.dll (Trojan.Clicker) -> Unloaded module successfully.
C:\WINDOWS\Resources\VoidUnknown.dll (Trojan.Clicker) -> Unloaded module successfully.
C:\WINDOWS\system32\nnnOETKE.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\xxyxWQKC.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yaywVpQH.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c1934623-3d0f-4396-919d-23791ca5d12e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c1934623-3d0f-4396-919d-23791ca5d12e} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0201c323-0ba0-4d5e-a140-142d435b04c7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{29aceee1-3186-428d-acc0-61dd50ab0dc5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2a2eace7-a8f9-4617-8b24-2f9a1ae75131} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e9053081-cc70-433f-bcb2-4686ccae2dc5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\etlrlws.btpv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\etlrlws.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76525548-f642-4771-b487-4f98ef4cd704} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{91b0e0fe-2457-4de2-9d1b-88d8f28aa2b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6126d77b-9ad6-4daf-b219-9bc05f1fca5f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e859dcc4-2549-4667-9e0d-cbcb6f2fcc78} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e859dcc4-2549-4667-9e0d-cbcb6f2fcc78} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d03fe5f-7e1c-49a9-8319-ca1e6c96d598} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9c84f3e1-be66-4ac6-85ed-fb0913344c5e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6374a4b4-45ba-4718-9972-e56a8912ed9e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d18aa24-d2b0-40e6-baf0-7d6c5ed8afff} (Trojan.Clicker) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{06cf086b-49f5-4733-b20f-11d73fa3991d} (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{28220052-d9a9-44b1-ab98-edc594d238b6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28220052-d9a9-44b1-ab98-edc594d238b6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnoetke (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{56f0f7ef-992e-4e1d-b635-b5e8bb25a122} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d57687cc-8981-4bd0-8ad2-2cc5a9004ec4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.bges (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6086b841 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\okmdepgb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6374a4b4-45ba-4718-9972-e56a8912ed9e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\RomSetup (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\VoidUnknown (Trojan.Clicker) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{28220052-d9a9-44b1-ab98-edc594d238b6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\axrfgvek (Trojan.FakeAlert) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyabqgf -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Backdoor.Agent) -> Data: c:\windows\system32\xxyabqgf -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joel\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xxyaBQgF.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\FgQBayxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FgQBayxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\egntbmff.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ffmbtnge.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Joel\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\kgqfweltbnk.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joel\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\WINDOWS\Resources\RomSetup.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\Resources\VoidUnknown.dll (Trojan.Clicker) -> Delete on reboot.
C:\WINDOWS\system32\nnnOETKE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxyxWQKC.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yaywVpQH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\mrvtdpqe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Joel\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joel\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
TheJoker
Hi joelw23, and Welcome to SWI

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

O3 - Toolbar: nqgpedlr - {6374A4B4-45BA-4718-9972-E56A8912ED9E} - C:\WINDOWS\nqgpedlr.dll
O4 - HKLM\..\Run: [6086b841] rundll32.exe "C:\WINDOWS\system32\dmsaysxe.dll",b
O4 - HKLM\..\Run: [lphcvetj0ec9g] C:\WINDOWS\system32\lphcvetj0ec9g.exe
O4 - HKLM\..\Run: [SMrhcretj0ec9g] C:\Program Files\rhcretj0ec9g\rhcretj0ec9g.exe
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O21 - SSODL: okmdepgb - {29ACEEE1-3186-428D-ACC0-61DD50AB0DC5} - C:\WINDOWS\okmdepgb.dll
O21 - SSODL: axrfgvek - {56F0F7EF-992E-4E1D-B635-B5E8BB25A122} - C:\WINDOWS\axrfgvek.dll


Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.
Disconnect from the Internet (pull the connection cable) <-- Important
Close Symantec AntiVirus and any anti-spyware applications you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

QUOTE
File::
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\kgqfweltbnk.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\system32\nnnOETKE.dll

Driver::
uisp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28220052-D9A9-44B1-AB98-EDC594D238B6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E859DCC4-2549-4667-9E0D-CBCB6F2FCC78}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6374A4B4-45BA-4718-9972-E56A8912ED9E}"=-
[-HKEY_CLASSES_ROOT\clsid\{6374a4b4-45ba-4718-9972-e56a8912ed9e}]
[-HKEY_CLASSES_ROOT\nqgpedlr.1]
[-HKEY_CLASSES_ROOT\TypeLib\{9C84F3E1-BE66-4AC6-85ED-FB0913344C5E}]
[-HKEY_CLASSES_ROOT\nqgpedlr]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{28220052-D9A9-44B1-AB98-EDC594D238B6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnOETKE]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69b8e2c1-bf43-11db-af5d-806d6172696f}]



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After the system restarts, your antivirus should be running again.
If it isn't, restart it manually.
Reconnect to the Internet.

Please go to VirusTotal and submit the following file for a scan and post the results in your next reply:
C:\Program Files\RaidenFTPD\r.exe

Please post a new HijackThis log, the results of scanning the file at VirusTotal, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.
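The CFScript in the post above is assembled by hand from the Malwarebytes log: the entries MBAM could only mark "Delete on reboot" are copied into File:: and Registry:: directives so ComboFix can remove them before the DLLs get loaded again. The Python script below is an added example (it is not TheJoker's script and not part of ComboFix) that does the same mechanically, so long key paths and CLSIDs are copied rather than retyped. It assumes the directive syntax shown in the post ([-key] removes a key, "value"=- removes a value), that full hive names are accepted in place of the tilde shorthand the post uses, and that a Folder:: directive exists beside File::; the sample log is a handful of lines copied from the MBAM log earlier in this thread. One caveat is built in on purpose: the LSA "Notification Packages" / "Authentication Packages" hits are REG_MULTI_SZ values shared with legitimate packages (scecli, msv1_0), so a "value"=- line would wipe the whole value and break logon. The script refuses to emit those and lists them for manual pruning instead.

```python
"""Turn a Malwarebytes (MBAM) log into a ComboFix CFScript.

Added example for this thread, not the helper's own script. It lifts the items
MBAM could only mark "Delete on reboot" into File:: / Folder:: / Registry::
directives using the syntax shown in the post above ([-key] removes a key,
"value"=- removes a value). Assumed: full hive names are accepted instead of
the tilde (~) shorthand, and Folder:: is accepted beside File::.
"""
import re

# Constructed sample: lines copied from the MBAM log earlier in this thread.
SAMPLE_MBAM_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{28220052-d9a9-44b1-ab98-edc594d238b6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0201c323-0ba0-4d5e-a140-142d435b04c7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnoetke (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{28220052-d9a9-44b1-ab98-edc594d238b6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6086b841 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Backdoor.Agent) -> Data: c:\windows\system32\xxyabqgf -> Delete on reboot.

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nnnOETKE.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\mrvtdpqe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(Registry Keys|Registry Values|Registry Data Items|Folders|Files) Infected:$")
# "path (family) -> [Data: x -> ]action."  The family never contains parentheses,
# so a greedy path survives a "(x86)" inside a Program Files path.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?:Data: (?P<data>.+?) -> )?(?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, data, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line) if section else None
        if m:
            entries.append({"section": section, **m.groupdict()})
    return entries


def select_targets(entries, only_pending=True):
    """Split detections into CFScript files, folders, registry lines and skips.

    only_pending keeps just the "Delete on reboot" items, i.e. the ones MBAM
    could not remove because the module was still loaded.
    """
    files, folders, regs, skipped = [], [], [], []
    for e in entries:
        if only_pending and not e["action"].lower().startswith("delete on reboot"):
            continue
        sec = e["section"]
        if sec == "Files":
            files.append(e["path"])
        elif sec == "Folders":
            folders.append(e["path"])
        elif sec == "Registry Keys":
            regs.append(f"[-{e['path']}]")
        elif sec == "Registry Values":
            key, _, value = e["path"].rpartition("\\")
            regs.append(f"[{key}]")
            regs.append(f'"{value}"=-')
        else:
            # Registry Data Items are the LSA multi-string values; "=-" would
            # delete the whole value (and the legitimate packages in it), so
            # the rogue entry has to be pruned by hand.
            skipped.append(e)
    dedupe = lambda seq: list(dict.fromkeys(seq))
    return dedupe(files), dedupe(folders), dedupe(regs), skipped


def render_cfscript(files, folders, regs):
    """Emit the directive blocks in the layout ComboFix expects."""
    out = []
    for header, items in (("File::", files), ("Folder::", folders), ("Registry::", regs)):
        if items:
            out.append(header)
            out.extend(items)
            out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    files, folders, regs, skipped = select_targets(parse_mbam_log(SAMPLE_MBAM_LOG))
    print(render_cfscript(files, folders, regs))
    for e in skipped:
        print(f"# MANUAL: remove '{e['data']}' from {e['path']} with regedit, keep the other packages")
```

Run it, paste the output into Notepad as CFScript.txt exactly as the post describes, and handle the MANUAL lines with regedit before the reboot; everything else (disconnecting from the network, closing Symantec, not clicking the ComboFix window) is unchanged.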
joelw23
ComboFix 08-06-30.2 - Joel 2008-07-08 19:10:46.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1083 [GMT -5:00]
Running from: C:\Documents and Settings\Joel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\axrfgvek.dll
C:\WINDOWS\kgqfweltbnk.dll
C:\WINDOWS\mrvtdpqe.exe
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\system32\nnnOETKE.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\kgqfweltbnk.dll
C:\WINDOWS\nqgpedlr.dll
C:\WINDOWS\okmdepgb.dll
C:\WINDOWS\resources\RomSetup.dll
C:\WINDOWS\resources\VoidUnknown.dll
C:\WINDOWS\system32\egntbmff.dll
C:\WINDOWS\system32\FgQBayxx.ini
C:\WINDOWS\system32\FgQBayxx.ini2
C:\WINDOWS\system32\nnnOETKE.dll
C:\WINDOWS\system32\xxyaBQgF.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_uisp


((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-02 13:09 . 2008-07-02 13:09 <DIR> d-------- C:\Program Files\nanoPEG for WinTV
2008-07-02 13:09 . 2006-12-28 13:12 290,816 --a------ C:\WINDOWS\system32\hcwzblast.dll
2008-07-02 13:09 . 2007-03-28 07:16 90,175 --a------ C:\WINDOWS\system32\hcwblast.ocx
2008-07-02 13:09 . 2007-03-28 07:15 65,603 --a------ C:\WINDOWS\system32\hcwIRblast.dll
2008-07-02 13:09 . 2005-07-28 13:33 40,960 --a------ C:\WINDOWS\system32\GButton.ocx
2008-07-02 13:09 . 2004-10-06 14:03 248 --a------ C:\WINDOWS\HCWBlast.ini
2008-07-02 13:08 . 2007-02-19 16:30 46,488 --a------ C:\WINDOWS\system32\HCWTVServer.tlb
2008-07-02 13:07 . 2007-06-01 11:01 397,312 --a------ C:\WINDOWS\system32\HCWChMgr.ocx
2008-07-02 13:07 . 2006-07-21 15:07 176,197 --a------ C:\WINDOWS\system32\hcwmux.ax
2008-07-02 13:07 . 2007-05-01 12:13 168,007 --a------ C:\WINDOWS\system32\HCWPsiParser.ax
2008-07-02 13:07 . 2007-04-02 16:27 159,744 --a------ C:\WINDOWS\system32\hcwChDB.dll
2008-07-02 13:07 . 2006-10-12 11:28 139,264 --a------ C:\WINDOWS\system32\hcwdvbsubtitles.ax
2008-07-02 13:07 . 2004-09-10 15:58 94,208 --a------ C:\WINDOWS\system32\hcwsstereo.ax
2008-07-02 13:07 . 2006-04-06 13:46 65,536 --a------ C:\WINDOWS\system32\hcwNowNext.ax
2008-07-02 13:07 . 2006-03-28 17:38 57,344 --a------ C:\WINDOWS\system32\HCWdlace.ax
2008-07-02 13:07 . 2006-09-13 11:13 23,304 --a------ C:\WINDOWS\system32\HcwChDB.tlb
2008-07-02 08:40 . 2008-07-02 08:40 <DIR> d-------- C:\Documents and Settings\Joel\Application Data\Malwarebytes
2008-07-02 08:40 . 2008-07-02 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-02 08:40 . 2008-06-28 14:23 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-02 08:40 . 2008-06-28 14:23 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-02 08:18 . 2008-07-02 08:25 <DIR> d-------- C:\WINDOWS\system32\734914
2008-07-02 08:18 . 2008-07-02 08:53 28,288 --------- C:\WINDOWS\system32\xxyxWQKC.dll
2008-07-02 08:05 . 2008-07-02 08:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-07-02 03:00 . 2008-07-02 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-01 22:47 . 2008-07-08 18:41 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-01 17:05 . 2008-07-01 22:32 94,208 --a------ C:\WINDOWS\system32\31.tmp
2008-07-01 16:34 . 2008-07-01 16:34 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-01 16:26 . 2008-07-01 16:30 94,208 --a------ C:\WINDOWS\system32\F.tmp
2008-07-01 16:12 . 2008-07-01 16:12 <DIR> d-------- C:\Documents and Settings\Joel\Application Data\Nero
2008-07-01 16:05 . 2008-07-01 16:08 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-01 16:05 . 2008-07-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-06-27 14:03 . 2008-07-01 11:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WholeSecurity
2008-06-18 15:39 . 2008-06-18 15:39 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2008-06-18 15:38 . 2008-06-18 15:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Findley Designs
2008-06-11 00:46 . 2008-06-13 06:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:46 . 2008-05-08 09:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 10:14 . 2008-06-10 10:16 <DIR> d-------- C:\Documents and Settings\Joel\Application Data\rockbox.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 00:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-08 23:31 --------- d-----w C:\Program Files\RaidenFTPD
2008-07-08 19:37 --------- d-----w C:\Documents and Settings\Joel\Application Data\uTorrent
2008-07-02 18:08 --------- d-----w C:\Program Files\WinTV
2008-07-02 13:55 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-01 20:16 --------- d-----w C:\Program Files\Common Files\Ahead
2008-06-30 15:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-28 18:46 --------- d-----w C:\Program Files\Safari
2008-06-27 19:03 --------- d-----w C:\Program Files\PayPal
2008-06-26 18:22 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-26 12:34 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-19 18:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 13:01 --------- d-----w C:\Program Files\Coupons
2008-05-21 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-14 13:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 13:30 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 13:30 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 13:30 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 13:30 --------- d-----w C:\Program Files\Symantec
2008-05-09 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2007-12-13 12:56 81,920 ----a-w C:\Documents and Settings\Joel\Application Data\ezpinst.exe
2007-12-13 12:56 47,360 ----a-w C:\Documents and Settings\Joel\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-07-02_ 7.26.39.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-02 12:11:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-09 00:23:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2006-05-08 14:54:42 69,632 ----a-w C:\WINDOWS\system32\3DES.dll
+ 2006-01-25 22:38:22 69,632 ----a-w C:\WINDOWS\system32\3DES.dll
- 2004-10-14 16:53:06 90,190 ----a-w C:\WINDOWS\system32\Bt848WST.DLL
+ 2004-01-26 19:49:00 90,190 ----a-w C:\WINDOWS\system32\Bt848WST.DLL
+ 2008-04-14 00:11:56 47,616 -c--a-w C:\WINDOWS\system32\dllcache\iyuv_32.dll
+ 2008-04-13 19:16:36 141,056 -c--a-w C:\WINDOWS\system32\dllcache\ks.sys
+ 2008-04-14 00:12:02 16,896 -c--a-w C:\WINDOWS\system32\dllcache\msyuv.dll
+ 2008-04-14 00:12:08 53,760 -c--a-w C:\WINDOWS\system32\dllcache\vfwwdm32.dll
- 2007-02-06 18:27:02 185,728 ----a-r C:\WINDOWS\system32\drivers\hcwPP2.sys
+ 2006-08-15 20:18:10 177,152 ----a-w C:\WINDOWS\system32\drivers\hcwPP2.sys
- 1999-04-27 06:26:10 11,264 ----a-w C:\WINDOWS\system32\hcwhook.dll
+ 1999-04-27 21:26:10 11,264 ----a-w C:\WINDOWS\system32\hcwhook.dll
- 2005-12-22 22:13:56 94,264 ----a-w C:\WINDOWS\system32\hcwi2c32.dll
+ 2007-01-19 16:34:58 98,360 ----a-w C:\WINDOWS\system32\hcwi2c32.dll
- 2006-01-20 14:42:20 229,432 ----a-w C:\WINDOWS\system32\hcwpnp32.dll
+ 2007-04-12 16:49:46 258,104 ----a-w C:\WINDOWS\system32\hcwpnp32.dll
- 2001-07-19 14:44:06 393,216 ----a-w C:\WINDOWS\system32\hcwsnbd9.dll
+ 2001-07-19 13:44:06 393,216 ----a-w C:\WINDOWS\system32\hcwsnbd9.dll
- 2003-11-07 18:45:18 106,559 ----a-w C:\WINDOWS\system32\hcwTVDlg.dll
+ 2003-11-07 17:45:18 106,559 ----a-w C:\WINDOWS\system32\hcwTVDlg.dll
- 2006-04-21 21:37:54 639,049 ----a-w C:\WINDOWS\system32\hcwtvwnd.dll
+ 2007-06-01 15:59:26 749,641 ----a-w C:\WINDOWS\system32\hcwtvwnd.dll
- 2004-06-08 06:03:40 36,921 ----a-w C:\WINDOWS\system32\hcwutl32.dll
+ 2004-06-08 05:03:40 36,921 ----a-w C:\WINDOWS\system32\hcwutl32.dll
- 2006-07-21 19:50:32 66,048 ----a-r C:\WINDOWS\system32\hcwXDS.dll
+ 2006-07-21 19:50:34 66,048 ----a-w C:\WINDOWS\system32\hcwXDS.dll
- 2008-04-14 00:11:55 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
+ 2008-04-14 00:11:56 47,616 ----a-w C:\WINDOWS\system32\iyuv_32.dll
- 2008-03-25 01:21:00 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2008-03-25 01:21:00 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-07-02 14:24:44 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-04-14 00:12:45 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
+ 2008-04-14 00:12:46 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
- 2008-04-14 00:12:01 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
+ 2008-04-14 00:12:02 16,896 ----a-w C:\WINDOWS\system32\msyuv.dll
- 2008-05-21 13:18:24 71,966 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-02 13:41:25 71,966 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-21 13:18:25 442,860 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-02 13:41:25 442,860 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-02-06 18:27:02 185,728 ----a-r C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\DriverA2\hcwPP2.sys
+ 2006-07-21 19:50:32 66,048 ----a-r C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\DriverA2\hcwXDS.dll
+ 2008-04-14 00:11:55 47,616 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\iyuv_32.dll
+ 2008-04-13 19:16:36 141,056 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\ks.sys
+ 2008-04-14 00:11:56 4,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\ksuser.dll
+ 2008-04-14 00:12:45 294,912 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\msh263.drv
+ 2008-04-14 00:12:01 16,896 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\msyuv.dll
+ 2001-08-18 03:36:34 8,192 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\tsbyuv.dll
+ 2008-04-14 00:12:08 53,760 ----a-w C:\WINDOWS\system32\ReinstallBackups\0031\DriverFiles\i386\vfwwdm32.dll
- 2008-07-02 12:12:08 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
+ 2008-07-09 00:24:26 16,384 --sha-w C:\WINDOWS\Temp\Cookies\index.dat
- 2008-07-02 12:12:08 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-07-09 00:24:26 16,384 --sha-w C:\WINDOWS\Temp\History\History.IE5\index.dat
+ 2008-07-09 00:24:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_9e4.dat
+ 2008-07-09 00:27:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_cfc.dat
- 2008-07-02 12:12:08 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-07-09 00:24:26 32,768 --sha-w C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2005-09-23 06:35:10 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0ee63867\vcomp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"Orb"="H:\Orb\bin\OrbTray.exe" [2008-05-13 20:29 507904]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12 131072]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12 90112]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 16:22 3739648]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 18:08 813912]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 16:15 1261475]
"RemoteControl"="h:\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="H:\Itunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 01:25 115560]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 17:14 570664]
"NBKeyScan"="H:\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="H:\Picasa2\PicasaMediaDetector.exe" [2007-09-27 20:17 443968]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 03:18 437160]

C:\Documents and Settings\Joel\Start Menu\Programs\Startup\
No-IP Duct.lnk - H:\No-IP\DUC20.exe [2007-03-05 13:48:02 1172992]
r.exe.lnk - C:\Program Files\RaidenFTPD\r.exe [2007-02-19 10:01:08 4763648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - H:\WinTV\Ir.exe [2007-10-24 16:57:40 106551]
Logitech SetPoint.lnk - H:\Logitech\SetPoint\SetPoint.exe [2007-07-25 07:43:50 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=C:\WINDOWS\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Joel^Start Menu^Programs^Startup^palmOne Registration.lnk]
path=C:\Documents and Settings\Joel\Start Menu\Programs\Startup\palmOne Registration.lnk
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 17:52 3770024 H:\TomTom HOME\TomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"H:\\utorrent.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe"=
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"I:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"I:\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"H:\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\kontiki\\KService.exe"=
"H:\\FlashFXP\\FlashFXP.exe"=
"H:\\Itunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"H:\\Orb\\bin\\Orb.exe"=
"H:\\Orb\\bin\\OrbTray.exe"=
"H:\\Orb\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 HauppaugeTVServer;HauppaugeTVServer;C:\PROGRA~1\WinTV\HCWTVS~1.EXE [2007-02-20 15:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2007-05-29 13:55]
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 SIUSBXP;SIUSBXP;C:\WINDOWS\system32\drivers\SiUSBXp.sys [2007-03-01 13:11]
S3 ultradfg;ultradfg;C:\WINDOWS\system32\DRIVERS\ultradfg.sys [2007-12-05 01:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021c7ee-c0e4-11db-bdb1-005056c00008}]
\Shell\AutoRun\command - L:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55a810a2-d635-11db-b854-000129d2ec15}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60b359ca-d0b5-11db-b851-000129d2ec15}]
\Shell\AutoRun\command - L:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E555}]
F:\SlySoft\AnyDVD 6.3.0.0\AnyDVD leftover killer 1.3.exe -M
.
Contents of the 'Scheduled Tasks' folder
"2008-07-05 02:34:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-09 00:26:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 19:25:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
H:\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\AVG Anti-Spyware 7.5\guard.exe
H:\iPod Access for Windows\iPAHelper.exe
C:\Program Files\kontiki\KService.exe
H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
H:\Orb\bin\Orb.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\PROGRA~1\WinTV\HCBE33~1.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-07-08 19:42:41 - machine was rebooted [Joel]
ComboFix-quarantined-files.txt 2008-07-09 00:42:29
ComboFix2.txt 2008-07-02 12:28:10

Pre-Run: 1,457,459,200 bytes free
Post-Run: 1,444,724,736 bytes free

329 --- E O F --- 2008-07-02 08:00:26
joelw23
Logfile of HijackThis v1.99.1
Scan saved at 8:40:37 PM, on 7/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
H:\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\AVG Anti-Spyware 7.5\guard.exe
H:\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Kontiki\KService.exe
H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\IoctlSvc.exe
H:\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
H:\Orb\bin\Orb.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
H:\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
H:\Itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
H:\WinTV\Ir.exe
C:\PROGRA~1\WinTV\HCWTVS~1.EXE
H:\Logitech\SetPoint\SetPoint.exe
H:\No-IP\DUC20.exe
C:\Program Files\RaidenFTPD\r.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
H:\Mozilla Firefox\firefox.exe
H:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - H:\FlashFXP\IEFlash.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] h:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "H:\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "H:\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Startup: No-IP Duct.lnk = H:\No-IP\DUC20.exe
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O4 - Global Startup: AutoStart IR.lnk = H:\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = H:\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.netflix.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8194E061-414F-4F72-904E-1581462A7890}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - H:\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: OrbMediaService - Orb Networks - H:\Orb\bin\OrbMediaService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

joelw23
C:\Program Files\RaidenFTPD\r.exe

This is a program that I installed... so it's safe... it's an FTP program.
TheJoker
I failed to mention that your version of HijackThis is outdated.
Please download the current version of HijackThis:
http://www.trendsecure.com/portal/en-US/th...p?page=download
Please save it in a convenient permanent folder such as C:\HJT\,
and be sure the next log is with the newer version.

QUOTE
C:\Program Files\RaidenFTPD\r.exe

This is a program that I installed... so it's safe... it's an FTP program.

I thought that's what it was, but could you please still scan it at VirusTotal anyway and post the results? That information will help me submit information on the file so others will also recognize it as a safe program.

Please disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Save the file to your Desktop.
Disconnect from the Internet (pull the connection cable) <-- Important
Close Symantec AntiVirus and any anti-spyware application you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

QUOTE
Driver::
PsSdk30

File::
C:\WINDOWS\system32\xxyxWQKC.dll
C:\WINDOWS\system32\31.tmp
C:\WINDOWS\system32\F.tmp

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4021c7ee-c0e4-11db-bdb1-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{55a810a2-d635-11db-b854-000129d2ec15}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60b359ca-d0b5-11db-b851-000129d2ec15}]



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After the system restarts, your antivirus program should be running again.
If it isn't, restart it manually.
Reconnect to the Internet.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Please post a new HijackThis log (with the current version), the log from ESET's online scan, the results of scanning r.exe at VirusTotal, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.
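The triage being done by hand in the reply above (asking about a Startup-folder launcher, a service with no publisher, a "(file missing)" entry, and what changed between two logs) can be scripted. The following is an added example, not code from this thread, from HijackThis or from ComboFix: it parses the R/O entries of two HijackThis logs, reports what changed between runs, and groups entries by the reasons a helper usually asks about. The log excerpts embedded below are copied from the two logs posted in this thread; the single O20 line is constructed (only the DLL name comes from the CFScript above) to exercise the random-name check, and the flag reasons are this example's own heuristics, not HijackThis output.

```python
"""Triage helpers for HijackThis logs (added example, not HijackThis/ComboFix code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Eight-letter names in system32 (xxyxWQKC.dll above is one) are a heuristic:
# a hit means "look at this", not "malware" (see nwprovau.dll below).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)

# Excerpts copied from the two HijackThis logs posted in this thread.
LOG_0708 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Orb] "H:\Orb\bin\OrbTray.exe" /background
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
LOG_0709 = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [Orb] "H:\Orb\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
# Constructed line, not from any log in the thread; only the DLL name is real
# (it is one of the files the CFScript above tells ComboFix to delete).
CONSTRUCTED_LINE = r"O20 - Winlogon Notify: xxyxWQKC - C:\WINDOWS\system32\xxyxWQKC.dll"


@dataclass(frozen=True)
class Entry:
    section: str  # "O4", "O23", ...
    body: str     # everything after "O4 - "

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Keep only the R/O entries; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"]))
    return entries


def _run_value(body: str) -> str | None:
    """Command part of an O4 Run entry written as '[name] cmd args'."""
    if "] " not in body:
        return None
    rest = body.split("] ", 1)[1]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:] if end < 0 else rest[1:end]
    return rest  # unquoted: arguments stay attached, harmless for a path test


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Group entry lines by the reason a helper would ask about them."""
    flagged: dict[str, list[str]] = {}

    def flag(reason: str, e: Entry) -> None:
        flagged.setdefault(reason, []).append(e.line())

    for e in entries:
        b = e.body
        if "(file missing)" in b:
            flag("file missing", e)
        if e.section == "O23" and "Unknown owner" in b:
            flag("service with no publisher", e)
        if e.section == "O4":
            if b.startswith(("Startup:", "Global Startup:")):
                flag("Startup-folder launcher", e)
            if "(User 'SYSTEM')" in b:
                flag("Run key in the SYSTEM hive", e)
            cmd = _run_value(b)
            if cmd and "\\" not in cmd and cmd.lower().endswith(".exe"):
                flag("bare filename resolved via search path", e)
        if e.section == "O10":
            flag("Winsock LSP", e)
        if RANDOM_DLL_RE.search(b):
            flag("random-looking system32 DLL", e)
    return flagged


def diff_logs(old: str, new: str) -> tuple[list[str], list[str]]:
    """(added, removed) entry lines between two logs of the same machine."""
    before = {e.line() for e in parse_hjt(old)}
    after = {e.line() for e in parse_hjt(new)}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    added, removed = diff_logs(LOG_0708, LOG_0709)
    print("new since 07-08:", *added, sep="\n  ")
    print("gone since 07-08:", *removed, sep="\n  ")
    for reason, lines in triage(parse_hjt(LOG_0709 + "\n" + CONSTRUCTED_LINE)).items():
        print(f"{reason}:", *lines, sep="\n  ")
```

Run on the two excerpts, the diff shows the 07-09 log gained the HKUS Picasa entry, the O10 LSP line and a resolved xpnetdiag path, and lost the "(file missing)" xpnetdiag entry. The flag list is a review queue, not a verdict: nwprovau.dll, Microsoft's NetWare provider, trips the eight-letter heuristic just as the constructed xxyxWQKC line does, and KHALMNPR.EXE is flagged only because it is launched by bare name and so resolved through the search path. Each hit still needs the kind of check asked for above (publisher, VirusTotal result, vendor documentation) before anything is removed.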
joelw23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:52, on 2008-07-09
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
H:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
H:\iPod Access for Windows\iPAHelper.exe
C:\Program Files\Kontiki\KService.exe
H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
H:\Orb\bin\OrbMediaService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
H:\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\ctfmon.exe
H:\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
H:\Itunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
H:\WinTV\Ir.exe
H:\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\svchost.exe
H:\No-IP\DUC20.exe
C:\Program Files\RaidenFTPD\r.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
H:\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
H:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - H:\FlashFXP\IEFlash.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] h:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "H:\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "H:\Ahead\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "H:\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] H:\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] H:\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: No-IP Duct.lnk = H:\No-IP\DUC20.exe
O4 - Startup: r.exe.lnk = C:\Program Files\RaidenFTPD\r.exe
O4 - Global Startup: AutoStart IR.lnk = H:\WinTV\Ir.exe
O4 - Global Startup: Logitech SetPoint.lnk = H:\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.netflix.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8194E061-414F-4F72-904E-1581462A7890}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPAHelper.exe - Unknown owner - H:\iPod Access for Windows\iPAHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - H:\Ahead\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: OrbMediaService - Orb Networks - H:\Orb\bin\OrbMediaService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9425 bytes
joelw23
ESET scanner update failed, so I couldn't scan...
joelw23
It's working now... I'll post the log shortly.
TheJoker
I'm glad you got it working. I'll be looking for the log. smile.gif
joelw23
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3260 (20080710)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5731a2986a18304cb272f51b6cbb9bb4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-07-11 04:49:46
# local_time=2008-07-10 11:49:46 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=668588
# found=0
# scan_time=10648
TheJoker
I have a question about this file again
C:\Program Files\RaidenFTPD\r.exe

You said:
QUOTE
This is a program that I installed... so it's safe... it's an FTP program.

Do you have a web site reference and the site you downloaded it at?
From the folder name, it would appear to be RaidenFTPD, but from their manual, the executable for that would appear to be RaidenFTPD.EXE, and it can't be renamed:
http://www.raidenftpd.com/en/raiden-ftpd-d...raidenftpd.html

I did find reference to a file named r.exe as being a trojan:
http://www.bleepingcomputer.com/startups/r.exe-11707.html
http://www.castlecops.com/startuplist-10489.html
Invision Power Board © 2001-2008 Invision Power Services, Inc.