• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
quaf069

Virus

34 posts in this topic

Hello,

 

I've had issues with virsus recently (Trojan popups on Avira Antivir). However, Malwarebytes didn't detect anything. I ran combofix and it seemed to clear the issue. However, since then (over the course of two weeks) my computer has been slowing.

 

I also get the following .dll messages after booting up into windows

 

c:\windows\opovufepovax.dll

c:\windows\modpfsc.dll

 

"modules cannot be found"

 

 

Here is my Hijackthis log:

 

----------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:58:52 AM, on 23/06/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

c:\program files\aol\aim toolbar 5.0\AolTbServer.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\loader.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smss.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Kzocetomi] rundll32.exe "C:\WINDOWS\opovufepovax.dll",Startup

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [Dgamoqosiho] rundll32.exe "C:\WINDOWS\modpfsc.dll",Startup

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10130 bytes

 

 

 

 

Any help would be appreciated..

 

Thanks

Quaf

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

 

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Hi,

I'm nasdaq and will be helping you.

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll (file missing)

O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O4 - HKLM\..\Run: [Kzocetomi] rundll32.exe "C:\WINDOWS\opovufepovax.dll",Startup

O4 - HKCU\..\Run: [Dgamoqosiho] rundll32.exe "C:\WINDOWS\modpfsc.dll",Startup

 

Click on Fix Checked when finished and exit HijackThis.

 

  • Restart your computer in Safe Mode, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

 

Delete these files in bold if found.

 

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\loader.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smss.exe

 

Restart the computer normally.

===

 

Please run this security check for my review.

 

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

===

 

Submit a fresh HijackThis log.

 

Let me know what problem persists.

Share this post


Link to post
Share on other sites

Hey Nasdaq,

 

Thanks for your help. Unchecked the hijack items you said. Didn't see

 

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\loader.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\smss.exe

 

(although i'm not sure what folders it would exactly be in? documents and settings?)

 

...here's my log for the security:

 

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 2

Out of date service pack!!

Internet Explorer 6 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

Avira AntiVir Personal - Free Antivirus

Antivirus up to date!

```````````````````````````````

Anti-malware/Other Utilities Check:

Ad-Aware

Malwarebytes' Anti-Malware

HijackThis 2.0.2

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10.0.32.18

Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

````````````````````````````````

DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

 

``````````End of Log````````````

 

 

 

Thanks

Quaf

Share this post


Link to post
Share on other sites

Run this tool. All file in a Temp\ folder will be deleted.

 

Clean your Temporary files/Folders.

 

Download TFC to your desktop

  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.

===

 

Support for Windows XP Service Pack 2 ends 13/07/2010

http://support.microsoft.com/lifecycle/?LN=en-gb&C2=1173

 

For continued support get the Service Pack 3.

 

http://windows.microsoft.com/en-us/windows/help/learn-how-to-install-windows-xp-service-pack-3-sp3

===

 

Internet Explorer 6 Out of date!

For your added security you should update to Version 8.

===

 

Please download JavaRa

 

If you get this message:

Problems with the download? Please use this direct link or try another mirror.

 

Select the Direct link download unzip it to your Desktop.

 

Double click JavaRa.exe then click Remove Older Versions.

 

Follow any prompts; a log will popup (JavaRa.log)-- please post the contents of this log.

 

Next, open JavaRa.exe again, and select Search For Updates.

 

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 20 (JDK or JRE). On the right select this one Download JRE..

===

 

Again for your Security make sure you update.

Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!

===

 

Submit a fresh HijackThis log.

 

Let me know what issues remains.

Share this post


Link to post
Share on other sites

Hey Nasdaq,

 

I ran TFC and everything seemed ok...but now I cannot open firefox. I keep getting:

 

"Firefox is already running but not responding. To open a new window, you must first close the existing firefox process or restart your system."

 

However when going into task manger under processes, I don't see it running. What do you suggest I do now to get firefox working (I'm typing from another computer)?

 

Thanks

 

Quaf

Share this post


Link to post
Share on other sites

Mozilla Thunderbird running?

 

Can you delete Thunderbird or Firefox from the Add/Remove program list.

 

Then reinstall the one you want.

 

Run HijackThis and click on Open the Misc Tools section.

In the next window, click on Open Uninstall Manager...

In the final window, click on Save list... and save it to your Desktop.

Copy and paste this file: uninstall_list.txt into your next reply.

Share this post


Link to post
Share on other sites

nasdaq,

 

-Thunderbird was working fine

-I reinstalled Firefox...seems to be ok...

 

Here is the uninstall list...

 

ABC (remove only)

Acronis True Image Home

Ad-Aware SE Professional

Adobe Acrobat 7.0 Professional

Adobe Bridge 1.0

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop CS2

Adobe Stock Photos 1.0

AIM 6

AIM Toolbar 5.0

America's Army

America's Army Deploy Client

Apple Software Update

ATI Control Panel

ATI Decoder

ATI Display Driver

ATI HYDRAVISION

ATI Multimedia Center 9.01

ATI Remote Wonder 2.3

AudioCatalyst

Avira AntiVir Personal - Free Antivirus

C-Media WDM Audio Driver

Diskeeper Professional Edition

DVD Decrypter (Remove Only)

DVD Shrink 3.2

DVDFab HD Decrypter 4.1.2.0

FileZilla Client 3.0.5.2

Finale NotePad 2008

FlashGet(JetCar)

HijackThis 2.0.2

HP Image Zone 4.7

HP PSC & OfficeJet 4.7

HP Software Update

IrfanView (remove only)

J2SE Runtime Environment 5.0 Update 3

Java 6 Update 7

Kaspersky Online Scanner

K-Lite Codec Pack 4.4.2 (Full)

LimeWire 4.18.3

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 SP1

Microsoft .NET Framework 2.0

Microsoft Office FrontPage 2003

Microsoft Office Professional Edition 2003

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Mozilla Firefox (3.6.6)

Mozilla Thunderbird (2.0.0.24)

MSN Messenger 7.0

MWSnap 3

Nero 6 Ultra Edition

Netscape (7.2)

Nostromo Array Programming Software

NVIDIA Drivers

Pdf995

Pinnacle Hollywood FX 5

PowerDVD

PunkBuster Services

QuickTime Alternative 1.81

Realtek AC'97 Audio

Red Eye Remover 2.0

Registry Workshop

Serials 2000 7.1+

SmartSound Quicktracks Plugin

Studio 9

Studio 9.4 Patch

Studio Content DVD

Ventrilo Client

VideoLAN VLC media player 0.8.4a

Web Photo Album 1.1

Winamp (remove only)

Windows Media Encoder 9 Series

Windows Media Encoder 9 Series

Windows Media Format Runtime

Windows Media Player 10

WinRAR archiver

XingMP3 Player

 

Thanks for your help.....

 

Quaf

Share this post


Link to post
Share on other sites

Nice work.

 

Delete this old version of Java Via the Add/Remove Programs list.

J2SE Runtime Environment 5.0 Update 3

Share this post


Link to post
Share on other sites

Hey Nasdaq,

 

Thanks for the help thus far. Today got a trojan popup on my antivir guard (unsure if this was still lingering from the last issue)....

 

Saw this ill.exe running in my processes and it was taking up a ton of memory. All sorts of weird things began to happen, from not being able to open programs (got error messages popping up telling me there was an infection and I couldn't open them), to not being able to load webpages...

 

I was able to run hijackthis in safe mode.....

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:16 PM, on 05/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [{CC3F55A8-BFD5-5D12-CA5B-0DCBD3D2E1B1}] "C:\Documents and Settings\Administrator\Application Data\Fivu\uxdy.exe"

O4 - HKCU\..\Run: [EWABQAF7KL] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10283 bytes

 

 

Thanks in advance

Quaf

Share this post


Link to post
Share on other sites

Hi,

I'm nasdaq and will be helping you.

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O4 - HKCU\..\Run: [{CC3F55A8-BFD5-5D12-CA5B-0DCBD3D2E1B1}] "C:\Documents and Settings\Administrator\Application Data\Fivu\uxdy.exe"

O4 - HKCU\..\Run: [EWABQAF7KL] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete these files/folders in bold if found.

 

Folder

C:\Documents and Settings\Administrator\Application Data\Fivu\

 

File

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

===

 

Secure your system by updating 3rd party programs.

 

ADOBE - Reader and Flash Players vulnerabilities.

 

Visit Link to ADOBE and download the latest version of Acrobat Reader.

Having the latest updates ensures there are no security vulnerabilities in your system.

 

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions.

I suggest you install version 9.3 - see link to Security Advisory... below.

http://www.adobe.com/support/downloads/detail.jsp?ftpID=4607

 

Latest Security Advisory for Adobe Reader and Acrobat

http://www.adobe.com/support/security/bulletins/apsb10-07.html

http://krebsonsecurity.com/2010/06/adobe-warns-of-critical-flaw-in-flash-acrobat-reader/

 

===

 

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger.

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

 

Latest Security update available for Adobe Flash Player

http://www.adobe.com/support/security/bulletins/apsb10-14.html

 

===

 

Vulnerabilities in Adobe Shockwave Player could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609, using the link provided below.

http://get.adobe.com/shockwave/

===

 

Submit a fresh HijackThis log.

 

Let me know what issues remains.

Share this post


Link to post
Share on other sites

Hey Nasdaq...

 

 

Followed your instructions and updated the adobe reader and flash....here is an updated hijackthis. Things seem to be better..will give it a couple of days!

 

Thanks for all your help!

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:52:22 PM, on 06/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\RunOnce: [uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [{CC3F55A8-BFD5-5D12-CA5B-0DCBD3D2E1B1}] "C:\Documents and Settings\Administrator\Application Data\Fivu\uxdy.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10760 bytes

Share this post


Link to post
Share on other sites

This item is still listed on your log. It may have been fix it you have since restarter the computer.

 

Run HijackThis and check if it's still listed.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O4 - HKCU\..\Run: [{CC3F55A8-BFD5-5D12-CA5B-0DCBD3D2E1B1}] "C:\Documents and Settings\Administrator\Application Data\Fivu\uxdy.exe"

 

Click on Fix Checked when finished and exit HijackThis.

 

Make sure you restart the computer to complete the fix.

 

See my post No 5.

 

Make sure you download JavaRa and run it.

I still see an old version of Java that is vulnerable to infection.

====

 

Check with your Internet supplier and make sure you need the IP addresses. I suspect that are part of the old infection.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

 

Submit a fresh HijackThis log.

Share this post


Link to post
Share on other sites

Nasdaq,

 

Unchecked in Hijack this...Restarted. I did the JavaRa.

 

Still seeing Ill.exe...

 

Here is my latest Hijackthis

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:03:17 PM, on 07/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Misc\JavaRa.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [{CC3F55A8-BFD5-5D12-CA5B-0DCBD3D2E1B1}] "C:\Documents and Settings\Administrator\Application Data\Fivu\uxdy.exe"

O4 - HKCU\..\Run: [EWABQAF7KL] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

 

 

 

 

Nasdaq....unsure what you mean by the below...can you elaborate? Thanks!

 

 

Check with your Internet supplier and make sure you need the IP addresses. I suspect that are part of the old infection.

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

Share this post


Link to post
Share on other sites

Nasdaq,

 

I called my internet provider, they said I can delete the IP addresses. I did and here is the new log.....

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:06:53 PM, on 07/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10106 bytes

Share this post


Link to post
Share on other sites

Hey Nasdaq....still having issues...turned on the computer and Antivir popped up with TR/PCK.katusha.n.1798 Trojan

 

It say's its in C:documents and settings\administrator\local settings\temp\ill.exe

(i cannot seem to access this folder). I don't see a "local settings" folder within in my administrator folder.

how do i get to it?

 

I cannot open malewarebytes or internet explorer (says Internet Explorer Warning - visiting this web site may harm your computer when trying to open on google)....and its in my hijjack this again:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:28:40 AM, on 08/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Avira\AntiVir Desktop\GUARDGUI.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [EWABQAF7KL] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Ill.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A9C2CAD3-8C57-4736-A6C8-CFBADCC4B46C}: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.228,93.188.166.208

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10808 bytes

 

quaf

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

A Rootkit must be protecting or regeneraging the file.

 

The file may also be hidden.


  • Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

 

 

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 3 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

 

rkill.exe

rkill.com

rkill.scr

===

 

When done run Malwarebytes and submit a report if you can.

===

 

Let me see the results of this scan also.

 

Download ComboFix from one of these locations:

 

Link 1

Link 2

 

* IMPORTANT !!! Save ComboFix.exe to your Desktop

 

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
     
  • Double click on ComboFix.exe & follow the prompts.
     
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
     
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

 

RcAuto1.gif

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

whatnext.png

 

Click on Yes, to continue scanning for malware.

 

Under some rootkit infection you may have to restart the computer a few time, follow the instructions. If you see this message:

Rootkit_Found_TDL3.png

Make sure you copy the path and the filename correctly. Post it in your next message.

 

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply with a fresh HijackThis log.

 

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

 

Do not mouse click combofix's window while it's running. That may cause it to stall

Share this post


Link to post
Share on other sites

Thanks Nasdaq,,

 

I will be out of town until Sunday night (funeral) when i will walk through your instructions when I get back. Thanks for your help...I'll let you know

 

Quaf

Share this post


Link to post
Share on other sites

Nasdaq,

 

 

Followed all the instructions....here are my logs....

Maleware Bytes)

 

 

Malwarebytes' Anti-Malware 1.28

Database version: 1200

Windows 5.1.2600 Service Pack 2

 

12/07/2010 12:09:43 PM

mbam-log-2010-07-12 (12-09-43).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 109757

Time elapsed: 21 minute(s), 15 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

 

 

 

 

 

 

 

 

2) COMBO FIX:

 

 

 

omboFix 10-07-11.07 - Administrator 12/07/2010 12:15:45.38.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1535.1161 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat

c:\documents and settings\NetworkService\Local Settings\Application Data\cmdssrjwh

c:\documents and settings\NetworkService\Local Settings\Application Data\cmdssrjwh\ypxcbrctssd.exe

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

 

Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected

Restored copy from - Kitty had a snack :p

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\msgsvc.dll

 

c:\windows\system32\logonui.exe . . . is infected!!

 

.

((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))

.

 

2010-07-12 16:14 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\IQ79c17u.dll

2010-07-12 15:22 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1sK31g.dll

2010-07-08 11:41 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\93o79m17w.dll

2010-07-08 01:47 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll

2010-07-08 00:09 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\YWS31s.dll

2010-07-07 23:01 . 2010-07-07 23:01 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\msvcp71.dll

2010-07-07 23:01 . 2010-07-07 23:01 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\jmc.dll

2010-07-07 23:01 . 2010-07-07 23:01 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\msvcr71.dll

2010-07-07 23:01 . 2010-07-07 23:01 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-252ef817-n\decora-sse.dll

2010-07-07 23:01 . 2010-07-07 23:01 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-252ef817-n\decora-d3d.dll

2010-07-07 23:01 . 2010-07-07 23:01 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-07 22:57 . 2010-07-07 22:57 -------- d-----w- C:\Misc

2010-07-07 22:50 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\S1793yW9.dll

2010-07-07 22:46 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\e5aA5.dll

2010-07-07 01:46 . 2010-07-07 01:46 53632 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-07-07 01:46 . 2010-07-07 01:46 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-07 01:45 . 2010-07-07 01:46 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-07-07 01:45 . 2010-07-07 01:45 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-07-07 01:45 . 2010-07-07 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-06 02:03 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\55oC5.dll

2010-07-06 01:40 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\3sKU3mYW.dll

2010-07-06 01:37 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

2010-07-06 01:13 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\E31kUO17m.dll

2010-07-06 01:09 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79317g3.dll

2010-07-06 01:05 . 2010-07-06 01:05 50688 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\MY79o179.dll

2010-07-01 02:38 . 2010-07-01 02:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-06-19 01:33 . 2010-06-19 01:33 -------- d-----w- c:\program files\uTorrent

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 16:16 . 2008-12-25 07:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fivu

2010-07-12 15:45 . 2008-03-14 21:30 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-07-08 13:28 . 2008-02-02 16:50 -------- d-----w- c:\program files\Hijack this

2010-07-07 23:02 . 2008-01-12 02:58 -------- d-----w- c:\program files\Common Files\Java

2010-07-07 23:01 . 2008-01-12 02:58 -------- d-----w- c:\program files\Java

2010-07-07 22:50 . 2008-10-24 18:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Aggii

2010-07-07 01:57 . 2008-01-26 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2010-07-07 01:39 . 2008-01-12 02:52 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-28 12:55 . 2008-04-28 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC

2010-06-19 01:38 . 2008-01-16 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire

2010-06-10 21:46 . 2010-06-10 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-09 20:29 . 2010-06-01 17:53 120 ----a-w- c:\windows\Yvinu.dat

2010-06-09 08:06 . 2010-06-09 08:06 976832 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\28579\AdobeARM.exe

2010-06-09 08:06 . 2010-06-09 08:06 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\28579\AdobeExtractFiles.dll

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\28579\ReaderUpdater.exe

2010-06-09 08:06 . 2010-06-09 08:06 331176 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\28579\AcrobatUpdater.exe

2010-06-09 04:52 . 2010-06-01 17:53 0 ----a-w- c:\windows\Pqoqojafabi.bin

2009-08-11 15:54 . 2009-08-11 15:53 27917616 ----a-w- c:\program files\snagit.exe

2009-07-21 03:14 . 2009-07-21 03:14 1591808 ----a-w- c:\program files\SteamInstall.msi

2008-12-15 04:11 . 2008-12-15 04:11 234 ----a-w- c:\program files\WorldNowASX.asp

2008-07-30 14:08 . 2008-07-30 14:09 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe

2008-04-11 19:20 . 2008-01-15 02:28 1495112 ----a-w- c:\program files\install_flash_player.exe

2008-02-16 23:57 . 2008-02-16 23:57 779536 ----a-w- c:\program files\MoveMediaPlayer_07076007.exe

2002-01-23 21:36 . 2008-01-31 04:00 16384 ----a-w- c:\program files\MPEG-2.exe

2002-01-23 21:24 . 2008-01-31 04:00 647 ----a-w- c:\program files\Read_Me.txt

2000-03-29 23:18 . 2008-01-31 04:00 94208 ----a-w- c:\program files\Mpeg2Parser.ax

2000-03-29 23:18 . 2008-01-31 04:00 139264 ----a-w- c:\program files\Mpeg2Decoder.ax

.

 

((((((((((((((((((((((((((((( SnapShot@2009-09-08_19.22.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2010-07-12 16:25 . 2010-07-12 16:25 16384 c:\windows\Temp\Perflib_Perfdata_f0.dat

+ 2010-07-12 16:25 . 2010-07-12 16:25 16384 c:\windows\Temp\Perflib_Perfdata_4d4.dat

+ 2010-07-12 16:14 . 2010-07-12 16:14 16384 c:\windows\Temp\Perflib_Perfdata_42c.dat

+ 2002-12-31 12:00 . 2010-04-05 15:46 62460 c:\windows\system32\perfc009.dat

- 2002-12-31 12:00 . 2009-04-05 18:48 62460 c:\windows\system32\perfc009.dat

+ 2008-02-07 22:21 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2009-11-18 01:57 . 2009-03-30 15:33 96104 c:\windows\system32\drivers\avipbb.sys

+ 2009-11-18 01:57 . 2009-02-13 17:29 22360 c:\windows\system32\drivers\avgntmgr.sys

+ 2009-11-18 01:57 . 2009-12-08 14:18 56816 c:\windows\system32\drivers\avgntflt.sys

+ 2009-11-18 01:57 . 2009-02-13 17:17 45416 c:\windows\system32\drivers\avgntdd.sys

+ 2010-07-06 00:30 . 2010-07-06 00:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-12 02:41 . 2010-07-06 00:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-12 02:41 . 2009-05-30 23:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-07-06 00:30 . 2010-07-06 00:29 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2010-07-07 01:46 . 2010-07-07 01:46 24576 c:\windows\Installer\97b7c.msi

+ 2010-07-07 01:46 . 2010-07-07 01:46 28160 c:\windows\Installer\97b76.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2002-12-31 12:00 . 2010-04-05 15:46 401372 c:\windows\system32\perfh009.dat

- 2002-12-31 12:00 . 2009-04-05 18:48 401372 c:\windows\system32\perfh009.dat

+ 2010-07-07 01:46 . 2010-07-07 01:46 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe

+ 2010-07-07 23:01 . 2010-07-07 23:01 153376 c:\windows\system32\javaws.exe

+ 2010-07-07 23:01 . 2010-07-07 23:01 145184 c:\windows\system32\javaw.exe

+ 2008-08-06 20:48 . 2010-07-07 23:01 145184 c:\windows\system32\java.exe

+ 2009-11-18 01:54 . 2009-11-18 01:54 228352 c:\windows\Installer\7a9c0.msi

+ 2010-07-07 23:02 . 2010-07-07 23:02 180224 c:\windows\Installer\71249.msi

+ 2010-07-07 23:01 . 2010-07-07 23:01 677376 c:\windows\Installer\71243.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2010-07-07 01:46 . 2010-07-07 01:46 5612496 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2010-07-07 01:39 . 2010-07-07 01:39 3940352 c:\windows\Installer\97b70.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]

"nwiz"="nwiz.exe" [2006-06-01 1519616]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2002-12-31 176216]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]

"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2001-10-02 10752]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-11 25214]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-24 442368]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=

"c:\\Program Files\\Belkin\\Nostromo\\nost_LM.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/11/2009 9:57 PM 108289]

S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [23/07/2003 3:16 PM 22821]

.

Contents of the 'Scheduled Tasks' folder

 

2010-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm

IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y27phbbi.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.netscape.com/bookmark/7_2/home.html

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

.

------- File Associations -------

.

inifile=tyutr654fdbdte.exe %1

txtfile=tyutr654fdbdte.exe %1

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-12 12:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1993962763-1035525444-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(1628)

c:\program files\Belkin\Nostromo\nost_FSH.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\SOUNDMAN.EXE

c:\windows\system32\rundll32.exe

c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Executive Software\Diskeeper\DkService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\HPZinw12.exe

.

**************************************************************************

.

Completion time: 2010-07-12 12:27:36 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-12 16:27

ComboFix2.txt 2010-06-16 17:16

ComboFix3.txt 2010-06-09 21:17

ComboFix4.txt 2010-06-09 21:02

ComboFix5.txt 2010-07-12 16:11

 

Pre-Run: 36,974,100,480 bytes free

Post-Run: 37,001,490,432 bytes free

 

- - End Of File - - CF6B2E6C002EF33F2D937952DC304EDA

 

 

 

 

 

 

 

3)Fresh Hijackthis after running maleware and combofix:

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:44:38 PM, on 12/07/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Winamp\Winampa.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Belkin\Nostromo\nost_LM.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Executive Software\Diskeeper\DkService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Hijack this\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\p2cpzlrg.slt\prefs.js)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

 

--

End of file - 10232 bytes

 

 

 

FYI...things seem to be better...don't see ill.exe running in the processes.

 

I'm guessing we should give this a day or two to make sure all is well.

 

Thanks for all your help! Where do I go about making a donation?

 

Quaf

Share this post


Link to post
Share on other sites

c:\windows\system32\logonui.exe . . . is infected!!

Combofix was not able to find a backup copy on your hard disk.

 

Read this article.

http://windowshelp.net/windows-processes/logonui.exe.aspx

 

If the files was not modified by you or an IT personnel then it's infected.

Please rename name it c:\windows\system32\logonui.exe.old

 

Let me know if you have access to the XP installation disk with SP2 (Platform: Windows XP SP2) to find a replacement.

Or you may have to update to XP 3 to get a new one.

===

 

You need to change the file association with your .ini and .txt files

 

inifile=tyutr654fdbdte.exe %1

txtfile=tyutr654fdbdte.exe %1

That is wrong.

 

Find a .ini and a .txt file ( any such file.) Right click on the file and when asked what program to use when opening such file select NotePad.

<<<>>>

 

Open notepad and copy/paste the text in the quote box below into it:

 

File::
c:\windows\system32\Spool\prtprocs\w32x86\IQ79c17u.dll
c:\windows\system32\Spool\prtprocs\w32x86\1sK31g.dll
c:\windows\system32\Spool\prtprocs\w32x86\93o79m17w.dll
c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
c:\windows\system32\Spool\prtprocs\w32x86\YWS31s.dll
c:\windows\system32\Spool\prtprocs\w32x86\S1793yW9.dll
c:\windows\system32\Spool\prtprocs\w32x86\e5aA5.dll
c:\windows\system32\Spool\prtprocs\w32x86\55oC5.dll
c:\windows\system32\Spool\prtprocs\w32x86\3sKU3mYW.dll
c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
c:\windows\system32\Spool\prtprocs\w32x86\E31kUO17m.dll
c:\windows\system32\Spool\prtprocs\w32x86\79317g3.dll
c:\windows\system32\Spool\prtprocs\w32x86\MY79o179.dll

 

Save this as CFScript on your desktop.

 

CFScriptB-4.gif

 

Referring to the picture above, drag CFScript into ComboFix.exe

Then post the resultant log

===

 

Thanks for all your help! Where do I go about making a donation?

 

Click the Donation button on the bottom of the page.

Thank your for your support.

 

Keep me posted.

Share this post


Link to post
Share on other sites

Hey Nasdaq,

 

If I can't find the installation disck, can I copy the file from another computer I have that is running the same OS (same service pack too)?

 

 

 

Also, can you explain (in laymans terms) what you mean/is going on with the below:

 

 

 

 

You need to change the file association with your .ini and .txt files

 

inifile=tyutr654fdbdte.exe %1

txtfile=tyutr654fdbdte.exe %1

That is wrong.

 

Find a .ini and a .txt file ( any such file.) Right click on the file and when asked what program to use when opening such file select NotePad.

<<<>>>

 

Open notepad and copy/paste the text in the quote box below into it:

 

Code

 

File::

c:\windows\system32\Spool\prtprocs\w32x86\IQ79c17u.dll

c:\windows\system32\Spool\prtprocs\w32x86\1sK31g.dll

c:\windows\system32\Spool\prtprocs\w32x86\93o79m17w.dll

c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll

c:\windows\system32\Spool\prtprocs\w32x86\YWS31s.dll

c:\windows\system32\Spool\prtprocs\w32x86\S1793yW9.dll

c:\windows\system32\Spool\prtprocs\w32x86\e5aA5.dll

c:\windows\system32\Spool\prtprocs\w32x86\55oC5.dll

c:\windows\system32\Spool\prtprocs\w32x86\3sKU3mYW.dll

c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

c:\windows\system32\Spool\prtprocs\w32x86\E31kUO17m.dll

c:\windows\system32\Spool\prtprocs\w32x86\79317g3.dll

c:\windows\system32\Spool\prtprocs\w32x86\MY79o179.dll

 

 

 

Thanks Quaf

Share this post


Link to post
Share on other sites
If I can't find the installation disck, can I copy the file from another computer I have that is running the same OS (same service pack too)?

 

Yes but first rename the corrupt copy with a .old extension.

===

 

Also, can you explain (in laymans terms) what you mean/is going on with the below:

 

You need to change the file association with your .ini and .txt files

 

inifile=tyutr654fdbdte.exe %1

txtfile=tyutr654fdbdte.exe %1

That is wrong.

 

Find a .ini and a .txt file ( any such file.) Right click on the file and when asked what program to use when opening such file select NotePad.

<<<>>>

 

Open notepad and copy/paste the text in the quote box below into it:

 

Code

 

File::

c:\windows\system32\Spool\prtprocs\w32x86\IQ79c17u.dll

c:\windows\system32\Spool\prtprocs\w32x86\1sK31g.dll

c:\windows\system32\Spool\prtprocs\w32x86\93o79m17w.dll

c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll

c:\windows\system32\Spool\prtprocs\w32x86\YWS31s.dll

c:\windows\system32\Spool\prtprocs\w32x86\S1793yW9.dll

c:\windows\system32\Spool\prtprocs\w32x86\e5aA5.dll

c:\windows\system32\Spool\prtprocs\w32x86\55oC5.dll

c:\windows\system32\Spool\prtprocs\w32x86\3sKU3mYW.dll

c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

c:\windows\system32\Spool\prtprocs\w32x86\E31kUO17m.dll

c:\windows\system32\Spool\prtprocs\w32x86\79317g3.dll

c:\windows\system32\Spool\prtprocs\w32x86\MY79o179.dll

 

At the moment when you double click a .txt or .ini file are they opened correctly?

 

 

The File listed above in this folder are not needed.

c:\windows\system32\Spool\prtprocs\w32x86\

 

The fix with Combofix as suggested in my previous post will delete them.

 

Let me know if you need additional information.

Share this post


Link to post
Share on other sites

Hey Nasdaq,

 

Followed your instructions....here is my combofix log:

 

ComboFix 10-07-14.01 - Administrator 14/07/2010 17:19:35.39.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1535.982 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\system32\spool\prtprocs\w32x86\17oC17.dll

c:\windows\system32\spool\prtprocs\w32x86\1sK31g.dll

c:\windows\system32\spool\prtprocs\w32x86\3sKU3mYW.dll

c:\windows\system32\spool\prtprocs\w32x86\55oC5.dll

c:\windows\system32\spool\prtprocs\w32x86\79317g3.dll

c:\windows\system32\spool\prtprocs\w32x86\93o79m17w.dll

c:\windows\system32\spool\prtprocs\w32x86\E31kUO17m.dll

c:\windows\system32\spool\prtprocs\w32x86\e5aA5.dll

c:\windows\system32\spool\prtprocs\w32x86\IQ79c17u.dll

c:\windows\system32\spool\prtprocs\w32x86\MY79o179.dll

c:\windows\system32\spool\prtprocs\w32x86\S1793yW9.dll

c:\windows\system32\spool\prtprocs\w32x86\U7mY17.dll

c:\windows\system32\spool\prtprocs\w32x86\YWS31s.dll

 

Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\msgsvc.dll

 

c:\windows\system32\logonui.exe . . . is infected!!

 

.

((((((((((((((((((((((((( Files Created from 2010-06-14 to 2010-07-14 )))))))))))))))))))))))))))))))

.

 

2010-07-14 21:14 . 2002-12-31 12:00 2329088 ----a-w- c:\windows\system32\logonui.exe

2010-07-07 23:01 . 2010-07-07 23:01 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\msvcp71.dll

2010-07-07 23:01 . 2010-07-07 23:01 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\jmc.dll

2010-07-07 23:01 . 2010-07-07 23:01 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4027cb66-n\msvcr71.dll

2010-07-07 23:01 . 2010-07-07 23:01 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-252ef817-n\decora-sse.dll

2010-07-07 23:01 . 2010-07-07 23:01 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-252ef817-n\decora-d3d.dll

2010-07-07 23:01 . 2010-07-07 23:01 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-07 22:57 . 2010-07-07 22:57 -------- d-----w- C:\Misc

2010-07-07 01:46 . 2010-07-07 01:46 -------- d-----w- c:\program files\Common Files\Adobe AIR

2010-07-07 01:45 . 2010-07-07 01:46 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-07-07 01:45 . 2010-07-07 01:45 71680 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-07-07 01:45 . 2010-07-07 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-01 02:38 . 2010-07-01 02:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-06-19 01:33 . 2010-06-19 01:33 -------- d-----w- c:\program files\uTorrent

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 19:27 . 2008-03-14 21:30 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-07-12 16:44 . 2008-02-02 16:50 -------- d-----w- c:\program files\Hijack this

2010-07-12 16:16 . 2008-12-25 07:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Fivu

2010-07-07 23:02 . 2008-01-12 02:58 -------- d-----w- c:\program files\Common Files\Java

2010-07-07 23:01 . 2008-01-12 02:58 -------- d-----w- c:\program files\Java

2010-07-07 22:50 . 2008-10-24 18:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Aggii

2010-07-07 01:57 . 2008-01-26 19:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent

2010-07-07 01:39 . 2008-01-12 02:52 -------- d-----w- c:\program files\Common Files\Adobe

2010-06-28 12:55 . 2008-04-28 02:20 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC

2010-06-19 01:38 . 2008-01-16 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire

2010-06-10 21:46 . 2010-06-10 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-09 20:29 . 2010-06-01 17:53 120 ----a-w- c:\windows\Yvinu.dat

2010-06-09 04:52 . 2010-06-01 17:53 0 ----a-w- c:\windows\Pqoqojafabi.bin

2009-08-11 15:54 . 2009-08-11 15:53 27917616 ----a-w- c:\program files\snagit.exe

2009-07-21 03:14 . 2009-07-21 03:14 1591808 ----a-w- c:\program files\SteamInstall.msi

2008-12-15 04:11 . 2008-12-15 04:11 234 ----a-w- c:\program files\WorldNowASX.asp

2008-07-30 14:08 . 2008-07-30 14:09 5697032 ----a-w- c:\program files\wmvfirefoxpluginsetup_3.1f.exe

2008-04-11 19:20 . 2008-01-15 02:28 1495112 ----a-w- c:\program files\install_flash_player.exe

2008-02-16 23:57 . 2008-02-16 23:57 779536 ----a-w- c:\program files\MoveMediaPlayer_07076007.exe

2002-01-23 21:36 . 2008-01-31 04:00 16384 ----a-w- c:\program files\MPEG-2.exe

2002-01-23 21:24 . 2008-01-31 04:00 647 ----a-w- c:\program files\Read_Me.txt

2000-03-29 23:18 . 2008-01-31 04:00 94208 ----a-w- c:\program files\Mpeg2Parser.ax

2000-03-29 23:18 . 2008-01-31 04:00 139264 ----a-w- c:\program files\Mpeg2Decoder.ax

.

 

((((((((((((((((((((((((((((( SnapShot@2009-09-08_19.22.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll

+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll

+ 2010-07-14 21:25 . 2010-07-14 21:25 16384 c:\windows\Temp\Perflib_Perfdata_5e4.dat

+ 2010-07-14 21:25 . 2010-07-14 21:25 16384 c:\windows\Temp\Perflib_Perfdata_5bc.dat

+ 2010-07-14 12:09 . 2010-07-14 12:09 16384 c:\windows\Temp\Perflib_Perfdata_574.dat

+ 2002-12-31 12:00 . 2010-04-05 15:46 62460 c:\windows\system32\perfc009.dat

- 2002-12-31 12:00 . 2009-04-05 18:48 62460 c:\windows\system32\perfc009.dat

+ 2008-02-07 22:21 . 2009-05-11 15:12 28520 c:\windows\system32\drivers\ssmdrv.sys

+ 2009-11-18 01:57 . 2009-03-30 15:33 96104 c:\windows\system32\drivers\avipbb.sys

+ 2009-11-18 01:57 . 2009-02-13 17:29 22360 c:\windows\system32\drivers\avgntmgr.sys

+ 2009-11-18 01:57 . 2009-12-08 14:18 56816 c:\windows\system32\drivers\avgntflt.sys

+ 2009-11-18 01:57 . 2009-02-13 17:17 45416 c:\windows\system32\drivers\avgntdd.sys

+ 2010-07-06 00:30 . 2010-07-06 00:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-01-12 02:41 . 2010-07-06 00:29 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-01-12 02:41 . 2009-05-30 23:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-07-07 01:46 . 2010-07-07 01:46 24576 c:\windows\Installer\97b7c.msi

+ 2010-07-07 01:46 . 2010-07-07 01:46 28160 c:\windows\Installer\97b76.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll

+ 2008-07-29 08:54 . 2008-07-29 08:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll

+ 2002-12-31 12:00 . 2010-04-05 15:46 401372 c:\windows\system32\perfh009.dat

- 2002-12-31 12:00 . 2009-04-05 18:48 401372 c:\windows\system32\perfh009.dat

+ 2010-07-07 01:46 . 2010-07-07 01:46 231888 c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe

+ 2010-07-07 23:01 . 2010-07-07 23:01 153376 c:\windows\system32\javaws.exe

+ 2010-07-07 23:01 . 2010-07-07 23:01 145184 c:\windows\system32\javaw.exe

+ 2008-08-06 20:48 . 2010-07-07 23:01 145184 c:\windows\system32\java.exe

+ 2009-11-18 01:54 . 2009-11-18 01:54 228352 c:\windows\Installer\7a9c0.msi

+ 2010-07-07 23:02 . 2010-07-07 23:02 180224 c:\windows\Installer\71249.msi

+ 2010-07-07 23:01 . 2010-07-07 23:01 677376 c:\windows\Installer\71243.msi

+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll

+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll

+ 2010-07-07 01:46 . 2010-07-07 01:46 5612496 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2002-12-31 12:00 . 2002-12-31 12:00 2329088 c:\windows\system32\logonui.old.exe

+ 2010-07-07 01:39 . 2010-07-07 01:39 3940352 c:\windows\Installer\97b70.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 196608]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]

"nwiz"="nwiz.exe" [2006-06-01 1519616]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2002-12-31 176216]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]

"SoundMan"="SOUNDMAN.EXE" [2004-02-09 65024]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-06-01 86016]

"WinampAgent"="c:\program files\Winamp\Winampa.exe" [2001-10-02 10752]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-11 339968]

"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-16 69705]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2002-12-31 15360]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-1-11 25214]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

Loadout Manager.lnk - c:\program files\Belkin\Nostromo\nost_LM.exe [2003-6-24 442368]

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\jusched.exe"=

"c:\\Program Files\\Belkin\\Nostromo\\nost_LM.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

 

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [17/11/2009 9:57 PM 108289]

S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [23/07/2003 3:16 PM 22821]

.

Contents of the 'Scheduled Tasks' folder

 

2010-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Download All by FlashGet - c:\progra~1\FlashGet\jc_all.htm

IE: Download using FlashGet - c:\progra~1\FlashGet\jc_link.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y27phbbi.default\

FF - prefs.js: browser.startup.homepage - hxxp://home.netscape.com/bookmark/7_2/home.html

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

 

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-14 17:25

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_USERS\S-1-5-21-1993962763-1035525444-1801674531-500\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(2676)

c:\program files\Belkin\Nostromo\nost_FSH.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\SOUNDMAN.EXE

c:\windows\system32\rundll32.exe

c:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Executive Software\Diskeeper\DkService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\HPZipm12.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-07-14 17:28:00 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-14 21:27

ComboFix2.txt 2010-07-12 16:27

ComboFix3.txt 2010-06-16 17:16

ComboFix4.txt 2010-06-09 21:17

ComboFix5.txt 2010-07-14 21:18

 

Pre-Run: 36,991,737,856 bytes free

Post-Run: 36,961,316,864 bytes free

 

- - End Of File - - 1145988918C09C28293437B776AC5350

 

I copied the longonui.exe file from another computer into my system32 folder, but combofix still says its infected. I ran combofix twice and it still said it was infected. Also, I noticed that both times when i ran combofix I got:

 

"Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected

Restored copy from - c:\windows\erdnt\cache\msgsvc.dll "

 

It keeps getting infected, even though its being restored each time?

 

Thanks

Quaf

Share this post


Link to post
Share on other sites

Lets check the files.

 

Please submit the files in bold to the following link for a scan, then post the results in your next message for me to see.

http://virusscan.jotti.org/

 

 

c:\windows\system32\msgsvc.dll

 

c:\windows\system32\logonui.exe

Share this post


Link to post
Share on other sites

Hey Nasdaq....I never even got a chance to do your instructions. Everything seemed ok...then all of a sudden my Avira poppped up with a notification from an vrius that got on my own website ( I talked to my provider and they said it was hijacked and removed the malicious code). I hit quarantine...then My comupter shut down and I got the blue screen of death. I cannot boot windows at all. I just get a problem has been detected and windows has been shut down to prevent damage to my computer. Trying to boot in safe mode or last known configuration just brings be back to the same blue screen with the error on it.

 

I get A STOP ERROR: 0X0000007E (0XC00000005, 0X897E5963, 0XF78CE84B, 0XF78CE5B0)

 

 

I thought maybe there was a hardware issue (bad memory or the HDD crashed), but I checked the memory and was ok. I was going to do a reinstall.

 

However, the following then occured. My wife was on her netbook (running windows xp) looking up information on rasberries and Avira popped up about some java update. The same thing then happened. I'm getting the s STOP: 0X0000007E error on her netbook now and can't do anything.

 

(0XC00000005, 0X8599EDAC, 0XF7AA4C10, 0XF7AA490C)

 

Could I be dealing with a virus that is now on my home network? How do I get rid of that?

 

I'm typing to you from my wife's desktop (still working ok for now)

 

Would you have any insight on to my next course of action?

 

Thanks

Quaf

Share this post


Link to post
Share on other sites

There could be a worm that changes some of the operating files.

It did happen with the files replaced by ComboFix.

 

Have a look at this Microsoft article.

How to troubleshoot a Stop 0x0000007E error in Windows XP

 

You may be promted to fix it, I tried it and I was, I decline because I was just looking for the error message.

 

I must admit that it's stange that both of the computers are experiencing similar STOP issues.

 

It could mean that your router is infected.

 

 

Run this scan on both computer.

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

 

If the other computer is infected please start a new topic for your wife's computer.

Let me know the topic link and I will expedite the matter.

Share this post


Link to post
Share on other sites

Nasdaq,

 

Thanks for the quick reply...I did read the article..a bit confusing. Alot of their resolutions seem to be based on me getting into windows. I can't get past the blue screen on either my computer or my wife's netbook.

 

How do I get past the blue screen error?

 

quaf

Share this post


Link to post
Share on other sites

  • Restart your computer in Safe Mode, start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
  • When the Windows Advanced Options menu appears, select an option, and then press ENTER.
  • When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

 

If you can select Safe Mode with Internet support/connection.

Share this post


Link to post
Share on other sites

Nasdaq,

 

Thanks for all the help. I couldn't boot windows on either computer...safe mode...last known configuration...it would all take me back to the stop error.

 

- For my desktop I restored an old image of my system (I have my computer partitioned so my data is all still there) via acronis and everything is ok. Just have to reinstall some software.

 

- For the netbook I called acer and was able to do a windows restore (ALT + F11 at bootup) that also saved my files!

 

Everything seems to be running well at this point (although I'm not sure how this problem got so out of control or what the last issue was that gave me the stop error). You mentioned about my router can be infected. Any way to test that? Thanks for all your help.

 

Quaf

Share this post


Link to post
Share on other sites
You mentioned about my router can be infected. Any way to test that?

 

When the router was installed did you protect it with a password?

If not it may be at risk.

 

If you have a linksys router have a look a this article.

http://www.ehow.com/how_2188502_reset-password-linksys-router.html

Share this post


Link to post
Share on other sites

Update ComboFix.

 

Run the tool and you should be asked to update.

 

Run it and submit the results.

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0