
Thread: Gots me some Virtumode. Help please!

  1. #1
    Junior Member Meshyf's Avatar
    Join Date
    Feb 2009
    Posts
    6

    Gots me some Virtumode. Help please!

    Here is the HJT log. Let me know if I messed something up.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:50:12 PM, on 1/02/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20935)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\mmm.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [PowerTweaK Menu] C:\WINDOWS\system32\mmm.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: prio.dll mmvqro.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 5403 bytes

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello Meshyf

    Welcome to Safer Networking.

    Please read Before You Post
    That said, all advice given by anyone volunteering here is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


    Do a few things for me please.

    You need to enable windows to Show All Files and Folders.
    Instructions Here


    Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see.

    C:\WINDOWS\system32\mmm.exe <--- This file

    Please download Malwarebytes' Anti-Malware from Here or Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member Meshyf's Avatar
    Join Date
    Feb 2009
    Posts
    6


    I wasn't sure if you wanted the VirusTotal report or not, so I'll start with that.

    File unknown received on 01.28.2009 18:55:13 (CET)
    Current status: finished
    Result: 4/39 (10.26%)
    Antivirus Version Last Update Result
    a-squared - - -
    AhnLab-V3 - - -
    AntiVir - - -
    Authentium - - -
    Avast - - -
    AVG - - -
    BitDefender - - -
    CAT-QuickHeal - - (Suspicious) - DNAScan
    ClamAV - - -
    Comodo - - -
    DrWeb - - -
    eSafe - - -
    eTrust-Vet - - -
    F-Prot - - -
    F-Secure - - -
    Fortinet - - -
    GData - - -
    Ikarus - - -
    K7AntiVirus - - Trojan.Win32.Malware.1
    Kaspersky - - -
    McAfee - - -
    McAfee+Artemis - - -
    Microsoft - - -
    NOD32 - - -
    Norman - - -
    nProtect - - -
    Panda - - -
    PCTools - - -
    Prevx1 - - -
    Rising - - -
    SecureWeb-Gateway - - Win32.Malware.gen (suspicious)
    Sophos - - -
    Sunbelt - - VIPRE.Suspicious
    Symantec - - -
    TheHacker - - -
    TrendMicro - - -
    VBA32 - - -
    ViRobot - - -
    VirusBuster - - -
    Additional information
    MD5: c464fee5a2ffe71e9a25d8ebe3d43ac4
    SHA1: cbd0ae8d981bbfd2a0b4f75af2ec1761c4ef5a73
    SHA256: 434b91d1378cc9e5dfd76c0e6fa70a8bc4644d3530302d8520b1261f061405fd

    And now the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.33
    Database version: 1721
    Windows 5.1.2600 Service Pack 3

    3/02/2009 11:26:04 AM
    mbam-log-2009-02-03 (11-26-01).txt

    Scan type: Quick Scan
    Objects scanned: 50007
    Time elapsed: 3 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 3
    Registry Keys Infected: 16
    Registry Values Infected: 2
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\cbXPjIbX.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\erkvll.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\xxywTJCU.dll (Trojan.Vundo) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{379ddd0f-34e9-4247-bfd3-24cb408c8a63} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{379ddd0f-34e9-4247-bfd3-24cb408c8a63} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxywtjcu (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78e5384e-b50a-4beb-ad4a-a16f11db0ca0} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{78e5384e-b50a-4beb-ad4a-a16f11db0ca0} (Trojan.Vundo.H) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78e5384e-b50a-4beb-ad4a-a16f11db0ca0} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{379ddd0f-34e9-4247-bfd3-24cb408c8a63} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38228c41 (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\cbxpjibx -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxpjibx -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\cbXPjIbX.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\XbIjPXbc.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\XbIjPXbc.ini2 (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\xxywTJCU.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\erkvll.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\jvqlahov.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\vohalqvj.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\arrarc.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\mmvqro.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\ftlqwnfg.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\gfdaopqu.dll (Trojan.Vundo) -> No action taken.
    C:\WINDOWS\system32\xlochbnd.dll (Trojan.Vundo) -> No action taken.
    C:\Users\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DU87IM4F\index[1] (Trojan.Vundo) -> No action taken.
    C:\Users\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MXIR0WD8\upd105320[1] (Trojan.Vundo) -> No action taken.
    C:\Users\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R52MTWTB\divx20[1] (Trojan.Vundo) -> No action taken.

    It asked for a restart and another scan and didn't come up with any viruses. So it must have gotten them all.

    Finally, the HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:36:39 AM, on 3/02/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20935)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exea
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\mmm.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [PowerTweaK Menu] C:\WINDOWS\system32\mmm.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O20 - AppInit_DLLs: prio.dll erkvll.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 5809 bytes



    Thank you for your assistance in advance.

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208


    Hello,

    Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


    If you or a systems administrator set these, then leave them be; otherwise fix them.
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

    Fix this
    O20 - AppInit_DLLs: prio.dll erkvll.dll


    You have two files that I am concerned about. Let's run ComboFix and see if it removes them; if not, we will deal with them later.


    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    Your system may start up slower after running ATF Cleaner. This is expected, but it will be back to normal after the first or second boot up.
    Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.
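As an added example (not code from the thread, and not from HijackThis, Malwarebytes or ComboFix), the Python below does mechanically what the helper's posts #2 and #4 do by eye: it parses HijackThis entry lines, diffs the two logs posted in this thread to show that the O20 AppInit_DLLs entry changed from mmvqro.dll to erkvll.dll after the Malwarebytes run, and checks the DLL names listed there against the Malwarebytes "Files Infected" paths. The log excerpts and file list are copied from the thread's own posts; the function names are my own.

```python
"""Diff two HijackThis logs and cross-check AppInit_DLLs against a scanner's
file list. Added example; the inputs below are excerpts of the logs posted
in this thread, not constructed data."""
import re
from typing import Dict, List, Tuple

# Excerpt of the first HijackThis log in the thread (post #1).
HJT_BEFORE = """\
O4 - HKLM\\..\\Run: [PowerTweaK Menu] C:\\WINDOWS\\system32\\mmm.exe
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - AppInit_DLLs: prio.dll mmvqro.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# Excerpt of the second log (post #3), taken after the Malwarebytes run.
HJT_AFTER = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [PowerTweaK Menu] C:\\WINDOWS\\system32\\mmm.exe
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - AppInit_DLLs: prio.dll erkvll.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# Subset of the "Files Infected" paths from the Malwarebytes log in post #3.
MBAM_FILES = [
    r"C:\WINDOWS\system32\cbXPjIbX.dll",
    r"C:\WINDOWS\system32\erkvll.dll",
    r"C:\WINDOWS\system32\mmvqro.dll",
]

# A HijackThis entry line starts with a section code (R0..R3, F0..F3, O1..O24)
# followed by " - "; the header, process list and blank lines do not match.
ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) pairs for every HijackThis entry line."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def diff_hjt(before: str, after: str) -> Dict[str, List[Tuple[str, str]]]:
    """Entries present in only one of the two logs. An infection that
    re-creates itself under a new random file name shows up as a removed
    O20 line plus an added one, rather than disappearing."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def appinit_dlls(text: str) -> List[str]:
    """DLL names from O20 AppInit_DLLs entries. Every DLL listed there is
    loaded into each process that links user32.dll, so unknown names in
    this value deserve scrutiny."""
    dlls = []
    for code, body in parse_hjt(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls.extend(body.split(":", 1)[1].split())
    return dlls


def appinit_flagged_by_scanner(text: str, scanner_files: List[str]) -> List[str]:
    """AppInit DLLs whose file name also appears in the scanner's detection
    list (case-insensitive match on the base name)."""
    flagged = {p.rsplit("\\", 1)[-1].lower() for p in scanner_files}
    return [d for d in appinit_dlls(text) if d.lower() in flagged]


if __name__ == "__main__":
    for kind, entries in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for code, body in entries:
            print(f"{kind:8} {code} - {body}")
    print("AppInit DLLs flagged by scanner:",
          appinit_flagged_by_scanner(HJT_AFTER, MBAM_FILES))
```

Run against the two logs, the diff shows the O2 BHO line appearing and the O20 entry swapping mmvqro.dll for erkvll.dll, and the cross-check reports erkvll.dll as a DLL that Malwarebytes listed but that is still wired into AppInit_DLLs in the second log, which is the entry the helper asks to fix in post #4.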

  5. #5
    Junior Member Meshyf's Avatar
    Join Date
    Feb 2009
    Posts
    6


    COMBO FIX
    ComboFix 09-02-02.04 - Administrator 2009-02-03 23:34:58.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1643 [GMT -8:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\cmpssssv.ini
    c:\windows\system32\ksjpjvbh.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
    .

    2009-02-03 11:21 . 2009-02-03 11:21 <DIR> d-------- c:\users\All Users\Application Data\Malwarebytes
    2009-02-03 11:21 . 2009-02-03 11:21 <DIR> d-------- c:\users\Administrator\Application Data\Malwarebytes
    2009-02-03 11:21 . 2009-02-03 11:21 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-03 11:21 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-03 11:21 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-02-02 12:24 . 2009-02-02 12:28 <DIR> d-------- c:\program files\Common Files\Adobe
    2009-02-02 12:23 . 2009-02-02 12:23 <DIR> d-------- c:\users\Administrator\Application Data\DAEMON Tools Pro
    2009-02-02 12:23 . 2009-02-02 12:23 <DIR> d-------- c:\users\Administrator\Application Data\DAEMON Tools
    2009-02-02 12:23 . 2008-04-13 18:42 75,776 --a------ c:\windows\system32\OLD4DA.tmp
    2009-02-02 12:22 . 2009-02-02 12:22 <DIR> d-------- c:\users\All Users\Application Data\DAEMON Tools Lite
    2009-02-02 12:21 . 2009-02-02 12:23 <DIR> d-------- c:\users\Administrator\Application Data\DAEMON Tools Lite
    2009-02-02 12:21 . 2009-02-02 12:21 <DIR> d-------- c:\program files\DAEMON Tools Lite
    2009-02-01 23:49 . 2009-02-01 23:49 <DIR> d-------- c:\program files\Trend Micro
    2009-02-01 23:41 . 2009-02-01 23:42 <DIR> d-------- c:\program files\ERUNT
    2009-02-01 12:38 . 2009-02-01 12:38 95 --a------ c:\windows\wininit.ini
    2009-02-01 02:01 . 2009-02-03 13:22 4,096 --a------ c:\windows\system32\crash
    2009-01-31 04:14 . 2009-01-31 04:14 <DIR> d-------- c:\program files\Common Files\NSV
    2009-01-31 03:56 . 2009-01-31 03:56 <DIR> d-------- c:\program files\DEFCON
    2009-01-31 03:43 . 2009-01-31 03:43 <DIR> d-------- c:\program files\LG Electronics
    2009-01-31 03:43 . 2007-04-09 09:55 22,912 --a------ c:\windows\system32\drivers\lgusbmodem.sys
    2009-01-31 03:43 . 2007-04-09 09:56 21,248 --a------ c:\windows\system32\drivers\lgusbdiag.sys
    2009-01-31 03:43 . 2007-04-09 09:53 12,672 --a------ c:\windows\system32\drivers\lgusbbus.sys
    2009-01-31 01:53 . 2009-01-31 01:53 <DIR> d-------- c:\users\Administrator\Application Data\teamspeak2
    2009-01-31 01:53 . 2009-01-31 01:53 <DIR> d-------- c:\program files\Teamspeak
    2009-01-31 01:53 . 2009-01-31 01:53 34,064 --a------ c:\windows\system32\lhacm.acm
    2009-01-31 01:45 . 2009-01-31 01:45 <DIR> d-------- c:\users\Administrator\Application Data\Ventrilo
    2009-01-31 01:45 . 2009-01-31 01:45 <DIR> d-------- c:\program files\Ventrilo
    2009-01-31 01:44 . 2009-01-31 01:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-31 01:44 . 2009-01-31 01:45 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2009-01-31 01:30 . 2009-02-02 21:01 <DIR> d-------- c:\users\Administrator\Application Data\HPAppData
    2009-01-31 01:00 . 2009-01-31 01:17 <DIR> d-------- c:\users\Administrator\Application Data\ImgBurn
    2009-01-31 00:49 . 2009-01-31 00:49 <DIR> d-------- c:\program files\ImgBurn
    2009-01-30 14:09 . 2009-01-30 14:09 <DIR> d-------- c:\users\Administrator\Application Data\Nero
    2009-01-30 13:50 . 2009-01-30 13:50 <DIR> d-------- c:\program files\Common Files\Nero
    2009-01-30 12:42 . 2009-01-30 12:42 <DIR> d-------- c:\program files\MSXML 4.0
    2009-01-30 12:14 . 2009-02-02 14:11 <DIR> d-------- c:\users\Administrator\Application Data\uTorrent
    2009-01-30 12:14 . 2009-01-30 12:14 <DIR> d-------- c:\program files\uTorrent
    2009-01-29 10:51 . 2009-01-29 10:51 <DIR> d-------- c:\users\Administrator\Application Data\HP
    2009-01-29 10:45 . 2009-01-29 10:45 <DIR> d-------- c:\users\All Users\Application Data\HP Product Assistant
    2009-01-29 10:44 . 2009-01-29 10:44 <DIR> d-------- c:\users\All Users\Application Data\HP
    2009-01-29 10:43 . 2009-01-29 10:43 <DIR> d-------- c:\program files\Hewlett-Packard
    2009-01-29 10:43 . 2009-01-29 10:43 <DIR> d-------- c:\program files\Common Files\HP
    2009-01-29 10:43 . 2009-01-29 10:43 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
    2009-01-29 10:41 . 2009-01-29 10:41 <DIR> d-------- c:\windows\yellowtail
    2009-01-29 10:41 . 2007-11-06 18:04 1,373,528 -ra------ c:\windows\hpzshl01.exe
    2009-01-29 10:41 . 2007-11-06 18:15 1,140,056 -ra------ c:\windows\hpzmsi01.exe
    2009-01-29 10:41 . 2007-10-31 02:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll
    2009-01-29 10:41 . 2007-10-31 02:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll
    2009-01-29 10:41 . 2007-01-17 08:31 294,912 -ra------ c:\windows\system32\hpovst11.dll
    2009-01-29 10:41 . 2008-01-07 06:10 10,563 -ra------ c:\windows\hpwscr19.dat
    2009-01-29 10:40 . 2009-01-29 10:45 <DIR> d-------- c:\program files\HP
    2009-01-29 10:40 . 2008-04-13 13:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2009-01-29 10:37 . 2009-01-29 10:37 <DIR> d-------- c:\users\All Users\Application Data\Hewlett-Packard
    2009-01-29 10:37 . 2007-11-06 18:10 271,704 -ra------ c:\windows\system32\hpzids01.dll
    2009-01-29 10:37 . 2009-01-29 10:50 176,437 --a------ c:\windows\hpwins19.dat
    2009-01-29 10:37 . 2007-11-05 19:07 118,272 --a------ c:\windows\system32\hpz3l5mu.dll
    2009-01-29 10:37 . 2007-01-17 08:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
    2009-01-29 10:37 . 2007-01-17 08:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
    2009-01-29 10:37 . 2008-01-07 06:08 997 -ra------ c:\windows\hpwmdl19.dat
    2009-01-29 10:19 . 2009-01-29 10:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2009-01-29 10:19 . 2007-01-17 08:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll
    2009-01-29 10:19 . 2007-01-17 08:37 309,760 -ra------ c:\windows\system32\difxapi.dll
    2009-01-29 10:19 . 2007-01-17 08:37 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys
    2009-01-29 10:13 . 2008-04-13 13:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
    2009-01-29 01:33 . 2009-01-29 01:33 <DIR> d-------- c:\program files\BitPim
    2009-01-29 01:01 . 2009-01-29 01:01 <DIR> d-------- c:\users\Administrator\Application Data\Thunderbird
    2009-01-29 01:01 . 2009-01-29 01:01 <DIR> d-------- c:\users\Administrator\Application Data\Talkback
    2009-01-27 20:15 . 2008-04-12 23:42 363,520 --a------ c:\windows\system32\PsisDecd.dll
    2009-01-27 20:15 . 2008-04-12 23:42 56,832 --a------ c:\windows\system32\MSDvbNP.ax
    2009-01-27 20:15 . 2008-04-12 23:42 33,280 --a------ c:\windows\system32\PsisRndr.ax
    2009-01-27 20:15 . 2008-04-13 10:41 21,504 --a------ c:\windows\system32\hidserv.dll
    2009-01-27 20:15 . 2008-04-12 23:42 18,432 --a------ c:\windows\system32\BdaPlgIn.ax
    2009-01-27 20:15 . 2008-04-12 18:16 11,776 --a------ c:\windows\system32\drivers\BdaSup.sys
    2009-01-27 20:14 . 2008-04-13 05:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
    2009-01-27 20:13 . 2008-04-12 23:42 91,136 --a------ c:\windows\system32\kswdmcap.ax
    2009-01-27 20:13 . 2008-04-12 23:42 61,952 --a------ c:\windows\system32\kstvtune.ax
    2009-01-27 20:13 . 2008-04-12 23:42 57,344 --a------ c:\windows\system32\vfwwdm32.dll
    2009-01-27 20:13 . 2008-04-12 23:42 43,008 --a------ c:\windows\system32\ksxbar.ax
    2009-01-27 20:13 . 2008-04-12 23:42 28,672 --a------ c:\windows\system32\vidcap.ax
    2009-01-27 20:13 . 2009-01-27 20:13 0 --a------ c:\windows\ativpsrm.bin
    2009-01-27 20:12 . 2009-01-27 13:17 <DIR> d-------- c:\windows\system32\data
    2009-01-27 20:12 . 2001-08-16 18:46 6,400 --a------ c:\windows\system32\drivers\enum1394.sys
    2009-01-27 20:11 . 2008-04-13 13:49 146,048 --a------ c:\windows\system32\drivers\portcls.sys
    2009-01-27 20:11 . 2008-04-13 18:42 129,536 --a------ c:\windows\system32\ksproxy.ax
    2009-01-27 20:11 . 2008-04-13 10:42 83,456 --a------ c:\windows\system32\usbui.dll
    2009-01-27 20:11 . 2008-04-13 13:15 60,160 --a------ c:\windows\system32\drivers\drmk.sys
    2009-01-27 20:11 . 2008-04-13 05:06 42,368 --a------ c:\windows\system32\drivers\AGP440.SYS
    2009-01-27 20:11 . 2008-04-13 18:41 4,096 --a------ c:\windows\system32\ksuser.dll
    2009-01-27 20:06 . 2009-01-27 20:06 4,444 --a------ c:\windows\system32\pid.PNF
    2009-01-27 20:06 . 2009-01-27 10:33 1,374 --a------ c:\windows\imsins.BAK
    2009-01-27 20:05 . 2009-01-30 12:19 <DIR> dr------- c:\users\All Users\Documents
    2009-01-27 20:03 . 2009-02-03 12:47 <DIR> d-------- c:\windows\system32\CatRoot2
    2009-01-27 20:03 . 2009-01-27 12:25 <DIR> d-------- c:\windows\system32\CatRoot
    2009-01-27 20:03 . 2009-01-27 09:36 1,541,185 --a------ c:\windows\setupapi.log.0.old
    2009-01-27 20:03 . 2008-04-13 21:40 1,296,669 -ra------ c:\windows\SET3.tmp
    2009-01-27 20:03 . 2008-04-13 21:34 1,088,840 -ra------ c:\windows\SET4.tmp
    2009-01-27 20:03 . 2008-04-13 21:34 16,535 -ra------ c:\windows\SET7.tmp
    2009-01-27 20:01 . 2004-08-23 12:36 376,836 --a------ c:\windows\system32\drivers\cxfalcon.rom
    2009-01-27 20:01 . 2005-02-14 14:42 91,904 --a------ c:\windows\system32\drivers\AF2VCap.sys
    2009-01-27 20:01 . 2004-11-23 13:55 69,632 --a------ c:\windows\system32\colorcvt.ax
    2009-01-27 20:01 . 2004-11-11 13:11 65,536 --a------ c:\windows\system32\cxtvrate.dll
    2009-01-27 20:01 . 2004-11-11 13:11 57,344 --a------ c:\windows\system32\falctrl.ax
    2009-01-27 20:01 . 2004-11-09 12:22 13,837 --a------ c:\windows\system32\drivers\makoaud.rom
    2009-01-27 20:01 . 2004-08-02 07:58 13,235 --a------ c:\windows\system32\drivers\makoaudA.rom
    2009-01-27 20:01 . 2004-11-30 08:06 12,288 --a------ c:\windows\system32\CPDetect.ax
    2009-01-27 18:07 . 2009-01-27 18:07 <DIR> d-------- c:\users\All Users\Application Data\ATI
    2009-01-27 18:07 . 2009-01-27 18:07 <DIR> d-------- c:\users\Administrator\Application Data\ATI
    2009-01-27 18:02 . 2009-01-27 18:20 <DIR> d-------- c:\program files\ATI
    2009-01-27 13:46 . 2009-01-27 13:46 <DIR> d-------- c:\users\NetworkService\Application Data\Xfire
    2009-01-27 13:45 . 2009-02-03 23:19 <DIR> d-------- c:\users\Administrator\Application Data\Xfire
    2009-01-27 13:45 . 2009-01-30 23:33 <DIR> d-------- c:\program files\Xfire
    2009-01-27 13:39 . 2009-02-03 12:58 <DIR> d-------- c:\program files\Steam
    2009-01-27 13:32 . 2009-01-27 13:34 <DIR> d-------- c:\program files\Nero Burning ROM Portable
    2009-01-27 13:30 . 2009-02-03 23:13 <DIR> d-------- c:\program files\Mozilla Thunderbird
    2009-01-27 13:28 . 2009-01-27 13:28 <DIR> d-------- c:\users\All Users\Application Data\Apple Computer
    2009-01-27 13:28 . 2009-01-27 13:28 <DIR> d-------- c:\program files\QuickTime Alternative
    2009-01-27 13:28 . 2009-01-27 13:28 <DIR> d-------- c:\program files\Media Player Classic
    2009-01-27 13:27 . 2009-01-27 13:27 <DIR> d-------- c:\program files\iZotope
    2009-01-27 13:26 . 2009-01-27 13:28 <DIR> d-------- c:\users\Administrator\Application Data\Winamp
    2009-01-27 13:26 . 2009-01-27 13:27 <DIR> d-------- c:\program files\Winamp
    2009-01-27 13:19 . 2009-01-27 13:22 <DIR> d-------- c:\program files\Creative
    2009-01-27 13:03 . 2009-01-27 13:03 <DIR> d-------- c:\program files\XP Smoker
    2009-01-27 13:02 . 2009-01-27 13:02 <DIR> d-------- c:\users\All Users\Application Data\TuneUp Software
    2009-01-27 13:02 . 2009-01-27 13:02 <DIR> d-------- c:\users\Administrator\Application Data\TuneUp Software
    2009-01-27 13:02 . 2009-01-27 13:02 <DIR> d-------- c:\program files\TuneUp Utilities 2009

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-31 11:43 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-28 04:12 --------- d-----w c:\users\Administrator\Application Data\Creative
    2009-01-28 02:02 --------- d-----w c:\program files\ATI Technologies
    2009-01-27 21:18 444,952 ----a-w c:\windows\system32\wrap_oal.dll
    2009-01-27 21:18 109,080 ----a-w c:\windows\system32\OpenAL32.dll
    2009-01-27 21:02 603,904 ----a-w c:\windows\system32\TUProgSt.exe
    2009-01-27 21:02 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
    2009-01-27 17:52 --------- d-----w c:\program files\Common Files\InstallShield
    2009-01-27 17:51 --------- d-----w c:\program files\Common Files\ATI Technologies
    2009-01-27 17:49 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-01-27 17:45 --------- d-----w c:\program files\Xvid
    2009-01-27 17:45 --------- d-----w c:\program files\Universal Extractor
    2009-01-27 17:44 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-01-27 17:44 --------- d-----w c:\program files\Java
    2009-01-27 17:40 --------- d-----w c:\program files\Reference Assemblies
    2009-01-27 17:40 --------- d-----w c:\program files\MSBuild
    2009-01-27 17:37 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
    2009-01-27 17:36 --------- d-----w c:\program files\Alky for Applications
    2009-01-27 17:31 --------- d-----w c:\users\Administrator\Application Data\Xentient
    2009-01-27 17:31 --------- d-----w c:\program files\CCleaner
    2009-01-27 17:30 --------- d-----w c:\program files\Windows Media Connect 2
    2009-01-27 17:30 --------- d-----w c:\program files\Prio
    2009-01-27 17:29 --------- d-----w c:\program files\Utilities
    2009-01-27 17:29 --------- d-----w c:\program files\Unlocker
    2009-01-27 17:29 --------- d-----w c:\program files\TaskSwitchXP
    2009-01-27 17:29 --------- d-----w c:\program files\Run With Arguments
    2009-01-27 17:29 --------- d-----w c:\program files\Attribute Changer
    2009-01-27 17:28 --------- d-----w c:\program files\System
    2009-01-23 01:17 42,320 ----a-w c:\windows\system32\xfcodec.dll
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-09 14:06 597,506 ----a-w c:\windows\system32\APOIM32.exe
    2008-12-03 22:51 52,224 ----a-w c:\windows\system32\dmutil.dll
    2008-12-03 22:51 47,104 ----a-w c:\windows\system32\cnbjmon.dll
    2008-12-03 22:51 35,328 ----a-w c:\windows\system32\pid.dll
    2008-12-03 22:51 2,185,216 ----a-w c:\windows\system32\ntkrnlpa.exe
    2008-12-03 22:51 15,360 ----a-w c:\windows\system32\pjlmon.dll
    2008-12-03 22:49 78,336 ----a-w c:\windows\system32\srclient.dll
    2008-12-03 22:47 92,160 ----a-w c:\windows\system32\osuninst.dll
    2008-12-03 22:46 99,840 ----a-w c:\windows\system32\msiexec.exe
    2008-12-03 22:45 99,152 ----a-w c:\windows\system32\jobexec.dll
    2008-12-03 22:44 99,328 ----a-w c:\windows\system32\ahui.exe
    2008-12-03 22:42 28,672 ----a-w c:\windows\system32\setupold.exe
    2008-12-03 22:19 8,704 ----a-w c:\windows\system32\wdfmgr.exe
    2008-12-03 22:13 86,073 ----a-w c:\windows\system32\usrfaxa.dll
    2008-12-03 22:09 990,208 ----a-w c:\windows\system32\syssetup.dll
    2008-12-03 22:09 712,704 ----a-w c:\windows\system32\windowscodecs.dll
    2008-12-03 22:09 347,648 ----a-w c:\windows\system32\windowscodecsext.dll
    2008-12-03 22:09 218,624 ----a-w c:\windows\system32\uxtheme.dll
    2008-12-03 22:09 140,288 ----a-w c:\windows\system32\sfc_os.dll
    2008-12-03 22:07 74,240 ----a-w c:\windows\system32\mscms.dll
    2008-12-03 22:07 691,712 ----a-w c:\windows\system32\inetcomm.dll
    2008-12-03 22:07 253,952 ----a-w c:\windows\system32\es.dll
    2008-12-03 22:07 1,307,648 ----a-w c:\windows\system32\msxml6.dll
    2008-12-03 22:05 467,984 ----a-w c:\windows\system32\d3dx10_39.dll
    2008-12-03 22:04 16,384 ----a-w c:\windows\system32\lcid.exe
    2008-12-02 01:28 2,686 ----a-w c:\windows\system32\boot01.cmd
    2008-12-01 20:52 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-12-01 20:51 318,464 ----a-w c:\windows\system32\ati2dvag.dll
    2008-12-01 20:46 11,304,960 ----a-w c:\windows\system32\atioglxx.dll
    2008-12-01 20:41 188,416 ----a-w c:\windows\system32\atipdlxx.dll
    2008-12-01 20:40 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-12-01 20:40 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-12-01 20:40 147,456 ----a-w c:\windows\system32\Oemdspif.dll
    2008-12-01 20:40 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-12-01 20:38 598,016 ----a-w c:\windows\system32\ati2evxx.exe
    2008-12-01 20:37 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-12-01 20:27 4,120,384 ----a-w c:\windows\system32\ati3duag.dll
    2008-12-01 20:19 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-12-01 20:11 2,495,360 ----a-w c:\windows\system32\ativvaxx.dll
    2008-12-01 19:57 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalrt.dll
    2008-12-01 19:53 45,056 ----a-w c:\windows\system32\amdcalcl.dll
    2008-12-01 19:53 401,408 ----a-w c:\windows\system32\atikvmag.dll
    2008-12-01 19:52 86,016 ----a-w c:\windows\system32\atiadlxx.dll
    2008-12-01 19:52 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-12-01 19:50 3,252,224 ----a-w c:\windows\system32\Amdcaldd.dll
    2008-12-01 19:50 286,720 ----a-w c:\windows\system32\atiok3x2.dll
    2008-12-01 19:45 577,536 ----a-w c:\windows\system32\ati2cqag.dll
    2008-12-01 14:25 497,664 ----a-w c:\windows\system32\CTAPO32.dll
    2008-12-01 14:25 47,104 ----a-w c:\windows\system32\ctppld.dll
    2008-12-01 09:16 1,750,528 ----a-w c:\windows\system32\winntbbu.dll
    2008-12-01 03:35 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-11-30 11:44 3,816 ----a-w c:\windows\system32\presetup.cmd
    2008-11-26 23:16 4,353,536 ----a-w c:\windows\system32\logonui.exe
    2008-11-20 06:49 3,549,552 ----a-w c:\windows\system32\procexp.exe
    2008-11-20 06:46 417,136 ----a-w c:\windows\system32\handle.exe
    2008-11-18 00:45 2,292,224 ----a-w c:\windows\system32\ntoskrnl.exe
    2008-11-13 08:58 244,592 ----a-w c:\windows\system32\ZoomIt.exe
    2008-11-13 08:32 312,176 ----a-w c:\windows\system32\accesschk.exe
    2008-11-13 00:44 27,904 ----a-w c:\windows\system32\uxtuneup.dll
    2008-11-09 11:21 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-11-09 11:21 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-11-09 11:21 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-11-09 11:21 34,328 ----a-w c:\windows\system32\wups.dll
    2008-11-09 11:21 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-11-06 07:09 2,892,656 ----a-w c:\windows\system32\Procmon.exe
    .

    ------- Sigcheck -------

    2008-12-03 14:49 641024 383a594be6a1eaf9d4993f204f80a7aa c:\windows\system32\user32.dll

    2008-12-03 14:09 361600 5d4e7ce1b563fc1b24b2bde0ec6d6d33 c:\windows\system32\drivers\tcpip.sys

    2008-12-03 14:49 557056 7dd9ce78dd441eea2bbaff6d3eeaad08 c:\windows\system32\winlogon.exe

    2008-12-03 14:51 2185216 15ea496a45d5e0cf5c23c45878453e51 c:\windows\system32\ntkrnlpa.exe

    2008-11-17 16:45 2292224 ccf64982ad1b27461a5b85401657b29a c:\windows\system32\ntoskrnl.exe

    2008-12-03 14:44 1569792 c1521c8c352c5a182cd03fad7edf6dfd c:\windows\explorer.exe

    2008-12-03 14:44 40448 c1d50243355a290cb3aa684fd8b38170 c:\windows\system32\ctfmon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PowerTweaK Menu"="c:\windows\system32\mmm.exe" [2005-07-04 828416]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-05-14 344064]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-28 61440]
    "UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-12 304640]
    "CTDVDDET"="c:\program files\Creative\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\SOUNDMAN.EXE]
    "CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 c:\windows\system32\Ctxfihlp.exe]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 c:\windows\Logi_MwX.Exe]
    "CTHelper"="CTHELPER.EXE" [2008-08-21 c:\windows\system32\CtHelper.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-12-03 40448]
    "TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-03 62976]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "SetDefaultMIDI"="MIDIDEF.EXE" [2008-08-21 c:\windows\system32\mididef.exe]
    "_nltide_3"="advpack.dll" [2008-10-16 c:\windows\system32\advpack.dll]

    c:\users\Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    c:\users\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy"= 0 (0x0)
    "SynchronousUserGroupPolicy"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "StartMenuFavorites"= 1 (0x1)
    "ForceClassicControlPanel"= 1 (0x1)
    "NoFavoritesMenu"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "MemCheckBoxInRunDlg"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoFavoritesMenu"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Xfire\\Xfire.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Steam\\steamapps\\bigyoman\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Users\\All Users\\Start Menu\\Programs\\Defcon\\defcon.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\return to castle wolfenstein\\WolfSP.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\return to castle wolfenstein\\WolfMP.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\ultimate doom\\ultimate.bat"=
    "c:\\Program Files\\Steam\\steamapps\\bigyoman\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\bigyoman\\zombie panic! source\\hl2.exe"=

    R1 Prio;Prio;c:\windows\system32\drivers\prio.sys [2009-01-27 34064]
    R1 vcdrom;Virtual CD-ROM Device Driver;c:\program files\System\CPL Bonus\vcdrom.sys [2009-01-27 8576]
    R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-01-27 603904]
    R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 11776]
    R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-01-27 99352]
    R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-01-27 555032]
    R3 ctgame;Game Port;c:\windows\system32\drivers\ctgame.sys [2009-01-27 18840]
    R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-01-27 566296]
    R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-09-24 3584]
    S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-01-27 99352]
    S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-01-27 555032]
    S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-01-27 100888]
    S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-01-27 100888]
    S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-01-27 566296]
    S3 CXFALCON;AVerMedia AVerTV Video Capture (Falcon);c:\windows\system32\drivers\AF2VCap.sys [2009-01-27 91904]
    S3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [2009-01-27 45568]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - VCDROM

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-04 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\mb3pdfov.default\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-03 23:36:11
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTxfiHlp = CTXFIHLP.EXE?
    CTHelper = CTHELPER.EXE?

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1136)
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\COMRes.dll
    c:\windows\system32\cscui.dll

    - - - - - - - > 'lsass.exe'(1256)
    c:\windows\system32\SETUPAPI.dll
    .
    Completion time: 2009-02-03 23:37:09
    ComboFix-quarantined-files.txt 2009-02-04 07:37:07

    Pre-Run: 94,125,391,872 bytes free
    Post-Run: 94,109,995,008 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

    385 --- E O F --- 2009-01-30 20:42:26


    HJT
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:38:06 PM, on 3/02/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20935)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\WINDOWS\system32\mmm.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [PowerTweaK Menu] C:\WINDOWS\system32\mmm.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O13 - Gopher Prefix:
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 4889 bytes

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    C:\WINDOWS\system32\mmm.exe <--Concerned about this file

    Do you have this program installed?
    http://hace-software.com/mmm.shtml



    Open Hijackthis
    • Go to Misc Tools> Open Uninstall Manager.
    • Click on Save List.
    • The list will open in Notepad.
    • Copy and Paste the List into this thread
    Last edited by ken545; 2009-02-04 at 10:35.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
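    An added example, not part of this thread or of HijackThis: a small Python triage helper that parses HijackThis-style "Running processes", O4 and O23 lines and applies the kind of check made in the post above (an autostart entry pointing at an unfamiliar executable inside the Windows directory, such as mmm.exe). The sample log lines are constructed to match the format of the logs posted here; the allowlist and the three heuristics are assumptions of this example, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 log format, shaped like the log
# posted in this thread but cut down to the line types the parser handles.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\mmm.exe
C:\Program Files\UltraMon\UltraMon.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PowerTweaK Menu] C:\WINDOWS\system32\mmm.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Assumed allowlist (constructed for this example, not an authoritative list):
# Windows-shipped binaries that legitimately autostart from the Windows tree.
KNOWN_OS_AUTOSTART = {"ctfmon.exe"}
WINDOWS_DIR = "c:\\windows\\"

O4_RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First token ending in an executable extension, surrounding quotes dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|com))"?', re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")


@dataclass
class AutostartEntry:
    kind: str        # "O4" (Run key / Startup folder) or "O23" (service)
    location: str    # registry key, startup folder, or service name
    name: str
    target: str      # executable path, or the bare file name HJT printed
    owner: str = ""  # O23 only: company name HJT read from version info


@dataclass
class Finding:
    entry: AutostartEntry
    reason: str
    running: bool    # same file name also appears under "Running processes"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return (running process paths, autostart entries) from an HJT log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False      # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
            exe = EXE_RE.match(cmd)
            target = exe.group("path") if exe else cmd
            entries.append(AutostartEntry("O4", m.group("key"), m.group("name"), target))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(AutostartEntry("O23", m.group("name"), m.group("name"),
                                          m.group("cmd").strip(), m.group("owner")))
    return processes, entries


def triage(text):
    """Apply three assumed heuristics to the autostart entries of an HJT log."""
    processes, entries = parse_hjt(text)
    running = {basename(p) for p in processes}
    findings = []
    for e in entries:
        base = basename(e.target)
        reason = None
        if e.kind == "O4" and "\\" not in e.target:
            reason = "bare file name: resolved by Windows search order, not a fixed path"
        elif e.kind == "O4" and e.target.lower().startswith(WINDOWS_DIR) \
                and base not in KNOWN_OS_AUTOSTART:
            reason = "third-party autostart living in the Windows directory"
        elif e.kind == "O23" and e.owner == "Unknown owner":
            reason = "service binary carries no company name in its version info"
        if reason:
            findings.append(Finding(e, reason, base in running))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        state = "running" if f.running else "not running"
        print(f"{f.entry.kind} [{f.entry.name}] {f.entry.target} -> {f.reason} ({state})")
```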

  7. #7
    Junior Member Meshyf's Avatar
    Join Date
    Feb 2009
    Posts
    6

    Default

    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11
    Alky for Applications (Windows XP)
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Control Panel
    ATI Display Driver
    Attribute Changer 6.0a
    Audiosurf
    BitPim 1.0.6
    Catalyst Control Center - Branding
    CCleaner (remove only)
    Counter-Strike: Source
    Creative Audio Console
    Creative EAX Console
    Creative Graphic Equalizer
    Creative MediaSource DVD-Audio Player
    Creative Speaker Settings
    Day of Defeat: Source
    ERUNT 1.1j
    Half-Life
    Half-Life 2
    Half-Life 2: Episode One
    Half-Life 2: Episode Two
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Player 11 (KB935957)
    HP Document Manager 1.0
    HP Imaging Device Functions 10.0
    HP Officejet J4500 Series
    HP Smart Web Printing
    HP Solution Center 10.0
    HP Update
    ImgBurn
    iZotope Ozone 1.0 for Winamp2 and Winamp3
    Java(TM) 6 Update 11
    Kels' CPL Bonus Pack!
    LG USB Modem driver
    Malwarebytes' Anti-Malware
    Media Player Classic 6.4.9.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Mozilla Firefox (3.0.6)
    Mozilla Thunderbird (2.0.0.19)
    MSXML 4.0 SP2 (KB954430)
    Nero Burning ROM Portable 9.0.9.4d
    OCR Software by I.R.I.S. 10.0
    Portal
    PowerTweaK Menu (mmm)
    Prio v1.9.8
    QuickTime Alternative 2.7.0
    Realtek AC'97 Audio
    RefreshEM
    RegShot
    Resource Hacker
    Return to Castle Wolfenstein
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB958687)
    Sendto Xtras
    Service Tweaker
    Shop for HP Supplies
    SoundFont Bank Manager
    Spybot - Search & Destroy
    Steam
    Surround Mixer
    TaskSwitchXP
    Team Fortress 2
    TeamSpeak 2 RC2
    TuneUp Utilities 2009
    Ultimate Doom
    UltraMon
    Universal Extractor 1.6
    Unlocker 1.8.7
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955839)
    Ventrilo Client
    Winamp
    Windows Vista Wallpapers
    World of Warcraft FREE Trial
    Xfire (remove only)
    XP Smoker Pro
    Xvid 1.1.3 final uninstall
    Zombie Panic! Source

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Let's remove it with this program, then reboot, and if Windows squawks we can put it back. 99% of the searches I have done on this say it's bad.

    Please download the OTMoveIt3 by OldTimer.

    • Save it to your desktop.
    • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Files
    C:\WINDOWS\system32\mmm.exe
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt3


    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



    How are things running now?

  9. #9
    Junior Member Meshyf's Avatar
    Join Date
    Feb 2009
    Posts
    6

    Default

    ========== FILES ==========
    C:\WINDOWS\system32\mmm.exe moved successfully.

    OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02042009_125422


    Things are running a lot better now. No more annoying pop ups and my computer doesn't try to read from the A:\ when I shut down now. Which is nice :D

    Thank you for all your help.

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great, post one last HJT log and let's make sure nothing has returned.
