Thread: Junk in the trunk

  1. #1
    Junior Member
    Join Date
    May 2009
    Posts
    3

    Junk in the trunk

    I've got weird popups and processes happening, I think I need help in ridding myself of something. I've made a backup of my system registry with ERUNT, I've turned TeaTimer off, have run Search & Destroy a couple of times and keep coming up with a few things, the same things. Something is keeping all of my browsers from even going to the Kaspersky launch page, so something bad is definitely going on.

    While it may go without saying, I would appreciate your help and am very grateful for the work all of you are doing for all of us.

    Here's my HJT logfile:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:29:18 AM, on 5/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\sopidkc.exe
    C:\Documents and Settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
    C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKLM\..\Run: [IgfxTray.exe] C:\Program Files\Rosetta Stone\Rosetta Stone V3\Patch.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [VirusScannerPro] C:\PROGRA~1\AVANQU~1\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [15762184] C:\Documents and Settings\All Users\Application Data\15762184\15762184.exe
    O4 - HKLM\..\Run: [95772176] C:\Documents and Settings\All Users\Application Data\95772176\95772176.exe
    O4 - HKLM\..\Run: [65782179] C:\Documents and Settings\All Users\Application Data\65782179\65782179.exe
    O4 - HKLM\..\Run: [Secure AntiVirus Pro] C:\WINDOWS\AV.EXE
    O4 - HKLM\..\Run: [ROBOTFTPSCHED] C:\Program Files\FTPShell\botsched.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4601] command.com /c del "C:\WINDOWS\Temp\UAC1b6d.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9645] cmd.exe /c del "C:\WINDOWS\Temp\UAC1b6d.tmp_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3156] command.com /c del "C:\WINDOWS\Temp\UAC1b6d.tmp"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9725] cmd.exe /c del "C:\WINDOWS\Temp\UAC1b6d.tmp"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3448] command.com /c del "C:\WINDOWS\system32\drivers\UACd.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3242] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACd.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3551] command.com /c del "C:\WINDOWS\system32\drivers\UACd.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1413] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACd.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7897] command.com /c del "C:\WINDOWS\system32\drivers\UACmxobrrnkcfybwwe.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8124] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACmxobrrnkcfybwwe.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8714] command.com /c del "C:\WINDOWS\system32\drivers\UACmxobrrnkcfybwwe.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9181] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACmxobrrnkcfybwwe.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9328] command.com /c del "C:\WINDOWS\system32\drivers\UACsapjnmsewlrnoey.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8830] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACsapjnmsewlrnoey.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA12] command.com /c del "C:\WINDOWS\system32\drivers\UACsapjnmsewlrnoey.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7066] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACsapjnmsewlrnoey.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7596] command.com /c del "C:\WINDOWS\system32\drivers\UACvdtmnbebdpulqbu.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2517] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACvdtmnbebdpulqbu.sys_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8625] command.com /c del "C:\WINDOWS\system32\drivers\UACvdtmnbebdpulqbu.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC7500] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACvdtmnbebdpulqbu.sys"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA922] command.com /c del "C:\WINDOWS\system32\uacinit.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1420] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA6102] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3425] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2653] command.com /c del "C:\WINDOWS\system32\UACjjricngsomqtwbx.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8993] cmd.exe /c del "C:\WINDOWS\system32\UACjjricngsomqtwbx.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3965] command.com /c del "C:\WINDOWS\system32\UACjjricngsomqtwbx.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4060] cmd.exe /c del "C:\WINDOWS\system32\UACjjricngsomqtwbx.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1226] command.com /c del "C:\WINDOWS\system32\UACpfwmeuxtprridme.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3241] cmd.exe /c del "C:\WINDOWS\system32\UACpfwmeuxtprridme.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5071] command.com /c del "C:\WINDOWS\system32\UACpfwmeuxtprridme.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4013] cmd.exe /c del "C:\WINDOWS\system32\UACpfwmeuxtprridme.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7705] command.com /c del "C:\WINDOWS\system32\UACpkjwqxmlkiqbmhe.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4989] cmd.exe /c del "C:\WINDOWS\system32\UACpkjwqxmlkiqbmhe.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA9134] command.com /c del "C:\WINDOWS\system32\UACpkjwqxmlkiqbmhe.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9444] cmd.exe /c del "C:\WINDOWS\system32\UACpkjwqxmlkiqbmhe.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3868] command.com /c del "C:\WINDOWS\system32\UACwbkwyiqweqacxep.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6082] cmd.exe /c del "C:\WINDOWS\system32\UACwbkwyiqweqacxep.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1081] command.com /c del "C:\WINDOWS\system32\UACwbkwyiqweqacxep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5842] cmd.exe /c del "C:\WINDOWS\system32\UACwbkwyiqweqacxep.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5900] command.com /c del "C:\WINDOWS\system32\UACygbnmpfucvdkvbk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5126] cmd.exe /c del "C:\WINDOWS\system32\UACygbnmpfucvdkvbk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7451] command.com /c del "C:\WINDOWS\system32\UACygbnmpfucvdkvbk.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC9977] cmd.exe /c del "C:\WINDOWS\system32\UACygbnmpfucvdkvbk.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA963] command.com /c del "C:\WINDOWS\system32\UACtqlhypckciqvkde.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC2382] cmd.exe /c del "C:\WINDOWS\system32\UACtqlhypckciqvkde.log_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8922] command.com /c del "C:\WINDOWS\system32\UACtqlhypckciqvkde.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8360] cmd.exe /c del "C:\WINDOWS\system32\UACtqlhypckciqvkde.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA1310] command.com /c del "C:\WINDOWS\system32\UACtanxvdkjeidulqp.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3644] cmd.exe /c del "C:\WINDOWS\system32\UACtanxvdkjeidulqp.dat_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7764] command.com /c del "C:\WINDOWS\system32\UACtanxvdkjeidulqp.dat"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC218] cmd.exe /c del "C:\WINDOWS\system32\UACtanxvdkjeidulqp.dat"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Colin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
    O4 - HKCU\..\Run: [ChronoControl] C:\Program Files\ChronoControl\ChronoControl.exe
    O4 - HKCU\..\Run: [doubleTwist] C:\Program Files\doubleTwist 2.0\DoubleTwist.DeviceHelper.exe
    O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\990071320.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: santa.bat
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (HKCU)
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1179160082484
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1179978589843
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: mqlucv.dll mgntbf.dll,c:\progra~1\ThunMail\testabd.dll
    O20 - Winlogon Notify: khfGyabB - C:\WINDOWS\
    O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
    O23 - Service: Fix-It Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 16755 bytes
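An added example, not part of the original posts and not the helper's own method: a small Python triage of the `O4` registry autostart lines in a HijackThis log like the one above, using a few lines excerpted from it. The three review rules (no directory in the command, image under a Temp folder, all-digit file name) and all function names are assumptions chosen for illustration; a flag means "look closer", not "malicious".

```python
import re
from ntpath import basename, splitext

# Excerpt of O4 lines taken from the log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [15762184] C:\Documents and Settings\All Users\Application Data\15762184\15762184.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA3448] command.com /c del "C:\WINDOWS\system32\drivers\UACd.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3242] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACd.sys_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3551] command.com /c del "C:\WINDOWS\system32\drivers\UACd.sys"
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\990071320.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - Startup: santa.bat
"""

# Registry Run/RunOnce entries only; "O4 - Startup:" folder items are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# First token that ends in an executable extension, quoted or not.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|scr))(?=["\s]|$)', re.I)
DEL_RE = re.compile(r'/c del "([^"]+)"')
# Command interpreters that are normally started by bare name.
SHELLS = {"rundll32.exe", "cmd.exe", "command.com"}


def parse_o4(log):
    """Return a list of dicts (hive, key, name, cmd) for registry O4 lines."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_path(cmd):
    """Extract the program image from a Run value, dropping arguments."""
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else cmd


def triage(entry):
    """Apply the illustrative review rules and return the flags raised."""
    image = image_path(entry["cmd"])
    flags = []
    if "\\" not in image and image.lower() not in SHELLS:
        flags.append("no-path")       # resolved through the search path
    if re.search(r"\\temp\\", image, re.I):
        flags.append("temp-dir")      # autostart image inside a Temp folder
    if splitext(basename(image))[0].isdigit():
        flags.append("numeric-name")  # file name consists only of digits
    return flags


def pending_deletes(entries):
    """Collapse Spybot's RunOnce 'del' jobs into the set of target files."""
    targets = set()
    for e in entries:
        if e["key"] == "RunOnce" and e["name"].startswith("SpybotDeleting"):
            m = DEL_RE.search(e["cmd"])
            if m:
                targets.add(re.sub(r"_old$", "", m.group(1)))
    return sorted(targets)


if __name__ == "__main__":
    parsed = parse_o4(SAMPLE_LOG)
    for e in parsed:
        flags = triage(e)
        if flags:
            print(f"{e['hive']} {e['key']} [{e['name']}] -> {', '.join(flags)}")
    print("Files Spybot queued for deletion:", pending_deletes(parsed))
```

Run over the full log, `pending_deletes` reduces the long block of `SpybotDeleting` RunOnce lines to the short list of files Spybot had scheduled for removal at the next boot.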

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    You have a nasty infection here, if you still want help, follow the directions and do not expect safe or easy. Keep the computer offline except when troubleshooting, the junk will download more.

    1) C:\Program Files\DNA\btdna.exe, C:\Program Files\BitTorrent\bittorrent.exe
    Uninstall all p2p programs, see this:
    http://forums.spybot.info/showthread.php?t=282
    If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
    2) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

    3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Download ComboFix from here:

    Link 1

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

    Tutorial if needed
    http://www.bleepingcomputer.com/comb...o-use-combofix

    4) Post also an uninstall list: Open Hijackthis.
    Click the "Open the Misc Tools" section Button.
    Click the "Open Uninstall Manager" Button.
    Click the "Save list..." Button.
    Save it to your desktop. Copy and paste the contents into your reply.
    06:41 AM 2009-05-18
    Image: http://img.bleepingcomputer.com/tuto...nstall-man.jpg

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    May 2009
    Posts
    3

    I, Colin W. S., hereby absolve you or any other person on this board helping me from any harm or loss with regards to my computer. :-)

    Now that that's out of the way, let us proceed. And again, I thank you for your efforts in trying to make my computer healthy again.

    I read the malware removal intro, so I've removed BitTorrent and turned off TeaTimer. I've turned off AvantQuest's auto virus scanner and downloaded ComboFix, which I will use with a great deal of caution.

    When launching ComboFix, I get the following alert:
    !! ALERT !! It is NOT SAFE to continue!
    The contents of the ComboFix package has been compromised.
    Please download a fresh copy from:
    http://www.bleepingcomputer.com/comb...o-use-combofix
    Note: you may be infected with a file patching virus (Virut)

    And then ComboFix DISAPPEARS from my desktop. Wow, never seen that happen before, this nasty problem must really hate ComboFix. So is the error a fake? I'm not going to proceed with ComboFix until I hear back from you.

    Here's my uninstall list:
    --- begin
    1.0.3
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 6.0
    Adobe Reader 8.1.4
    Adobe Shockwave Player 11
    Adobe SVG Viewer
    Agood MP3 AMR OGG AAC M4A AC3 WAV Converter Free 4.0
    Alarm Clock v1.0
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    Belkin Wireless Utility
    Bonjour
    CCleaner (remove only)
    CDDRV_Installer
    CDisplayEx 1.4
    Choice Guard
    Combat Arms
    Compatibility Pack for the 2007 Office system
    Daily Alarm Clock
    Dell Photo Printer 720
    Dinner Timer Lite
    ERUNT 1.1j
    ffdshow [rev 2527] [2008-12-19]
    Fix-It Utilities 8 Professional
    FlashGet 1.9.6.1073
    Free Mp3/Wma/Ogg Converter 4.0.1
    FTP Voyager 15.1
    FTPShell Client 3.5
    GetRight
    Google Talk (remove only)
    Google Talk Plugin
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB952287)
    InFlac 1.1.1
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Network Adapters and Drivers
    IrfanView (remove only)
    IsoBuster 2.4
    iTunes
    Japanese Fonts Support For Adobe Reader 8
    Java(TM) 6 Update 13
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Jott Express
    Jott Express
    Jubler subtitle editor
    Karen's Alarm Clock
    KhalInstallWrapper
    K-Lite Codec Pack 3.3.5 Full
    Logitech Desktop Messenger
    Logitech QuickCam
    Logitech QuickCam Driver Package
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Mavis Beacon Teaches Typing Platinum 20
    Medieval CUE Splitter
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Moffsoft FreeCalc
    Monkey's Audio
    Mozilla Firefox (3.0.10)
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero 8
    neroxml
    NoteTab Light 5 (Remove only)
    N-Type 1.0
    Pando Media Booster
    Parental Lock Guard
    Picasa 3
    PokerStars.net
    PopCap Browser Plugin
    QuickTime
    RealPlayer
    Safari
    SAMSUNG CDMA Modem Driver Set
    Samsung Contacts Copier
    Samsung Mobile phone USB driver Software
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Segoe UI
    Skype™ 4.0
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    The Hot Yoga Doctor
    TOSHIBA Hotkey Utility for Display Devices
    Total Video Converter 3.12 080330
    TweakNow RegCleaner Standard
    TypingMaster TypingTest
    Unlocker 1.8.7
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    VCRedistSetup
    VLC media player 0.9.9
    Winamp
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Essentials
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows XP Service Pack 3
    WinRAR archiver
    Wootalyzer
    Wootalyzer!
    wootAmatorInstall
    Yahoo! Install Manager
    Yahoo! Messenger

    ---- end

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    I am sorry, but see this
    Note: you may be infected with a file patching virus (Virut)
    If you wish to be positive Virut is present, Kaspersky Online Scan will show it if it is there:
    Do an online scan with Kaspersky Online Scanner

    http://www.kaspersky.com/virusscanner


    1. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
    2. Click on the Accept button and install any components it needs.
    3. The program will install and then begin downloading the latest definition files.
    4. After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    5. This will start the program and scan your system.
    6. The scan will take a while, so be patient and let it run.
    7. Once the scan is complete, click on View scan report
    8. Now, click on the Save Report as button.
    9. Save the file to your desktop.
    10. Copy and paste that information in your next post


    If you are infected with Virut, these will be the next instructions.

    This machine needs to be formatted.

    This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

    Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

    Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

    Recent variants also modify htm, html, asp and php files.

    Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

    See miekiemoes' blog for similar comments here:
    http://miekiemoes.blogspot.com/2009/...-throwing.html

    Information Links

    http://free.avg.com/66558
    http://www.avast.com/eng/win32-virut.html
    http://www.ca.com/us/securityadvisor....aspx?ID=66586
    http://securitywatch.eweek.com/explo...hic_punch.html

    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
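An added example, not part of the original posts: a Python sketch that turns the backup guidance in the post above into a file-by-file plan before a format and reinstall. The status strings, function names and the decision to mark htm/html/asp/php files for review are assumptions; only `.zip` archives are opened (Python's standard library cannot read cab/rar), so other archive types are skipped outright.

```python
import os
import sys
import zipfile

INFECTABLE = {".exe", ".scr"}                # file types the post says Virut infects
WEB = {".htm", ".html", ".asp", ".php"}      # modified by recent variants, per the post
ARCHIVES = {".zip", ".cab", ".rar"}

BACKUP = "backup"
SKIP_EXEC = "skip: executable or screensaver"
SKIP_ARCHIVE = "skip: archive holds .exe/.scr or a nested archive"
SKIP_OPAQUE = "skip: archive type not inspected"
SKIP_BROKEN = "skip: unreadable archive"
REVIEW_WEB = "review: web file, inspect before restoring"


def _ext(name):
    return os.path.splitext(name)[1].lower()


def classify(path):
    """Decide what to do with one file, following the rules in the post."""
    ext = _ext(path)
    if ext in INFECTABLE:
        return SKIP_EXEC
    if ext in WEB:
        return REVIEW_WEB
    if ext in ARCHIVES:
        if ext != ".zip":
            return SKIP_OPAQUE
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except (zipfile.BadZipFile, OSError):
            return SKIP_BROKEN
        # Nested archives cannot be cleared without unpacking, so skip those too.
        if any(_ext(m) in INFECTABLE | ARCHIVES for m in members):
            return SKIP_ARCHIVE
    return BACKUP


def plan_backup(root):
    """Walk root and map each relative file path to its classification."""
    plan = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            plan[os.path.relpath(full, root)] = classify(full)
    return plan


def build_sample(root):
    """Create a small constructed file tree for the demonstration."""
    for name in ("letter.doc", "setup.exe", "fish.SCR", "index.html", "old.rar"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"constructed sample")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("holiday.jpg", b"constructed sample")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("bin/tool.exe", b"constructed sample")


if __name__ == "__main__":
    # Usage: python plan_backup.py <folder to back up>
    for rel, status in sorted(plan_backup(sys.argv[1]).items()):
        print(f"{status:50} {rel}")
```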

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    3

    Reformatted and reinstalled Win XP. Installed avast! and Comodo firewall.

    Thanks

  6. #6
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Thanks for taking the time to let me know, safe surfing.

    Here is some information that may be helpful.

    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

    How hard are your passwords to crack?
    http://www.microsoft.com/protect/you...d/checker.mspx

    http://users.telenet.be/bluepatchy/m...oes/Links.html
    http://www.microsoft.com/windows/ie/...rotection.mspx
    Improve the safety of your browsing and e-mail activities
    http://www.microsoft.com/protect/com.../browsing.mspx
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
