Unknown infection



Leprkon
2007-09-05, 05:55
Alright, so here is the problem. Normally, I would do a system restore and be rid of the nuisance, but that wouldn't work this time.

Every time I ran a virus scanner, I received different end results displaying a different type of infection each time. Of course, I removed these. But no matter how many times I removed them, different infections would appear in the results. So, this got me to thinking: what if the "real" infection embedded itself into my computer and isn't showing up on scans? So, I came here. I tried using
Kaspersky Online Scanner in order to provide the board with a log, but was constantly encountering a problem when a message appeared asking for a file called "002E08D9.key".
So instead, I have provided an HJT log. I hope that will be enough.

--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:18 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\wuauclt.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\WINDOWS\svhost.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wuauclt.exe
C:\sysreset\mirc.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [winlogon] D:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svhost] "D:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "D:\DOCUME~1\TSURUG~1\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [{79-9F-FB-BB-ZN}] D:\WINDOWS\system32\lldsrngn.exe CHD003
O4 - HKLM\..\RunOnce: [SpybotDeletingA1693] command /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2122] cmd /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7150] command /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6060] cmd /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6553] command /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD899] cmd /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6219] command /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9703] cmd /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\lldsrngn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5597 bytes
--------------------------------------------------------

ken545
2007-09-06, 01:48
Hello Leprkon

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

You do have a few issues we need to address.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe

O4 - HKLM\..\Run: [winlogon] D:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [svhost] "D:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [NI.UWAS7_0001_N91M2703] "D:\DOCUME~1\TSURUG~1\LOCALS~1\Temp\winaspsnet.exe" -nag
O4 - HKLM\..\Run: [{79-9F-FB-BB-ZN}] D:\WINDOWS\system32\lldsrngn.exe CHD003
O4 - HKLM\..\RunOnce: [SpybotDeletingA1693] command /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2122] cmd /c del "D:\WINDOWS\system32\lldsrngn.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7150] command /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6060] cmd /c del "D:\WINDOWS\system32\dwdsrngt.exe_tobedeleted"




1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
D:\WINDOWS\csrss.exe
D:\WINDOWS\svhost.exe
D:\WINDOWS\wuauclt.exe

Folders to delete:


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply





Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner. This is expected, but it will be back to normal after the first or second boot up.

Thank You Atribune

I need to see the Avenger log and a New HJT log please.

Leprkon
2007-09-06, 04:01
How's this? :)

HJT
-----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:41 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Eset\nod32.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\lldsrngn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4565 bytes

Avenger
------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gamxrvny

*******************

Script file located at: \??\D:\WINDOWS\system32\ukjwaxga.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:



File D:\WINDOWS\csrss.exe not found!
Deletion of file D:\WINDOWS\csrss.exe failed!

Could not process line:
D:\WINDOWS\csrss.exe
Status: 0xc0000034

File D:\WINDOWS\svhost.exe deleted successfully.
File D:\WINDOWS\wuauclt.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

ken545
2007-09-06, 04:14
Hello Again,

Avenger shows this file as deleted, but it's still present.

Remove this entry with HJT
F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe



Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.


D:\WINDOWS\wuauclt.exe


Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
If it's not greyed out, click the radio button that says Unregister .dll before deleting.
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.


Post a new HJT log please

Leprkon
2007-09-06, 05:06
And here you are sir. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:42 PM, on 9/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\lldsrngn.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4449 bytes

ken545
2007-09-06, 13:39
It's still there. That file in the windows\system32 folder is legit and is for your Windows updates, but in the folder it's in, it's a virus.

* Download OTMoveIt.exe from here and place it on your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

* Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste next part:

D:\WINDOWS\wuauclt.exe
D:\WINDOWS\system32\lldsrngn.exe

Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the prompt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in next folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Then remove these with HJT
F3 - REG:win.ini: load=D:\WINDOWS\wuauclt.exe
O4 - Startup: TA_Start.lnk = D:\WINDOWS\system32\lldsrngn.exe
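
The point ken545 makes above, that wuauclt.exe is legitimate in system32 but malicious one directory up, can be turned into a mechanical check. The script below is an added example, not part of the thread and not HijackThis code: it parses the "Running processes" section of an HJT log and flags core Windows process names running from the wrong directory, plus one-character lookalikes such as svhost.exe. The expected-directory table and the sample log are constructed for the example.

```python
"""Flag system-process lookalikes in a HijackThis 'Running processes' list.

Added example for triage of HJT logs; not from the forum thread or HijackThis.
"""
import re

# Genuine location of each core Windows process as a directory relative to the
# Windows directory ("" means directly inside it). Constructed from the usual
# XP layout; wuauclt.exe in \WINDOWS instead of \WINDOWS\system32 is exactly
# the case the thread discusses.
EXPECTED_DIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "wuauclt.exe": "system32",
    "explorer.exe": "",
}

# A 'Running processes' section constructed for this example (a miniature of
# the thread's first log, not the real log text).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\wuauclt.exe
D:\WINDOWS\svhost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Eset\nod32krn.exe
C:\sysreset\mirc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Matches a directory under <drive>:\WINDOWS; group 1 is the part below it.
WIN_DIR_RE = re.compile(r"^[a-z]:\\windows(?:\\(.*))?$", re.IGNORECASE)


def parse_running_processes(log_text):
    """Return the image paths listed under 'Running processes:' in an HJT log."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # the section ends at the first blank line
            paths.append(line.strip())
    return paths


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return 'ok', 'wrong_dir' or 'lookalike' for one running-process path."""
    directory, _, name = path.rpartition("\\")
    name = name.lower()
    m = WIN_DIR_RE.match(directory)
    if name in EXPECTED_DIR:
        if m is None:
            return "wrong_dir"  # a core system name outside the Windows directory
        rel = m.group(1) or ""
        return "ok" if rel.lower() == EXPECTED_DIR[name] else "wrong_dir"
    # Not a known system name: flag names one edit away from one (svhost/svchost).
    for known in EXPECTED_DIR:
        if edit_distance(name, known) == 1:
            return "lookalike"
    return "ok"


def triage(log_text):
    """Map each suspicious process path to its verdict; clean entries are omitted."""
    verdicts = {}
    for path in parse_running_processes(log_text):
        verdict = classify(path)
        if verdict != "ok":
            verdicts[path] = verdict
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG).items():
        print(f"{verdict:10} {path}")
```

A hit only says the path is worth a second look; a genuine copy of a system binary belongs where the table says, so anything else is a candidate for the helper's Kill/Move steps rather than an automatic deletion.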

Leprkon
2007-09-07, 00:17
Here ya go.

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:30 PM, on 9/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\XWatDog.exe
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\sysreset\mirc.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\uTorrent\uTorrent.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RegServer] regserve.exe
O4 - HKLM\..\Run: [XGIWatchDog] XWatDog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "D:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

--
End of file - 4657 bytes


ComboFix

ComboFix 07-08-30.3 - "Tsurugi Kyo" 2007-09-06 6:53:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.149 [GMT -5:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\DOCUME~1\TSURUG~1\STARTM~1\Programs\Startup.\TA_Start.lnk
D:\DOCUME~1\TSURUG~1\STARTM~1\Programs\Startup\ta_start.lnk
D:\Program Files\outerinfo
D:\Program Files\outerinfo\Terms.rtf
D:\Program Files\svhost
D:\Program Files\svhost\wr-1-77.exe
D:\WINDOWS\svchost.exe
D:\WINDOWS\system32\f02WtR
D:\WINDOWS\system32\zxdnt3d.cfg


((((((((((((((((((((((((( Files Created from 2007-08-06 to 2007-09-06 )))))))))))))))))))))))))))))))


2007-09-06 06:52 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-09-05 20:47 <DIR> d-------- D:\!KillBox
2007-09-05 04:13 <DIR> d-------- D:\Program Files\Microsoft ActiveSync
2007-09-05 04:12 <DIR> d-------- D:\WINDOWS\ShellNew
2007-09-04 21:49 <DIR> d-------- D:\Program Files\Trend Micro
2007-09-04 15:47 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-04 15:32 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\Lavasoft
2007-09-02 21:34 <DIR> d-------- D:\WINDOWS\system32\SolidStateNetworks
2007-09-02 21:34 <DIR> d-------- D:\WINDOWS\system32\QuickTime
2007-09-02 21:34 <DIR> d-------- D:\Program Files\uTorrent
2007-08-23 16:47 <DIR> d-------- D:\Program Files\URUSoft
2007-08-23 16:43 <DIR> d-------- D:\Program Files\MKVtoolnix
2007-08-23 14:23 <DIR> d-------- D:\Program Files\AllToAVI
2007-08-23 14:07 <DIR> d-------- D:\Program Files\videofixer
2007-08-23 13:49 <DIR> d-------- D:\Program Files\Matroska Pack
2007-08-23 13:41 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\River Past G5
2007-08-23 13:41 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\River Past G5
2007-08-23 13:29 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\vlc
2007-08-23 13:20 <DIR> d-------- D:\Program Files\VideoLAN
2007-08-23 13:15 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\DivX
2007-08-21 23:22 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\uTorrent
2007-08-20 11:50 36,864 --a------ D:\WINDOWS\system32\wbsys.dll
2007-08-20 11:20 2,560 --a------ D:\WINDOWS\_MSRSTRT.EXE
2007-08-20 01:51 <DIR> d-------- D:\Program Files\Stardock
2007-08-20 01:38 512,096 --a------ D:\WINDOWS\system32\drivers\amon.sys
2007-08-20 01:38 298,104 --a------ D:\WINDOWS\system32\imon.dll
2007-08-20 01:38 15,424 --a------ D:\WINDOWS\system32\drivers\nod32drv.sys
2007-08-19 12:06 <DIR> d----c--- D:\WINDOWS\system32\DRVSTORE
2007-08-18 22:06 <DIR> d-------- D:\DOCUME~1\TSURUG~1\Contacts
2007-08-18 21:22 <DIR> d-------- D:\Program Files\MSN Messenger
2007-08-18 18:40 <DIR> d-------- D:\Program Files\Real Alternative
2007-08-18 18:40 <DIR> d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\Real
2007-08-18 18:40 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-06 20:23 <DIR> d-------- D:\Program Files\Hewlett-Packard
2007-08-06 20:23 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Hewlett-Packard
2007-08-06 20:22 82,432 -ra------ D:\WINDOWS\system32\MSXML4r.dll
2007-08-06 20:22 626,960 -ra------ D:\WINDOWS\system32\hpvaut32.dll
2007-08-06 20:22 487,424 -ra------ D:\WINDOWS\system32\hpvcp70.dll
2007-08-06 20:22 44,544 -ra------ D:\WINDOWS\system32\MSXML4a.dll
2007-08-06 20:22 344,064 -ra------ D:\WINDOWS\system32\hpvcr70.dll
2007-08-06 20:22 1,230,336 -ra------ D:\WINDOWS\system32\MSXML4.dll
2007-08-06 20:16 <DIR> d-------- D:\Program Files\Common Files\Hewlett-Packard
2007-08-06 20:15 51,088 -ra------ D:\WINDOWS\system32\drivers\hpzid412.sys
2007-08-06 20:15 16,496 -ra------ D:\WINDOWS\system32\drivers\HPZipr12.sys
2007-08-06 20:14 21,744 -ra------ D:\WINDOWS\system32\drivers\HPZius12.sys
2007-08-06 20:14 15,104 --a--c--- D:\WINDOWS\system32\dllcache\usbscan.sys
2007-08-06 20:14 15,104 --a------ D:\WINDOWS\system32\drivers\usbscan.sys
2007-08-06 20:13 94,208 --a------ D:\WINDOWS\system32\HPZipt12.dll
2007-08-06 20:13 65,536 --a------ D:\WINDOWS\system32\HPZipm12.exe
2007-08-06 20:13 61,440 --a------ D:\WINDOWS\system32\HPZinw12.exe
2007-08-06 20:13 57,344 --a------ D:\WINDOWS\system32\HPZisn12.dll
2007-08-06 20:13 278,584 --a------ D:\WINDOWS\system32\HPZidr12.dll
2007-08-06 20:13 204,800 --a------ D:\WINDOWS\system32\HPZipr12.dll
2007-08-06 20:10 <DIR> d-------- D:\Program Files\HP
2007-08-06 19:56 17,176 --------- D:\WINDOWS\hpomdl04.dat
2007-08-06 19:56 104,664 --a------ D:\WINDOWS\hpoins04.dat


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-02 22:14 --------- d-------- D:\Program Files\Combined Community Codec Pack
2007-09-02 21:34 --------- d-------- D:\Program Files\DivX
2007-09-02 21:34 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-26 15:44 --------- d--h----- D:\Program Files\InstallShield Installation Information
2007-08-20 01:49 502272 --a------ D:\WINDOWS\system32\winlogon.exe
2007-08-07 15:21 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\Ahead
2007-08-05 11:26 --------- d-------- D:\Program Files\7-Zip
2007-08-04 08:25 682232 --a------ D:\WINDOWS\system32\drivers\sptd.sys
2007-08-04 07:39 --------- d-------- D:\Program Files\DVD Decrypter
2007-08-03 00:42 --------- d-------- D:\Program Files\Common Files\Ahead
2007-08-03 00:40 --------- d-------- D:\Program Files\Nero
2007-08-01 06:01 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\CoreCodec
2007-07-31 23:34 --------- d-------- D:\Program Files\BearShare
2007-07-31 23:32 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\WinRAR
2007-07-31 23:23 --------- d-------- D:\Program Files\Haali
2007-07-31 23:23 --------- d-------- D:\Program Files\CoreCodec
2007-07-31 22:59 --------- d-------- D:\Program Files\R-Drive Image
2007-07-29 17:07 43520 --a------ D:\WINDOWS\system32\CmdLineExt03.dll
2007-07-29 10:26 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\Google
2007-07-29 00:29 --------- d-------- D:\Program Files\Google
2007-07-29 00:14 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\Nexon
2007-07-28 23:18 --------- d-------- D:\DOCUME~1\TSURUG~1\APPLIC~1\InstallShield
2007-07-28 23:13 94208 --a------ D:\WINDOWS\system32\NTDisUn.dll
2007-07-28 23:13 4404 --a------ D:\WINDOWS\system32\SIMPLDRV.SYS
2007-07-28 23:13 --------- d-------- D:\Program Files\XGI Technology,Inc
2007-07-28 23:13 --------- d-------- D:\Program Files\VolariV3-V1.16.02
2007-07-28 23:00 --------- d-------- D:\Program Files\NVIDIA Corporation
2007-07-28 23:00 --------- d-------- D:\Program Files\Common Files\NVIDIA Shared
2007-07-28 23:00 --------- d-------- D:\Program Files\Common Files\InstallShield
2007-07-28 22:28 --------- d-------- D:\Program Files\microsoft frontpage
2007-07-25 21:53 200704 --a------ D:\WINDOWS\system32\ssldivx.dll
2007-07-25 21:53 1044480 --a------ D:\WINDOWS\system32\libdivx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 20:51]
"SoundMan"="SOUNDMAN.EXE" [2004-09-16 20:39 D:\WINDOWS\SOUNDMAN.EXE]
"RegServer"="regserve.exe" [2005-01-28 15:41 D:\WINDOWS\system32\RegServe.exe]
"XGIWatchDog"="XWatDog.exe" [2005-01-28 15:42 D:\WINDOWS\system32\XWatDog.exe]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NeroFilterCheck"="D:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="D:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2007-08-20 01:35]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 15:14]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 D:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;D:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;D:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 Xgiv3;Xgiv3;D:\WINDOWS\system32\DRIVERS\Xgiv3m.sys
S3 DrvSnSht;DrvSnSht;\??\D:\Program Files\R-Drive Image\DrvSnSht.sys
S3 MzBot;MzBot;\??\C:\MzBot.sys
S3 R-ImageDisk;R-ImageDisk;\??\D:\Program Files\R-Drive Image\R-ImageDisk.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1121d1e3-3d53-11dc-a004-806d6172696f}]
AutoRun\command- H:\SETUP.EXE /UPDATE

*Newly Created Service* - CATCHME
*Newly Created Service* - HTTPFILTER

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-06 06:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-06 6:55:46
D:\ComboFix-quarantined-files.txt ... 2007-09-06 06:55

--- E O F ---

ken545
2007-09-07, 02:47
By Jove you've done it :bigthumb: They're gone.

How is your system running now??

Leprkon
2007-09-07, 02:52
:laugh:
It was all thanks to you though. *bows*

My connection to Internet Explorer is a little slow, and my computer is lagging a bit, but a simple restart should fix that.

Other than that, no pop-ups, no weird sounds playing when nothing is open, and nothing has shown up in scans. ^_^ Thanks a lot!

:D::laugh::laugh::laugh::laugh::laugh::D:

ken545
2007-09-07, 02:58
That's great :bigthumb:

Some reading and free programs for you.

It's Not Always Malware

Slow Computer (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html)
Microsoft (http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx)

Speedup Windows
TechBuilder (http://www.techbuilder.org/recipes/59201471)

Windows Tips
Techruler (http://www.techruler.com/tips.html#1)
Kellys Korner (http://www.kellys-korner-xp.com/xp_abc.htm)



How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install; these are must-haves to help keep you secure.

Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free firewall from Zone Labs; I wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken

Leprkon
2007-09-07, 14:41
I will look at those links as soon as possible. ^_^

Thanks again, you saved me from having to do a clean setup of Windows. =P

ken545
2007-09-07, 15:52
Glad things are well and we could help you.

Ken:bigthumb: