PDA

View Full Version : Virtumonde and smitfraud infection



OMGWTFBBQ
2008-08-04, 23:07
This is a nasty infection. Please help!

Heres the Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:10 PM, on 8/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\OMGWTFBBQ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dms.wcs.k12.va.us/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\vbpdtvdp.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {8b63fc67-fa03-7d68-9f44-25cc61dbf1a0} - {0a1fbd16-cc52-44f9-86d7-30af76cf36b8} - C:\WINDOWS\System32\nojvtq.dll
O2 - BHO: (no name) - {4E262DD1-6958-4ED8-973E-E4485DC1EBCA} - C:\WINDOWS\System32\jkkjHAQK.dll (file missing)
O2 - BHO: (no name) - {509B62FF-EB4A-43D9-8206-87B9CA6498ED} - C:\WINDOWS\System32\fccaArss.dll (file missing)
O2 - BHO: (no name) - {71866C4D-3D0D-4B59-835F-BE8549DD5ED5} - C:\WINDOWS\System32\yayyYRIC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B76CF1F4-ECDC-4CA1-89F8-32403496528E} - C:\WINDOWS\System32\pmnmligh.dll
O2 - BHO: (no name) - {DEA68CA5-B854-434E-9331-7B89A1E589A0} - C:\WINDOWS\System32\cbXOGYPF.dll (file missing)
O2 - BHO: (no name) - {E18FFCA6-A4FC-4A1F-A6F2-41265D5A7EA0} - C:\WINDOWS\System32\ljJYSllK.dll (file missing)
O2 - BHO: (no name) - {FC122EBA-52B3-4D10-8B3E-1E649890F98F} - C:\WINDOWS\System32\khfEXpqO.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] c:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BM0e72309a] Rundll32.exe "C:\WINDOWS\System32\wamhihpk.dll",s
O4 - HKLM\..\Run: [0d410306] rundll32.exe "C:\WINDOWS\System32\pfjwvwwd.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3358] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1031] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6243] command /c del "C:\WINDOWS\system32\jkkjHAQK.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1537] cmd /c del "C:\WINDOWS\system32\jkkjHAQK.dll_old"
O4 - HKCU\..\Run: [HP Mobile Printing] "C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Antispyware] "C:\Program Files\AntiSpywareApp\Antispyware.exe" -boot
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1818] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2751] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB157] command /c del "C:\WINDOWS\system32\jkkjHAQK.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8140] cmd /c del "C:\WINDOWS\system32\jkkjHAQK.dll_old"
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntrkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64p.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://renplace.wcs.k12.va.us/RenaissanceServer/SharedApp/Downloads/rlprint.cab
O20 - AppInit_DLLs: spaihhya.dll
O20 - Winlogon Notify: pmnmligh - C:\WINDOWS\SYSTEM32\pmnmligh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 9067 bytes

I hope this is everything.

Shaba
2008-08-06, 16:51
Hi OMGWTFBBQ

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitTorrent DNA

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new HJT scan when finished and post the log back here.

OMGWTFBBQ
2008-08-06, 18:18
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:11 AM, on 8/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\OMGWTFBBQ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dms.wcs.k12.va.us/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\vbpdtvdp.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4E262DD1-6958-4ED8-973E-E4485DC1EBCA} - C:\WINDOWS\System32\jkkjHAQK.dll (file missing)
O2 - BHO: (no name) - {509B62FF-EB4A-43D9-8206-87B9CA6498ED} - C:\WINDOWS\System32\fccaArss.dll (file missing)
O2 - BHO: (no name) - {71866C4D-3D0D-4B59-835F-BE8549DD5ED5} - C:\WINDOWS\System32\yayyYRIC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {b374a172-e8c7-bdf8-edd4-cd8fe06aa797} - {797aa60e-f8dc-4dde-8fdb-7c8e271a473b} - C:\WINDOWS\System32\duwlik.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B76CF1F4-ECDC-4CA1-89F8-32403496528E} - C:\WINDOWS\System32\pmnmligh.dll
O2 - BHO: (no name) - {DEA68CA5-B854-434E-9331-7B89A1E589A0} - C:\WINDOWS\System32\cbXOGYPF.dll (file missing)
O2 - BHO: (no name) - {E18FFCA6-A4FC-4A1F-A6F2-41265D5A7EA0} - C:\WINDOWS\System32\ljJYSllK.dll (file missing)
O2 - BHO: (no name) - {FC122EBA-52B3-4D10-8B3E-1E649890F98F} - C:\WINDOWS\System32\khfEXpqO.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] c:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [0d410306] rundll32.exe "C:\WINDOWS\System32\uibkhpmf.dll",b
O4 - HKLM\..\Run: [BM0e72309a] Rundll32.exe "C:\WINDOWS\System32\wamhihpk.dll",s
O4 - HKCU\..\Run: [HP Mobile Printing] "C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Antispyware] "C:\Program Files\AntiSpywareApp\Antispyware.exe" -boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntrkdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jqwnw64p.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://renplace.wcs.k12.va.us/RenaissanceServer/SharedApp/Downloads/rlprint.cab
O20 - AppInit_DLLs: spaihhya.dll
O20 - Winlogon Notify: pmnmligh - C:\WINDOWS\SYSTEM32\pmnmligh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 8141 bytes

I think I got it.

Shaba
2008-08-06, 19:54
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

OMGWTFBBQ
2008-08-07, 04:55
ComboFix 08-08-06.02 - Administrator 2008-08-06 21:19:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.218 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\winxpsp1_en_pro_bf.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\3GWD7347\interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\#SharedObjects\3GWD7347\interclick.com\ud.sol
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Administrator\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Deewoo.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\AntispyStorm
C:\Program Files\AntispyStorm\AntispyStorm.exe.MANIFEST
C:\Program Files\AntispyStorm\logs\05.26.08_12_01_52.log
C:\Program Files\AntispyStorm\stat.bin
C:\Program Files\AntispyStorm\uninstall.exe
C:\Program Files\AntispyStorm\uninstall.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\Temp\vtmp2
C:\Temp\vtmp2\ktnv33.log
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\BM0e72309a.txt
C:\WINDOWS\BM0e72309a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\Fonts\Setup.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\system32\aivbvnhd.dll
C:\WINDOWS\system32\bdoobsyw.ini
C:\WINDOWS\system32\bjqcbwhg.ini
C:\WINDOWS\system32\byygey.dll
C:\WINDOWS\system32\cgkvlefo.dll
C:\WINDOWS\system32\CIRYyyay.ini
C:\WINDOWS\system32\CIRYyyay.ini2
C:\WINDOWS\system32\csicxpuf.dll
C:\WINDOWS\system32\dmbavlgm.dll
C:\WINDOWS\system32\dtqiqv.dll
C:\WINDOWS\system32\duwlik.dll
C:\WINDOWS\system32\dwwvwjfp.ini
C:\WINDOWS\system32\dyrnbz.dll
C:\WINDOWS\system32\eokyotlp.dll
C:\WINDOWS\system32\etfeuwdq.dll
C:\WINDOWS\system32\euuuvhda.dll
C:\WINDOWS\system32\ewpgiltm.dll
C:\WINDOWS\system32\ffzjwt.dll
C:\WINDOWS\system32\fjcnrq.dll
C:\WINDOWS\system32\fmphkbiu.ini
C:\WINDOWS\system32\FPYGOXbc.ini
C:\WINDOWS\system32\FPYGOXbc.ini2
C:\WINDOWS\system32\g63.exe
C:\WINDOWS\system32\gcxwkglh.dll
C:\WINDOWS\system32\ghwbcqjb.dll
C:\WINDOWS\system32\gmxbdbvf.dll
C:\WINDOWS\system32\goxvcpgt.ini
C:\WINDOWS\system32\gtmvcgmi.ini
C:\WINDOWS\system32\hcilpltl.ini
C:\WINDOWS\system32\hemlfvgs.dll
C:\WINDOWS\system32\hfpkvpac.dll
C:\WINDOWS\system32\hjhqabhv.ini
C:\WINDOWS\system32\hlgkwxcg.ini
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\hmbpmmei.ini
C:\WINDOWS\system32\hpjpdbxk.dll
C:\WINDOWS\system32\hrqlmtmx.dll
C:\WINDOWS\system32\iemmpbmh.dll
C:\WINDOWS\system32\iiffFuTK.dll
C:\WINDOWS\system32\imkmcbra.dll
C:\WINDOWS\system32\jfybkz.dll
C:\WINDOWS\system32\jxadsnyq.dll
C:\WINDOWS\system32\kdhqqqdf.dll
C:\WINDOWS\system32\khkchi.dll
C:\WINDOWS\system32\khrnjz.dll
C:\WINDOWS\system32\KllSYJjl.ini
C:\WINDOWS\system32\KllSYJjl.ini2
C:\WINDOWS\system32\kotlsn.dll
C:\WINDOWS\system32\KQAHjkkj.ini
C:\WINDOWS\system32\KQAHjkkj.ini2
C:\WINDOWS\system32\KTuFffii.ini
C:\WINDOWS\system32\KTuFffii.ini2
C:\WINDOWS\system32\kxbdpjph.ini
C:\WINDOWS\system32\kxircptu.dll
C:\WINDOWS\system32\lhwkem.dll
C:\WINDOWS\system32\llwmodpt.ini
C:\WINDOWS\system32\ltlplich.dll
C:\WINDOWS\system32\lwujowcl.dll
C:\WINDOWS\system32\mbaqjktg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfwtqyjx.ini
C:\WINDOWS\system32\mhkgxfko.dll
C:\WINDOWS\system32\moksaknq.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mxmkmaek.dll
C:\WINDOWS\system32\nhfwdxly.dll
C:\WINDOWS\system32\nojvtq.dll
C:\WINDOWS\system32\nyhyfe.dll
C:\WINDOWS\system32\ofelvkgc.ini
C:\WINDOWS\system32\oohewumv.dll
C:\WINDOWS\system32\OqpXEfhk.ini
C:\WINDOWS\system32\OqpXEfhk.ini2
C:\WINDOWS\system32\oxlyxctd.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnmligh.dll
C:\WINDOWS\system32\qdwuefte.ini
C:\WINDOWS\system32\qkmnyfuu.dll
C:\WINDOWS\system32\qobnqdst.ini
C:\WINDOWS\system32\qycovpjy.dll
C:\WINDOWS\system32\rtggyrdy.ini
C:\WINDOWS\system32\rwwnw64d.exe
C:\WINDOWS\system32\sepeiahx.ini
C:\WINDOWS\system32\sgvflmeh.ini
C:\WINDOWS\system32\socubgfo.dll
C:\WINDOWS\system32\ssrAaccf.ini
C:\WINDOWS\system32\ssrAaccf.ini2
C:\WINDOWS\system32\sxjvnwpm.dll
C:\WINDOWS\system32\udafkikp.dll
C:\WINDOWS\system32\unvpogmg.dll
C:\WINDOWS\system32\uvymavvk.dll
C:\WINDOWS\system32\wamhihpk.dll
C:\WINDOWS\system32\wcwadass.dll
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\xbnuktrv.dll
C:\WINDOWS\system32\xhaiepes.dll
C:\WINDOWS\system32\ycjchriv.dll
C:\WINDOWS\system32\yhgsvsbk.dll
C:\WINDOWS\system32\ythhpqvo.dll
C:\WINDOWS\system32\yynyet.dll
C:\WINDOWS\time.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-06 21:37 . 2008-08-06 21:37 <DIR> d-------- C:\Temp\tn3
2008-08-06 12:17 . 2008-08-06 12:17 2,048 --a------ C:\WINDOWS\system32\jvmbdayd.exe
2008-08-06 11:06 . 2008-08-06 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-30 21:27 . 2008-07-30 21:27 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-07-30 21:27 . 2008-07-30 21:27 <DIR> d-------- C:\Program Files\Tablet
2008-07-30 21:27 . 2005-06-17 15:18 1,444,870 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-07-30 21:27 . 2005-06-17 16:01 1,265,664 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-07-30 21:27 . 2008-08-06 21:37 12,912 --a------ C:\WINDOWS\system32\tablet.dat
2008-07-30 21:27 . 2001-04-09 16:45 8,138 --a------ C:\WINDOWS\system32\drivers\PenClass.sys
2008-07-30 21:26 . 2005-06-17 16:00 749,568 --a------ C:\WINDOWS\system32\Tablet.exe
2008-07-30 21:26 . 2005-06-17 16:34 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-07-30 21:26 . 1999-05-07 12:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-07-23 12:16 . 2008-07-23 12:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\.BitTornado
2008-07-21 20:14 . 2008-07-21 20:14 8,337 --a------ C:\WINDOWS\system32\ljJCrSLB.dll
2008-07-21 17:39 . 2008-07-21 17:39 8,337 --a------ C:\WINDOWS\system32\jkkKbCsT.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 01:36 167,976 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-08-05 03:23 --------- d-----w C:\Program Files\Yahoo!
2008-08-04 19:44 --------- d-----w C:\Program Files\Java
2008-07-22 19:46 --------- d-----w C:\Program Files\Google
2008-07-22 19:43 --------- d-----w C:\Program Files\LimeWire
2008-07-22 19:42 --------- d-----w C:\Program Files\Opera
2008-07-22 19:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-06-25 03:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-06-23 17:52 137,728 ----a-w C:\WINDOWS\system32\spaihhya.dll
2008-06-23 17:46 131,584 ----a-w C:\WINDOWS\system32\xeuvnjrp.dll
2008-06-20 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 20:57 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Antispyware
2008-06-20 20:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-18 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-05-26 15:49 147,456 ----a-w C:\WINDOWS\system32\vbzip10.dll
2008-05-26 15:41 63,902 ----a-w C:\WINDOWS\system32\{d8a9a8d9-10df-c492-cecb-a14c27464e72}.dll-uninst.exe
.

<pre>
-c--a-w 319,488 2005-04-26 14:51:10 C:\Program Files\NCS Pearson\etools Live Virginia Edition\etools Live VA Edition .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Mobile Printing"="C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE" [2003-05-23 16:12 630784]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-30 22:00 13312]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 17:18 1670144]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 12:25 68856]
"Antispyware"="C:\Program Files\AntiSpywareApp\Antispyware.exe" [N/A]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-24 18:45 335872]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 16:05 200766]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2003-07-15 20:55 274432]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 15:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 15:08 618496]
"VBSysTray"="C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe" [2006-09-04 17:46 202392]
"AVLoginToDo"="C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe" [2006-03-01 16:34 50816]
"ZCfgSvc.exe"="c:\WINDOWS\System32\ZCfgSvc.exe" [2004-07-28 07:52 409664]
"PRONoMgr.exe"="c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2004-05-26 16:20 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-10-06 15:04 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"0d410306"="C:\WINDOWS\System32\iemmpbmh.dll" [N/A]
"BM0e72309a"="C:\WINDOWS\System32\ythhpqvo.dll" [N/A]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2003-05-30 12:01 88267 C:\WINDOWS\AGRSMMSG.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 11:37 28672 C:\WINDOWS\system32\nwtray.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-05 22:29:37 113664]
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-07-30 21:27:05 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-07-28 07:53 180290 c:\WINDOWS\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R1 redbookk;redbookk;C:\WINDOWS\System32\drivers\redbookk.sys [2008-05-26 11:40]
R2 VBShld;VBShld;C:\WINDOWS\System32\Drivers\VBShld.Sys [2006-06-26 10:42]
R3 CONAN;CONAN;C:\WINDOWS\System32\drivers\o2mmb.sys [2003-07-28 20:49]
R3 MbxStby;MbxStby;C:\WINDOWS\System32\drivers\MbxStby.sys [2003-07-24 10:50]
R3 VBEngNT;VBEngNT;C:\WINDOWS\System32\Drivers\VBEngNT.Sys [2006-12-05 14:32]
R3 VBFilter;VBFilter;C:\WINDOWS\System32\Drivers\VBFilter.Sys [2006-03-01 15:10]
R3 VBRec;VBRec;C:\WINDOWS\System32\Drivers\VBRec.Sys [2006-03-01 15:09]
S4 VACompManService;Vexira Antivirus Component Manager Service;C:\PROGRA~1\VEXIRA~1\Bin\vbcmserv.exe [2006-05-30 16:04]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder

2008-02-18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-02-18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{4E262DD1-6958-4ED8-973E-E4485DC1EBCA} - C:\WINDOWS\System32\jkkjHAQK.dll
BHO-{509B62FF-EB4A-43D9-8206-87B9CA6498ED} - C:\WINDOWS\System32\fccaArss.dll
BHO-{71866C4D-3D0D-4B59-835F-BE8549DD5ED5} - C:\WINDOWS\System32\yayyYRIC.dll
BHO-{DEA68CA5-B854-434E-9331-7B89A1E589A0} - C:\WINDOWS\System32\cbXOGYPF.dll
BHO-{E18FFCA6-A4FC-4A1F-A6F2-41265D5A7EA0} - C:\WINDOWS\System32\ljJYSllK.dll
BHO-{FC122EBA-52B3-4D10-8B3E-1E649890F98F} - C:\WINDOWS\System32\khfEXpqO.dll
Toolbar-SITEguard - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mk2y527v.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 21:37:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\S24EvMon.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\cusrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-06 21:44:10 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-08-07 01:43:42

Pre-Run: 20,549,591,040 bytes free
Post-Run: 20,419,039,232 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

308 --- E O F --- 2008-05-20 11:56:49





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:18 PM, on 8/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\OMGWTFBBQ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dms.wcs.k12.va.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] c:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [0d410306] rundll32.exe "C:\WINDOWS\System32\iemmpbmh.dll",b
O4 - HKLM\..\Run: [BM0e72309a] Rundll32.exe "C:\WINDOWS\System32\ythhpqvo.dll",s
O4 - HKCU\..\Run: [HP Mobile Printing] "C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Antispyware] "C:\Program Files\AntiSpywareApp\Antispyware.exe" -boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://renplace.wcs.k12.va.us/RenaissanceServer/SharedApp/Downloads/rlprint.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 7084 bytes

Shaba
2008-08-07, 15:37
Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Please post a fresh HijackThis log back after that and we'll continue :)

OMGWTFBBQ
2008-08-08, 23:26
I should already have an antivirus program installed. Called Vexira anti-virus.
I installed one of the programs but removed it due to it using too much memory.
Never the less here is a new HJT log. Is it possible to continue without installing one of these programs? Also my internet access has become limited. May we move to e-mail so in case this topic does get archived? my e-mail removed :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:35:50 PM, on 8/8/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Documents and Settings\Administrator\Desktop\OMGWTFBBQ\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dms.wcs.k12.va.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [VBSysTray] "C:\PROGRA~1\VEXIRA~1\Bin\VBSysTry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "C:\PROGRA~1\VEXIRA~1\Bin\avltd.exe"
O4 - HKLM\..\Run: [ZCfgSvc.exe] c:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] "c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [0d410306] rundll32.exe "C:\WINDOWS\System32\iemmpbmh.dll",b
O4 - HKLM\..\Run: [BM0e72309a] Rundll32.exe "C:\WINDOWS\System32\ythhpqvo.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [HP Mobile Printing] "C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Antispyware] "C:\Program Files\AntiSpywareApp\Antispyware.exe" -boot
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {F534E6F2-4293-4461-A868-B06AE215A0BA} (rlprint) - http://renplace.wcs.k12.va.us/RenaissanceServer/SharedApp/Downloads/rlprint.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image002.gif
O24 - Desktop Component 1: (no name) - file:///C:/DOCUME~1/ADMINI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 7106 bytes

Shaba
2008-08-09, 12:18
I see, thanks for letting me know :)

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Shaba
2008-08-14, 11:16
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.