Hello thulium,
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You need to read the stickies in Before You Post, there put there for a reason, it puts us on the same page and makes the cleanup run faster.
Do this first...Important
Disable the TeaTimer, leave it disabled, do not turn it back on until we're done or it will prevent fixes from taking
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect
Please do not proceed until the TeaTimer is disabled
Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
I have a smithfraud and several instances of virtumonde (dll,generic,prx and sci) infecting my computer. My old dial up connection used to download faster. :( I've downloaded the suggested files for scanning but don't know if I've disconnected teatime or not?? When I look to see, it doesn't seem to go as described in the instructions for disconnecting it.
I'm operating XR service pac 3 and using firefox.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:21 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\MSTMON02.EXE
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - ~E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07F11209-B773-40C2-8AFB-5BB013346BD0} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A83DDDE-435D-478B-89F6-0DAFB9C62309} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - (no file)
O2 - BHO: (no name) - {78ED45D7-3B59-4BE4-B783-7286BB9D7EC8} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FEE2F348-95F3-40BF-BED4-26B29A5919E0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\WINDOWS\system32\MSTMON02.EXE STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [BroadCamRun] "C:\Program Files\NCH Software\BroadCam\broadCam.exe" -logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "D:\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209453253968
O20 - AppInit_DLLs: sljdhn.dll rsswjz.dll yfgumn.dll mowqpc.dll ryjnns.dll xfegxm.dll blnrjq.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 9213 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:01 PM, on 2/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NCH Software\BroadCam\broadCam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\MSTMON02.EXE
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\NCH Software\BroadCam\broadCam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - ~E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07F11209-B773-40C2-8AFB-5BB013346BD0} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A83DDDE-435D-478B-89F6-0DAFB9C62309} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - (no file)
O2 - BHO: (no name) - {78ED45D7-3B59-4BE4-B783-7286BB9D7EC8} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FEE2F348-95F3-40BF-BED4-26B29A5919E0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\WINDOWS\system32\MSTMON02.EXE STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [BroadCamRun] "C:\Program Files\NCH Software\BroadCam\broadCam.exe" -logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "D:\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209453253968
O20 - AppInit_DLLs: sljdhn.dll yfgumn.dll mowqpc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 9310 bytes
Good Morning,
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Good Morning,
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:44 AM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NCH Software\BroadCam\broadCam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\MSTMON02.EXE
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NCH Software\BroadCam\broadCam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\WINDOWS\system32\MSTMON02.EXE STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [BroadCamRun] "C:\Program Files\NCH Software\BroadCam\broadCam.exe" -logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "D:\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209453253968
O20 - AppInit_DLLs: sljdhn.dll yfgumn.dll mowqpc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 8959 bytes
ComboFix 09-02-21.01 - User 2009-02-23 9:51:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2635 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\cjnwkuuv.ini
c:\windows\system32\cnlemdfj.dll
c:\windows\system32\mdjmfkoi.ini
c:\windows\system32\nvyewack.dll
c:\windows\system32\rmkxpexo.dll
c:\windows\system32\tmp68.tmp
c:\windows\system32\tmp99.tmp
c:\windows\system32\wrbayqjq.dll
c:\windows\Tasks\ffjjwfgy.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.
2009-02-22 22:16 . 2009-02-22 22:16 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-02-22 22:16 . 2009-02-22 22:16 215 --a------ c:\windows\system32\MRT.INI
2009-02-22 22:08 . 2009-02-22 22:08 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-22 22:08 . 2009-02-22 22:17 <DIR> d-------- c:\windows\SxsCaPendDel
2009-02-22 22:08 . 2009-02-22 22:08 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-22 22:08 . 2009-02-22 22:08 <DIR> d-------- c:\program files\MSBuild
2009-02-22 22:08 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-22 22:08 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-22 22:08 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-22 22:08 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-22 22:08 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-22 22:08 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-22 22:08 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-11 11:44 . 2009-02-11 11:44 <DIR> d-------- c:\program files\Trend Micro
2009-02-11 11:27 . 2009-02-11 11:27 <DIR> d-------- c:\program files\ERUNT
2009-02-03 12:18 . 2009-02-03 12:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-28 03:50 . 2009-01-28 03:50 82 --a------ c:\windows\system32\RPRID.KEY
2009-01-28 03:49 . 2009-01-28 03:58 <DIR> d-------- c:\program files\RescuePRO
2009-01-28 03:49 . 2009-01-28 03:48 286,720 --a------ c:\windows\iun507.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 14:54 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-23 14:18 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-23 13:45 --------- d-----w c:\program files\Mozilla Firefox 3 Beta 5
2009-02-17 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 19:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 15:48 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 08:08 --------- d-----w c:\documents and settings\User\Application Data\U3
2009-01-23 08:44 --------- d-----w c:\program files\Yahoo!
2009-01-23 08:43 --------- d-----w c:\program files\NCH Software
2009-01-23 08:38 --------- d-----w c:\documents and settings\User\Application Data\NCH Software
2009-01-22 19:24 --------- d-----w c:\program files\Real
2009-01-22 19:24 --------- d-----w c:\program files\Common Files\xing shared
2009-01-22 19:24 --------- d-----w c:\program files\Common Files\Real
2009-01-17 17:09 --------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-01-17 17:09 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-14 21:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 21:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 00:54 --------- d-----w c:\program files\Common Files\Download Manager
2009-01-13 00:01 --------- d-----w c:\program files\Unibrain
2009-01-12 23:59 --------- d-----w c:\program files\Intel Desktop Board
2009-01-08 14:24 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Software
2009-01-08 14:19 --------- d-----w c:\program files\NCH Swift Sound
2009-01-08 14:19 --------- d-----w c:\documents and settings\User\Application Data\NCH Swift Sound
2009-01-08 14:19 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-01-06 07:16 --------- d-----w c:\program files\Common Files\AVSMedia
2009-01-06 07:16 --------- d-----w c:\program files\AVS4YOU
2009-01-06 07:16 --------- d-----w c:\documents and settings\User\Application Data\AVS4YOU
2009-01-06 07:16 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-12-26 05:08 6,301,344 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-12-24 05:19 --------- d-----w c:\documents and settings\User\Application Data\eGames
2008-12-17 04:31 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"Steam"="D:\Steam.exe" [2008-10-26 1410296]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]
"KONICA MINOLTA magicolor 2500W STD"="c:\windows\system32\MSTMON02.EXE" [2006-03-08 192512]
"Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
"KMCONFIG"="c:\program files\Mouse Driver\StartAutorun.exe" [2007-03-06 212992]
"LVCOMS"="c:\program files\Common Files\Logitech\PktDrvr\LVCOMS.EXE" [2003-07-21 135214]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-07-21 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-07-21 69632]
"LogitechGalleryRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-07-21 188416]
"BroadCamRun"="c:\program files\NCH Software\BroadCam\broadCam.exe" [2009-01-08 368644]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-22 185872]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]
"Logitech Utility"="LOGI_MWX.EXE" [2003-12-17 c:\windows\LOGI_MWX.EXE]
"SPIRun"="SPIRun.dll" [2006-11-29 c:\windows\system32\SPIRun.dll]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DualCoreCenter.lnk - c:\program files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe [2008-05-13 192512]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-01-14 671744]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sljdhn.dll yfgumn.dll mowqpc.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"d:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\etqwded.exe"=
"e:\\etqw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"d:\\Program Files\\FEARXP2.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"86:TCP"= 86:TCP:BroadCam Web Server
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2008-07-25 212008]
R2 BroadCamService;BroadCam Service;c:\program files\NCH Software\BroadCam\broadCam.exe [2009-01-08 368644]
R2 KMWDSERVICE;Keyboard And Mouse Communication Service;c:\program files\Mouse Driver\KMWDSrv.exe [2007-04-05 208896]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-08-17 3712]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-07-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-07-27 36352]
R3 DualCoreCenter;DualCoreCenter;c:\program files\MSI\DualCoreCenter\NTGLM7X.sys [2008-05-13 28160]
R3 t3;Sound Blaster X-Fi Xtreme Audio;c:\windows\system32\drivers\t3.sys [2008-05-16 732672]
R3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [2008-05-16 1656576]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-07-27 77056]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44bacc70-487d-11dd-8255-0019db65f765}]
\Shell\AutoRun\command - G:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{461801ec-1579-11dd-81f7-0019db65f765}]
\Shell\AutoRun\command - I:\setupSNK.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a6bca976-8b6c-11dd-828a-0019db65f765}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bee16505-f095-11dd-8337-0019db65f765}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-02-12 c:\windows\Tasks\Crysis Wars(R) Updates.job
- c:\windows\Installer\Crysis Wars(R) Updates for All Users.lnk [2008-10-23 12:00]
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
URLSearchHooks-~E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - (no file)
BHO-{07F11209-B773-40C2-8AFB-5BB013346BD0} - (no file)
BHO-{6A83DDDE-435D-478B-89F6-0DAFB9C62309} - (no file)
BHO-{78ED45D7-3B59-4BE4-B783-7286BB9D7EC8} - (no file)
BHO-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
BHO-{FEE2F348-95F3-40BF-BED4-26B29A5919E0} - (no file)
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SYSTEMROOT%\system32\nvLsp.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\j06bia28.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 09:54:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SPIRun = Rundll32 SPIRun.dll,RunDLLEntry?
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-484763869-1644491937-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:39,93,5f,54,b2,bc,a1,89,9b,6c,91,d2,fe,cc,e3,04,fe,83,e8,bd,d1,29,92,
c7,c5,db,c2,48,76,7e,f2,52,a6,1a,13,a7,33,1a,b0,e4,95,2b,0f,8f,36,d5,52,59,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
[HKEY_USERS\S-1-5-21-484763869-1644491937-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:4e,34,05,e7,9b,9a,02,a2,85,72,35,e9,11,1a,9c,66,60,53,65,43,a4,
43,aa,e3,e6,29,c6,34,8e,c3,6e,f2,ae,fb,b3,97,89,9e,40,32,40,c7,88,71,f4,33,\
"rkeysecu"=hex:d4,4f,30,05,c9,9e,f0,fa,85,de,19,00,32,da,5d,cd
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\program files\Mouse Driver\KMCONFIG.exe
c:\windows\system32\rundll32.exe
c:\program files\Mouse Driver\KMProcess.exe
c:\program files\MSI\DualCoreCenter\DualCoreCenter.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-02-23 9:59:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 14:59:52
Pre-Run: 230,995,267,584 bytes free
Post-Run: 231,101,915,136 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
231 --- E O F --- 2008-12-19 23:39:50
Hello,
Looking better but there may be more to be removed, this junk installs all over the place. Part of what you where infected with was a rootkit, but its been removed.
No need to quote me on what I post.
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O20 - AppInit_DLLs: sljdhn.dll yfgumn.dll mowqpc.dll
Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.<-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:16 PM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mouse Driver\KMWDSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\MSTMON02.EXE
C:\Program Files\Mouse Driver\StartAutorun.exe
C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
C:\Program Files\Mouse Driver\KMConfig.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Mouse Driver\KMProcess.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\MSI\DualCoreCenter\DualCoreCenter.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [SPIRun] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\WINDOWS\system32\MSTMON02.EXE STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KMCONFIG] C:\Program Files\Mouse Driver\StartAutorun.exe KMConfig.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\PktDrvr\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [BroadCamRun] "C:\Program Files\NCH Software\BroadCam\broadCam.exe" -logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "D:\Steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: DualCoreCenter.lnk = C:\Program Files\MSI\DualCoreCenter\StartUpDualCoreCenter.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209453253968
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Keyboard And Mouse Communication Service (KMWDSERVICE) - UASSOFT.COM - C:\Program Files\Mouse Driver\KMWDSrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 8714 bytes
MBAM LOG
Malwarebytes' Anti-Malware 1.34
Database version: 1797
Windows 5.1.2600 Service Pack 3
2/23/2009 3:27:17 PM
mbam-log-2009-02-23 (15-27-17).txt
Scan type: Quick Scan
Objects scanned: 61198
Time elapsed: 1 minute(s), 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ghqnjd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fqvjgmwc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xzjnac.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yqrpvmfq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytrqlw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\koyodgof.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Hi,
I have been in computing since windows 3.1 and have never been a big fan of third party tools line Systemworks, the tools you need are built into windows and they are more than adequate.
Lets get you some Antivirus software, just choose one, more than one is overkill and will bog down your system. I have AVG Free on 2 of my systems and am very happy with it.
AVG Free (http://free.grisoft.com/doc/avg-anti-virus-free/lng/us/tpl/v5)
Free Avast 4 Home Edition (http://www.avast.com/eng/avast_4_home.html)
Avira AntiVirŪ Personal Edition Classic (http://www.free-av.com/)
Firefox is a lot more secure than IE, but this junk still sneaks by.
Your Java maybe outdated and outdated versions let these type of infections onto your system, we need to check it.
Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 11 or 12, if not proceed with the instructions.
Download the latest version Here (http://java.sun.com/javase/downloads/index.jsp) save it, do not install it yet.
JRE 6 Update 12 <--This is what you need
Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
Reboot your computer
Install the latest version
You can verify the installation Here (http://www.java.com/en/download/help/testvm.xml)
Also try updating IE to IE7, its also more secure than Version 6
http://www.microsoft.com/downloads/details.aspx?FamilyId=9AE91EBE-3385-447C-8A30-081805B2F90B&displaylang=en
Did you run ATF Cleaner, make sure you ran it to clean out the temp files and such. Click the Firefox tab, just don't select cookies or passwords or you may not able to access some sites if you did not write the passwords down.
ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.
Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.
Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .
Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
Safe Surfn
Ken