Can you help remove Virtumonde trojan Please ???



smogman
2009-03-05, 14:48
I have tried several times with Spybot 1.6 and Vindufix, but it always seems to show up again when I rescan.

Can anyone help ??

smogman
2009-03-05, 21:28
My HJ scan is below; can anyone help with this one???

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:27, on 2009-03-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\firewall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6112C2F6-B4CA-4DDE-BFC2-E359D111BF2C} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\dkjcjnul.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 10394 bytes

pskelley
2009-03-10, 11:03
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above are the directions, make sure you have read and followed them, then post the requested logs, please mention any recent symptoms.

This looks like a company or corporate computer, and it is badly infected. Please see this information.
http://www.systemlookup.com/Startup/15072.html
http://www.sophos.com/security/analyses/viruses-and-spyware/w32poebotj.html

W32/Poebot-J allows a remote attacker to steal internet account user names and passwords, download and execute files from the internet, flood other computers with network packets, retrieve system information and execute arbitrary commands by opening a remote shell on the infected computer.

And that is far from all of the infections!

http://forums.spybot.info/showpost.php?p=25712&postcount=5

Note: When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

smogman
2009-03-10, 14:18
thanks pskelley.

Actually this used to be my work computer several years ago but no longer is. My kids use it most of the time.

Can you help from here ??

pskelley
2009-03-10, 14:24
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

OK, but you understand that does not change the information I posted about this infection. If you wish to try to clean it, then read and follow the "Before you Post" directions, disable TeaTimer as instructed and then post a new HJT log.

Thanks

smogman
2009-03-10, 14:46
What is TeaTimer and how do I disable it??

I just want to try and clean it so that I can take some files off that I wanted to keep. Then, I will blow everything away and reload the OS.

pskelley
2009-03-10, 14:56
I just want to try and clean it so that I can take some files off that I wanted to keep. Then, I will blow everything away and reload the OS.
Look forward to a lot of work to clean this computer. If you are intending to reformat anyway, you may want to pull the plug until you have the time to do that?

What is TeaTimer and how do I disable it??
If you would take the time to read the directions, you would have the answer to that question.

When Spybot-S&D is installed.
TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware.
TeaTimer can be re-enabled once the computer is clean.
Understand that "I will blow everything away and reload OS" will not remove this infection. It will require a complete reformat of the computer.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm

smogman
2009-03-10, 15:41
OK thanks pskelley. I think I understand what you are saying.

My thought was to try and clean it first so that I could pull a few files I wanted to keep before I reformat and lose everything. Are you saying it's not worth it to do this??? I'll go with whatever advice you think is best!! Thanks.

pskelley
2009-03-10, 19:15
I am sorry. I believe I have provided information to help you make your decisions; I cannot make them for you.

smogman
2009-03-11, 00:51
OK thanks ps, let's try and clean it up 1st..... here's a new HJ log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:53, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\firewall.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\KAV64.EXE
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {379FC1ED-31A8-485A-AD0E-4EA5163F0A00} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {017b14cc-35c8-caeb-4814-3cbc273cc3d5} - {5d3cc372-cbc3-4184-beac-8c53cc41b710} - C:\WINNT\system32\hcxmud.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\rrjumuof.dll",b
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: hcxmud.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 10104 bytes

pskelley
2009-03-11, 00:58
TeaTimer is still not disabled?
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Post a new HJT log when that has been done.
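Added example, not part of the thread and not HijackThis code: a small Python script that does the two log checks the replies above make by hand (is TeaTimer still running and still under a Run key; which O2/O4/O20 entries reappear under a new CLSID or file name from one scan to the next). The regexes and function names are my own; the two log excerpts are constructed from lines the poster pasted.

```python
"""Read HijackThis-style logs the way the replies in this thread do: is a program
still running / still set to autostart, and which persistence entries come back
under a new name between two scans. Added example, not code from the thread or
from HijackThis; the two excerpts are constructed from lines quoted in the thread
(the second and third logs the original poster pasted)."""
import re

SCAN_BEFORE = r"""Running processes:
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\KAV64.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: (no name) - {379FC1ED-31A8-485A-AD0E-4EA5163F0A00} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: {017b14cc-35c8-caeb-4814-3cbc273cc3d5} - {5d3cc372-cbc3-4184-beac-8c53cc41b710} - C:\WINNT\system32\hcxmud.dll
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\rrjumuof.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: hcxmud.dll
"""

SCAN_AFTER = r"""Running processes:
C:\WINNT\system32\KAV64.EXE
C:\WINNT\system32\rundll32.exe

O2 - BHO: (no name) - {18699115-5793-4B5A-9352-D74EC02EEED2} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: {73f1c59e-ab07-8b28-4404-fb4b61556b09} - {90b65516-b4bf-4044-82b8-70bae95c1f37} - C:\WINNT\system32\powjti.dll
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\noeojbny.dll",b
"""

# Line shapes HijackThis uses for the sections the replies discuss (my own regexes).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

def parse_hjt(text):
    """Split a log into processes, BHOs (path -> CLSID), Run entries ((key, label) -> cmd), AppInit_DLLs."""
    scan = {"processes": [], "bho": {}, "run": {}, "appinit": []}
    in_procs = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(line)  # the process list ends at the first blank line
            if line:
                scan["processes"].append(line)
            continue
        if m := BHO_RE.match(line):
            scan["bho"][m["path"]] = m["clsid"]
        elif m := RUN_RE.match(line):
            scan["run"][(m["key"], m["label"])] = m["cmd"]
        elif m := APPINIT_RE.match(line):
            scan["appinit"].extend(d.strip() for d in m["dlls"].split(","))
    return scan

def is_running(scan, exe_name):
    """True if a process with this file name is listed under 'Running processes'."""
    want = exe_name.lower()
    return any(p.lower().rsplit("\\", 1)[-1] == want for p in scan["processes"])

def autostart_entries(scan, exe_name):
    """Run/RunOnce entries whose command mentions the file name."""
    want = exe_name.lower()
    return sorted(k for k, cmd in scan["run"].items() if want in cmd.lower())

def diff_scans(before, after):
    """What changed between two scans. A BHO kept under a new CLSID or a Run entry
    whose DLL name rotated is the 'shows up again after a rescan' pattern."""
    rep = {"bho_reregistered": [], "run_changed": [], "removed": [], "added": []}
    for path, clsid in before["bho"].items():
        new = after["bho"].get(path)
        if new is None:
            rep["removed"].append(("bho", path))
        elif new != clsid:
            rep["bho_reregistered"].append((path, clsid, new))
    rep["added"] += [("bho", p) for p in after["bho"] if p not in before["bho"]]
    for key, cmd in before["run"].items():
        new = after["run"].get(key)
        if new is None:
            rep["removed"].append(("run", key))
        elif new != cmd:
            rep["run_changed"].append((key, cmd, new))
    rep["added"] += [("run", k) for k in after["run"] if k not in before["run"]]
    rep["removed"] += [("appinit", d) for d in before["appinit"] if d not in after["appinit"]]
    rep["added"] += [("appinit", d) for d in after["appinit"] if d not in before["appinit"]]
    return rep

if __name__ == "__main__":
    before, after = parse_hjt(SCAN_BEFORE), parse_hjt(SCAN_AFTER)
    for exe in ("TeaTimer.exe", "fxsteller.exe", "KAV64.EXE"):
        print(f"{exe}: running={is_running(after, exe)} autostart={autostart_entries(after, exe)}")
    for kind, items in diff_scans(before, after).items():
        print(kind, items)
```

Run it on two full logs saved from consecutive scans to see at a glance which entries a cleaner actually removed and which merely changed their registration or file name.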

smogman
2009-03-11, 01:39
OK, sorry, didn't realize I had to shut off and start again after unchecking.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:40, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\firewall.exe
C:\WINNT\system32\KAV64.EXE
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {18699115-5793-4B5A-9352-D74EC02EEED2} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: {73f1c59e-ab07-8b28-4404-fb4b61556b09} - {90b65516-b4bf-4044-82b8-70bae95c1f37} - C:\WINNT\system32\powjti.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\noeojbny.dll",b
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: powjti.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 9872 bytes

pskelley
2009-03-11, 01:45
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks

smogman
2009-03-11, 02:35
ComboFix 09-03-10.01 - CAR4262 2009-03-10 7:25:08.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.105 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\MyWay
c:\winnt\aycddd.ini
c:\winnt\dffggh.ini
c:\winnt\fxstaller.exe
c:\winnt\IE4 Error Log.txt
c:\winnt\psuvxx.ini
c:\winnt\smdat32m.sys
c:\winnt\system32\acnqgegr.dll
c:\winnt\system32\AyabcMoq.ini
c:\winnt\system32\AyabcMoq.ini2
c:\winnt\system32\bnutrx.dll
c:\winnt\system32\cmeiwn.dll
c:\winnt\system32\cwbpiyce.ini
c:\winnt\system32\drivers\seneka.sys
c:\winnt\system32\ecyipbwc.dll
c:\winnt\system32\firewall.exe
c:\winnt\system32\foumujrr.ini
c:\winnt\system32\gotjoiyo.dll
c:\winnt\system32\hcxmud.dll
c:\winnt\system32\hhgfwz.dll
c:\winnt\system32\htiwevbo.dll
c:\winnt\system32\htlbrcqb.dll
c:\winnt\system32\iboijwew.dll
c:\winnt\system32\igreal.dll
c:\winnt\system32\ijyhgwry.dll
c:\winnt\system32\ildbapfw.dll
c:\winnt\system32\injkqtwx.dll
c:\winnt\system32\jijyennr.dll
c:\winnt\system32\kazaabackupfiles
c:\winnt\system32\kazaabackupfiles\shServ.exe
c:\winnt\system32\lhbjjcnc.dll
c:\winnt\system32\mdm.exe
c:\winnt\system32\mfihyede.ini
c:\winnt\system32\noeojbny.dll
c:\winnt\system32\notqmh.dll
c:\winnt\system32\nqgasuav.dll
c:\winnt\system32\oxsaxlux.ini
c:\winnt\system32\pckugcxp.dll
c:\winnt\system32\powjti.dll
c:\winnt\system32\qhtvaaia.dll
c:\winnt\system32\qmalggdt.ini
c:\winnt\system32\qoMcbayA.dll
c:\winnt\system32\rjdkti.dll
c:\winnt\system32\rrjumuof.dll
c:\winnt\system32\swqnlinw.dll
c:\winnt\system32\tdgglamq.dll
c:\winnt\system32\ujckgyje.dll
c:\winnt\system32\UpMedia
c:\winnt\system32\vujnhnrt.dll
c:\winnt\system32\webcl32.dll
c:\winnt\system32\xypyggcj.dll
c:\winnt\system32\ynbjoeon.ini
c:\winnt\t\
c:\winnt\waabdd.ini
c:\winnt\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://hummerbonk.com
hxxp://sclkfile02.nac.ppg.com
hxxp://sclkfile04.nac.ppg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RpcPatch
-------\Service_RpcTftpd
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-10 07:29 . 09-03-10 07:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_578.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-09 03:50 . 09-03-09 04:05 514 --a------ C:\kk.exe
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-07 11:20 . 09-03-07 11:20 275 --a------ C:\xrtv.exe
2009-03-05 05:55 . 09-03-05 05:55 106,034 --a------ C:\fgjjkq.exe
2009-03-05 04:42 . 09-03-05 04:42 93,266 ---h----- c:\winnt\system32\kav64.exe
2009-03-05 04:42 . 09-03-05 04:42 93,266 --a------ C:\qgasd.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft
2009-03-03 18:17 . 09-03-03 18:17 5,449 --a------ C:\mooo.exe
2009-03-02 18:43 . 09-03-02 18:43 102,912 --a------ c:\winnt\tyz.exe
2009-03-02 18:43 . 09-03-02 18:43 102,912 --a------ C:\tyz.exe
2009-03-02 18:13 . 09-03-02 18:41 102,912 --a------ C:\tupy.exe
2009-03-02 18:11 . 09-03-02 18:12 102,912 --a------ C:\ssetup.exe
2009-03-02 17:45 . 09-03-02 17:45 111,342 --a------ C:\djdd.exe
2009-03-02 17:35 . 09-03-02 17:35 1,922 --a------ C:\famieln.exe
2009-03-02 17:23 . 09-03-02 17:27 90,112 --a------ C:\addsd.exe
2009-03-02 17:09 . 09-03-02 17:09 5,569 --a------ C:\shdgghsdf.exe
2009-03-02 17:01 . 09-03-02 17:01 102,912 --a------ C:\linstall.exe
2009-03-02 17:01 . 09-03-02 16:23 48,690 -r-hs---- c:\winnt\fxsteller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2009-03-10 10:34 --------- d-----w c:\program files\LimeWire
2009-03-05 02:11 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 11:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-10 03:43 --------- d-----w c:\program files\Common Files\Adaptec Shared
2009-01-10 03:33 --------- d-----w c:\program files\Easy CD & DVD Cover Creator
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Update"="KAV64.EXE" [09-03-05 04:42 93266 c:\winnt\system32\kav64.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 03:00 132496]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"Microsoft Update"="KAV64.EXE" [09-03-05 04:42 93266 c:\winnt\system32\kav64.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"3"="c:\program files\Novadigm\radppgui.exe" [06-10-16 12:25 138090]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rjdkti.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]
S4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - uphcleanhlp
.
- - - - ORPHANS REMOVED - - - -

BHO-{07ee3f2b-dec6-40dd-a579-9243480029a8} - c:\winnt\system32\rjdkti.dll
BHO-{A7BF8473-74F3-4C98-B2FA-2CDCCAA29F4B} - c:\winnt\system32\qoMcbayA.dll
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKLM-Run-AccessManager - c:\program files\AccessManager\Client\AccessMgr.exe
HKLM-Run-Windows Network Firewall - c:\winnt\system32\firewall.exe
HKLM-Run-0ca61319 - c:\winnt\system32\ecyipbwc.dll
HKCU-Explorer_Run-1 - \\nac.ppg.com\netlogon\gpfix\gpfix.vbs
HKCU-Explorer_Run-2 - \\nac.ppg.com\netlogon\gpfix\gplog.vbs


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: ppg.com\*.trustweb
Trusted Zone: ppg.com\*.trustweb
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 07:29:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update = KAV64.EXE?spyrulz?#!spy!?r0x????????Microsoft Update????????Microsoft Update?hidden v1.0????????????mIRC v6.03 Khaled Mardam-Be
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Update = KAV64.EXE?spyrulz?#!spy!?r0x????????Microsoft Update????????Microsoft Update?hidden v1.0????????????mIRC v6.03 Khaled Mardam-Be

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_5b4.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-10 7:33:51 - machine was rebooted [CAR4262]
ComboFix-quarantined-files.txt 2009-03-10 12:33:47
ComboFix2.txt 2007-09-19 21:41:01

Pre-Run: 247,802,880 bytes free
Post-Run: 265,146,368 bytes free

238

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:35, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\KAV64.EXE
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: rjdkti.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 9357 bytes


Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
Advanced Registry Optimizer
ATI Display Driver
Brother Driver Deployment Wizard
Brother Drivers
Brother MFL-Pro Suite
CAIR 4.5
CONEXANT HCF V90 56K DATA FAX PCI MODEM (Uninstall)
Conexant HSF V92 56K Data Fax PCI Modem
Dial Analysis
Dial Analysis
DirectX 8.1 Hotfix - KB839643
Explore From Here (Remove only)
HijackThis 2.0.2
IE5 Registration
Intel Ultra ATA Storage Driver
Intel(R) PRO Ethernet Adapter and Software
IP VPN RS Nortel v4.65 (3DES)
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Juniper Networks Network Connect 5.2.0
Juniper Networks Network Connect 5.3.0
Kaspersky Online Scanner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
OpSession Engine
Outlook Express Q823353
Photo Loader 2.3E
Rights Management Add-on for Internet Explorer
Shockwave
SmartDeviceMonitor for Client
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Symantec pcAnywhere
TreeSize Professional 2.4
User Profile Hive Cleanup Service
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB823980
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828028
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB829707
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890175
Windows 2000 Hotfix - KB890859
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB892294
Windows 2000 Hotfix - KB893066
Windows 2000 Hotfix - KB893086
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB925486
Windows Media Player 7.1
Windows Media Player Hotfix [See wm828026 for more information]
Windows Rights Management Client
Windows Rights Management Client Backwards Compatibility
WinZip
WinZip Command Line Support Add-On
WorldCom IP VPN Remote Access 4.60 (3DES)

pskelley
2009-03-11, 13:17
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Both out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy 1.4 <<< uninstall that old version
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

LimeWire <<< I see p2p programs with no uninstaller, see this:
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
ComboFix will remove p2p programs. If you don't want to do that, don't proceed past here; let me know and I will close this thread.


Follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\kk.exe
C:\xrtv.exe
C:\fgjjkq.exe
C:\qgasd.exe
C:\mooo.exe
c:\winnt\tyz.exe
C:\tyz.exe
C:\tupy.exe
C:\ssetup.exe
C:\djdd.exe
C:\famieln.exe
C:\addsd.exe
C:\shdgghsdf.exe
C:\linstall.exe
c:\winnt\fxsteller.exe
C:\WINNT\system32\KAV64.EXE
c:\winnt\system32\Perflib_Perfdata_5b4.dat

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
c:\program files\LimeWire
c:\documents and settings\car4262

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: rjdkti.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks

smogman
2009-03-11, 18:21
Hi PS. I did remove the programs as instructed and ran ComboFix using the Notepad codebox you supplied.

I could not find some of the "fix checked" items you asked me to select in HJT, so I stopped. I have posted the ComboFix.txt and a new HJT log since I wasn't sure if I should continue without the missing items checked.

ComboFix 09-03-10.03 - CAR4262 2009-03-10 22:34:23.6 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.49 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\car4262\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\addsd.exe
C:\djdd.exe
C:\famieln.exe
C:\fgjjkq.exe
C:\kk.exe
C:\linstall.exe
C:\mooo.exe
C:\qgasd.exe
C:\shdgghsdf.exe
C:\ssetup.exe
C:\tupy.exe
C:\tyz.exe
c:\winnt\fxsteller.exe
c:\winnt\system32\KAV64.EXE
c:\winnt\system32\Perflib_Perfdata_5b4.dat
c:\winnt\tyz.exe
C:\xrtv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\addsd.exe
C:\djdd.exe
C:\famieln.exe
C:\fgjjkq.exe
C:\kk.exe
C:\linstall.exe
C:\mooo.exe
c:\program files\LimeWire
c:\program files\LimeWire\GenericWindowsUtils.dll
c:\program files\LimeWire\i18n.jar
c:\program files\LimeWire\jl011.jar.tmp
c:\program files\LimeWire\lib\jl011.jar
c:\program files\LimeWire\lib\MessagesBundles.jar
c:\program files\LimeWire\lib\mp3sp14.jar
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\lib\vorbis.jar
c:\program files\LimeWire\LimeWire20.dll
c:\program files\LimeWire\MessagesBundles.jar.tmp
c:\program files\LimeWire\mp3sp14.jar.tmp
c:\program files\LimeWire\vorbis.jar.tmp
c:\program files\LimeWire\WindowsFirewall.dll
c:\program files\LimeWire\WindowsV5PlusUtils.dll
c:\program files\LimeWire\xerces.jar
c:\program files\LimeWire\xml-apis.jar
C:\qgasd.exe
C:\shdgghsdf.exe
C:\ssetup.exe
C:\tupy.exe
C:\tyz.exe
c:\winnt\fxsteller.exe
c:\winnt\system32\KAV64.EXE
c:\winnt\t\
c:\winnt\tyz.exe
C:\xrtv.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-10 22:24 . 09-03-10 22:24 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 03:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 03:21 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"3"="c:\program files\Novadigm\radppgui.exe" [06-10-16 12:25 138090]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
R4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: ppg.com\*.trustweb
Trusted Zone: ppg.com\*.trustweb
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 22:36:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-10 22:40:01
ComboFix-quarantined-files.txt 2009-03-11 03:39:51
ComboFix2.txt 2009-03-10 12:33:52
ComboFix3.txt 2007-09-19 21:41:01

Pre-Run: 494,209,536 bytes free
Post-Run: 487,394,816 bytes free

188


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8561 bytes

pskelley
2009-03-11, 19:30
Continue with the instructions; CFScript removes items before HJT, and I do a double-check. Once you finish following the MBAM instructions, post a new HJT log and provide some feedback about performance.

Thanks
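
smogman's note that some of the step 3 line items could not be found in HijackThis, and pskelley's reply that the CFScript removes items before the HJT step, can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses a "Fix Checked" list and a fresh HijackThis log into normalised (section, body) items and reports which requested items are still present and which are already gone. The sample lines are copied from the fix list and the second HJT log posted in this thread; the function names (`parse_hjt`, `compare_fix_list`, `report`) are this example's own.

```python
"""Compare a helper's HijackThis "Fix Checked" list against a fresh HJT log.

Added example for this thread; not part of HijackThis or ComboFix. The sample
text below is taken from the posts above, the helper names are assumptions.
"""
import re
from typing import List, Set, Tuple

# Step 3 line items from pskelley's instructions (copied from the post).
FIX_LIST = r"""
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: rjdkti.dll
"""

# Excerpt of the HijackThis log smogman posted after the CFScript run
# (lines taken from the thread; the KAV64 and AppInit_DLLs entries are gone).
NEW_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
"""

# A HijackThis item line: section tag (R0, O4, O20, ...), " - ", then the body.
HJT_ITEM = re.compile(r"^([RFNO]\d+)\s*-\s*(.+)$")

Item = Tuple[str, str]


def parse_hjt(text: str) -> Set[Item]:
    """Return (section, body) pairs for every item line, normalised for comparison.

    Whitespace is collapsed and the body lower-cased, because the same entry
    can be pasted with different spacing or different path casing.
    Non-item lines (headers, process list, blank lines) are ignored.
    """
    items: Set[Item] = set()
    for raw in text.splitlines():
        m = HJT_ITEM.match(raw.strip())
        if m:
            section, body = m.group(1), " ".join(m.group(2).split()).lower()
            items.add((section, body))
    return items


def compare_fix_list(fix_list: str, new_log: str) -> Tuple[List[Item], List[Item]]:
    """Split the requested items into (still present in the new log, already gone)."""
    wanted = parse_hjt(fix_list)
    have = parse_hjt(new_log)
    return sorted(wanted & have), sorted(wanted - have)


def report(fix_list: str, new_log: str) -> str:
    """Human-readable summary a poster could paste back into the thread."""
    present, gone = compare_fix_list(fix_list, new_log)
    lines = ["Still present (tick these in HijackThis):"]
    lines += [f"  {s} - {b}" for s, b in present] or ["  (none)"]
    lines.append("Already gone (removed earlier, e.g. by the CFScript run):")
    lines += [f"  {s} - {b}" for s, b in gone] or ["  (none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FIX_LIST, NEW_LOG))
```

On the thread's own data this reports the radppgui, O14 and O17 entries as still present and the two KAV64.EXE entries and the `O20 - AppInit_DLLs: rjdkti.dll` line as already gone, which matches what smogman saw and what pskelley explained: the CFScript had already deleted KAV64.EXE and cleared AppInit_DLLs before the HijackThis step was reached.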

smogman
2009-03-11, 22:04
SD the computer seems to be running better.

Malwarebytes' Anti-Malware 1.34
Database version: 1836
Windows 5.0.2195 Service Pack 4

2009-03-11 02:08:10
mbam-log-2009-03-11 (02-07-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 93401
Time elapsed: 19 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\18.tmp (Trojan.Downloader) -> No action taken.
C:\qoobox\Quarantine\C\C.tmp.vir (Trojan.Downloader) -> No action taken.
C:\qoobox\Quarantine\C\djdd.exe.vir (Trojan.Buzus) -> No action taken.
C:\qoobox\Quarantine\C\qgasd.exe.vir (Trojan.Agent) -> No action taken.
C:\qoobox\Quarantine\C\DOCUME~1\car4262\APPLIC~1\winantispyware2007freeinstall[1].exe.vir (Rogue.Installer) -> No action taken.
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir (Rogue.WinAntiSpyware) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp14.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\firewall.exe.vir (Trojan.Buzus) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\kav64.exe.vir (Trojan.Agent) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp17.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp19.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp1A.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp20.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp5.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\kazaabackupfiles\shServ.exe.vir (Trojan.Agent) -> No action taken.
C:\VundoFix Backups\rqRHxxuR.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp12.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp3B.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp3E.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp5.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\wincdnz.exe (Trojan.Agent) -> No action taken.

ComboFix 09-03-10.03 - CAR4262 2009-03-11 2:31:14.9 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.80 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\t\

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\documents and settings\car4262\Application Data\Malwarebytes
2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 01:06 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-11 01:06 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-03-10 22:54 . 09-03-10 22:54 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_648.dat
2009-03-10 22:24 . 09-03-10 22:24 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 03:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 03:21 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
R4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - MBAMSwissArmy
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 02:33:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-11 2:35:36
ComboFix-quarantined-files.txt 2009-03-11 07:35:18
ComboFix2.txt 2009-03-11 07:18:02
ComboFix3.txt 2009-03-11 04:05:49
ComboFix4.txt 2009-03-11 03:40:02
ComboFix5.txt 2009-03-11 07:30:47

Pre-Run: 486,882,816 bytes free
Post-Run: 478,696,448 bytes free


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:06, on 2009-03-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8352 bytes

pskelley
2009-03-11, 22:50
The items MBAM located all say: No action taken
If you would follow the posted instructions, they would all say:
Quarantined and deleted successfully.

Please run MBAM again and follow the directions this time. Post the scan results and a new HJT log run AFTER the MBAM scan.

smogman
2009-03-11, 23:03
There were 21 infections deleted, but then the computer locked up and I had to turn it off. I ran it again when I started back up, but I think they must have already been purged.

Should I repeat in any particular order ??

pskelley
2009-03-11, 23:15
Please show me the results of an MBAM scan run after this time. I don't care if it is clean or if what is found says Quarantined and deleted successfully.

Post a new HJT log that is created after the MBAM scan.

smogman
2009-03-12, 00:37
Malwarebytes' Anti-Malware 1.34
Database version: 1836
Windows 5.0.2195 Service Pack 4

2009-03-11 05:37:36
mbam-log-2009-03-11 (05-37-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 93297
Time elapsed: 19 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:39, on 2009-03-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8352 bytes

pskelley
2009-03-12, 00:57
Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


You have Kaspersky Online Scanner onboard, update that program and scan, post the results unless they are clean.

Thanks

smogman
2009-03-12, 04:45
Thanks.

I uninstalled Combofix as instructed.

Can you help me out with instructions to use Kaspersky Online Scanner?? I've never used it before. (Actually, I didn't even know I had it.)

pskelley
2009-03-12, 11:38
That may be an old, obsolete version then? If you have any problems with it, uninstall it and use the new version in the instructions.


http://www.kaspersky.com/kos/eng/partner/default/languages/english/check.html?n=1213442456390

1. Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
2. Click on the Accept button and install any components it needs.
3. The program will install and then begin downloading the latest definition files.
4. After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
5. This will start the program and scan your system.
6. The scan will take a while, so be patient and let it run.
7. Once the scan is complete, click on View scan report.
8. Now, click on the Save Report as button.
9. Save the file to your desktop.
10. Copy and paste that information in your next post.

smogman
2009-03-12, 16:07
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 11, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 12, 2009 12:02:50
Records in database: 1891096
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 31300
Threat name: 5
Infected objects: 9
Suspicious objects: 0
Duration of the scan: 01:03:17


File name / Threat name / Threats count
C:\16.tmp Infected: Trojan.Win32.Small.bct 1
C:\Documents and Settings\car4262\filip\duffy-mercy.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\car4262\filip\ramalamabangbang.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\car4262\filip\shake ya tailfeathers.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\car4262\filip\skake your pom pom.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\car4262\filip\starfield- i will go.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\car4262\gu.exe Infected: Trojan.Win32.Buzus.aovd 1
C:\Program Files\Common Files\System\kav88.exe Infected: Backdoor.Win32.Agent.aemu 1
C:\WINNT\Downloaded Program Files\10637-69.exe Infected: Trojan.Win32.Diamin.bz 1

The selected area was scanned.

pskelley
2009-03-12, 17:19
Someone using this computer is downloading infected .mp3 files. I suggest you discuss this with all users and have them read this:
http://forums.spybot.info/showthread.php?t=7344
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm
http://arstechnica.com/news.ars/post/20080316-kazaa-downloads-cost-one-man-750-per-song-in-riaa-suit.html

Make sure you can view hidden files and folders for your Operating System:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#win2000

Navigate to these files in RED and delete them.


C:\16.tmp

C:\Documents and Settings\car4262\filip\duffy-mercy.mp3

C:\Documents and Settings\car4262\filip\ramalamabangbang.mp3

C:\Documents and Settings\car4262\filip\shake ya tailfeathers.mp3

C:\Documents and Settings\car4262\filip\skake your pom pom.mp3

C:\Documents and Settings\car4262\filip\starfield- i will go.mp3

C:\Documents and Settings\car4262\gu.exe

C:\Program Files\Common Files\System\kav88.exe

C:\WINNT\Downloaded Program Files\10637-69.exe

Empty the Recycle Bin on the Desktop, restart the computer and post a last HJT log. How is this computer running now?

Thanks

smogman
2009-03-12, 18:14
Thanks, those mp3 downloads would be my kids, whom I'll need to talk to.


C:\Program Files\Common Files\System\kav88.exe

C:\WINNT\Downloaded Program Files\10637-69.exe


I deleted them all with the exception of the two above, which I could not find. There is no "system" folder inside Common Files, and 10637-69.exe was not inside Downloaded Program Files. (I did unhide all files in Folder Options, although my menu is slightly different.)

The computer is running pretty well. The only comment is that I noticed it was "thinking/working" when idle sometimes. Not sure if that's normal, but I did notice that a lot more before we first started this process.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12, on 2009-03-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=27986
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 9058 bytes

pskelley
2009-03-13, 02:33
It is very unlikely Kaspersky would find those pathways unless they exist. I suggest you use Search to be 100% sure they are not there.

Make sure you are still viewing all files and folders. Never having owned 2000 I will have to guess it is Start > Search, then type the files you wish to search for:

kav88.exe and 10637-69.exe

It may take a while, there are a lot of files to search through.

The only comment is that I noticed that it was "thinking/working" when idle sometimes.
I guess you are saying you have a lot of activity and you have a lot of running processes. Since I am not familiar with the Operating System I am going to suggest you ask for help here:

http://www.techsupportforum.com/microsoft-support/windows-nt-2000-2003-server-2008-server/
or here: http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

They might be able to give you some additional help with the OS.

Keep in mind all of this information will not apply to Windows 2000.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

smogman
2009-03-13, 14:12
thanks ds. I searched for the kav88.exe and this is all that came up. Should I delete them ???

fileaudit.edm
filecurr.edm
system.bak

pskelley
2009-03-13, 15:46
fileaudit.edm
filecurr.edm
system.bak

I have no idea what those are so it is impossible to advise you.

some information:
http://www.google.com/search?hl=en&q=edm+file&btnG=Google+Search&aq=f&oq=

http://www.google.com/search?hl=en&q=bak+file&btnG=Search

Here are free scanners to use when you are not sure about a file.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

smogman
2009-03-14, 00:30
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 13, 2009
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 13, 2009 18:50:20
Records in database: 1897167
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 31241
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:00:16


File name / Threat name / Threats count
C:\Program Files\Common Files\System\kav88.exe Infected: Backdoor.Win32.Agent.aemu 1
C:\WINNT\Downloaded Program Files\10637-69.exe Infected: Trojan.Win32.Diamin.bz 1


Here is another scan, looks like they are still there. The Kav88 says it's a backdoor trojan. Any idea why I can't find them to delete, or what to do next ??

Thanks

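The two posts above describe the same problem from both sides: the scanner reports full paths for the infected objects, but an Explorer search with the default view settings does not show them. An added example, not part of this thread and not code from Kaspersky or Safer Networking: a Python script that parses the detection lines out of a scanner report in the format posted above and then stats each path directly, which ignores Explorer's "show hidden files" setting and reports the hidden/system attributes that commonly keep such files out of a search. The sample report embedded below is constructed from the two detection lines in the post plus an invented "Suspicious:" line (the exact wording Kaspersky uses for suspicious objects is an assumption). Python 3 will not run on the Windows 2000 machine in the thread; the technique is for a practitioner reading now.

```python
import os
import re
import stat
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample report: the header line and the two detections from the
# post above, plus one assumed "Suspicious:" line so the parser's handling of
# both verdicts is exercised. The third path is invented.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Program Files\\Common Files\\System\\kav88.exe Infected: Backdoor.Win32.Agent.aemu 1
C:\\WINNT\\Downloaded Program Files\\10637-69.exe Infected: Trojan.Win32.Diamin.bz 1
C:\\WINNT\\system32\\example.dll Suspicious: HEUR:Trojan.Generic 1
"""

# A detection line: drive-letter path (may contain spaces), verdict, threat
# name, count. The non-greedy path group stops at the first "<ws>Verdict:".
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<verdict>Infected|Suspicious):\s+"
    r"(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


@dataclass
class Detection:
    path: str
    verdict: str
    threat: str
    count: int


def parse_kaspersky_report(text: str) -> List[Detection]:
    """Extract detection records; header and statistics lines are ignored."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def inspect_path(path: str) -> Dict[str, object]:
    """Look the path up with lstat(), which does not care about Explorer view
    settings. On Windows, st_file_attributes exposes the hidden/system bits;
    elsewhere the attribute word is absent and both flags read False."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"path": path, "exists": False}
    except PermissionError:
        return {"path": path, "exists": True, "error": "access denied"}
    except OSError as exc:
        return {"path": path, "exists": None, "error": str(exc)}
    attrs = getattr(st, "st_file_attributes", 0)
    return {
        "path": path,
        "exists": True,
        "size": st.st_size,
        "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM),
    }


def triage(report_text: str) -> List[Dict[str, object]]:
    """Parse the report and check each reported path on disk."""
    results = []
    for det in parse_kaspersky_report(report_text):
        info = inspect_path(det.path)
        info["threat"] = det.threat
        info["verdict"] = det.verdict
        results.append(info)
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

A file that exists but shows hidden/system attributes is exactly the case the thread is stuck on: Explorer's search skips it unless "Show hidden files and folders" and "Hide protected operating system files" are both adjusted. On the command line of that era the equivalent check is `dir /a /s C:\kav88.exe`, where `/a` lists hidden and system files as well.

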
pskelley
2009-03-14, 00:46
You can see where they are and I have no idea why you can not find them. I can't do that for you.

Thanks

smogman
2009-03-14, 18:00
Perhaps these are designed to be hidden somehow even though view settings are changed. Is there a program that can delete them when found ???

pskelley
2009-03-14, 18:03
I provided that information before:
http://www.bleepingcomputer.com/tutorials/tutorial62.html

when you locate the files, point your mouse and right click, then choose DELETE. Make sure you empty the Recycle Bin on the Desktop after you Delete them.

smogman
2009-03-14, 23:20
you mean spyware doctor 6 ??? is it same idea as kaspersky but also gives you the option to remove the infected files when found ???

Sorry I'm not an expert at this.

pskelley
2009-03-14, 23:23
I have never mentioned Spyware Doctor? If you can't locate those files yourself, I suggest you ask someone with more computer knowledge to lend you a hand. I have done about all I can do remotely.

pskelley
2009-03-15, 00:49
This member started a new topic...this one is closed.