
Thread: Require Assistance in Removing Virtumonde

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Location
    Oz
    Posts
    10

    Require Assistance in Removing Virtumonde

    Hi, I have recently discovered I have Virtumonde(.dll) running in my system.
    It created the random file wvUkHXPJ.dll and three or so entries.
    I would greatly appreciate help in resolving its removal. I've attempted removing things in the past with success, but this one has me stumped.

    I am curious as to what I should be posting first, could you please run me through the steps.

    Thank you,

    Jeremy

    P.S.
    I am running Windows XP SP3 (32bit)
    No antivirus installed (I know, bad thing...)

  2. #2
    Junior Member

    Correction & Kaspersky report

    Sorry, that is Windows XP Pro SP2 I am running (as seen below).
    ___________________________________________________________________

    The following is the Kaspersky online virus report:

    Sunday, June 08, 2008 3:30:43 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 8/06/2008
    Kaspersky Anti-Virus database records: 838608
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    Scan Statistics
    Total number of scanned objects 106161
    Number of viruses found 1
    Number of infected objects 2
    Number of suspicious objects 0
    Duration of the scan process 01:21:03

    Infected Object Name Virus Name Last Action
    C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    C:\WINDOWS\system32\ljJBrRll.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    Scan process completed.
    -------------------------------------------------------------------------

    I also ran a RAM scan and came up with the following results:

    Sunday, June 08, 2008 3:34:52 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 8/06/2008
    Kaspersky Anti-Virus database records: 838608
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target Memory
    Scan Statistics
    Total number of scanned objects 1852
    Number of viruses found 1
    Number of infected objects 5
    Number of suspicious objects 0
    Duration of the scan process 00:00:46

    Infected Object Name Virus Name Last Action
    [0] [System Process] => C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    [816] winlogon.exe => C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    [464] explorer.exe => C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    [780] Apoint.exe => C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    [3260] iexplore.exe => C:\WINDOWS\system32\fccyyVNE.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.yff skipped
    Scan process completed.
    --------------------------------------------------------------------------

    Apoint.exe is a mouse pointer application for the touchpad on this laptop (Fujitsu 6120).

    Cheers,

    Jeremy

  3. #3
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi diko41

    Please install AntiVir.


    After that, download and install TrendMicro HijackThis.
    * Once installed, open HijackThis by clicking Start > Programs > HijackThis and click the button labeled "Do a system scan only".

    * Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
    * Once the scan is complete the scan button will now read "Save log". Click this button to save the log file to your PC. Once you select where you would like to save the file, it will open in your system's default text editor. Typically this application is Notepad. Post the log here.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #4
    Junior Member

    HJT Report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:34:51 PM, on 10/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMT9LE.EXE
    D:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /FU "C:\WINDOWS\TEMP\E_S42B.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1209472357675
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209472347170
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

    --
    End of file - 7206 bytes

  5. #5
    Security Expert: Emeritus Blade81

    Hi

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

  6. #6
    Junior Member

    Combofix and HJT logs respectively

    ComboFix 08-06-09.7 - Jeremy 2008-06-10 17:41:57.1 - NTFSx86
    Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\dypwfcqj.ini
    C:\WINDOWS\system32\eeogoyhx.dll
    C:\WINDOWS\system32\fccdcYsq.dll
    C:\WINDOWS\system32\fccyyVNE.dll
    C:\WINDOWS\system32\JPXHkUvw.ini
    C:\WINDOWS\system32\JPXHkUvw.ini2
    C:\WINDOWS\system32\jqcfwpyd.dll
    C:\WINDOWS\system32\ljJBrRll.dll
    C:\WINDOWS\system32\qsYcdccf.ini
    C:\WINDOWS\system32\qsYcdccf.ini2
    C:\WINDOWS\system32\xhyogoee.ini

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D7C0BED-D841-499C-B67E-816DE6FE3689}]
    C:\WINDOWS\system32\wvUkHXPJ.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.exe" [2007-01-12 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-04-09 19:42 118784]
    "IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2002-08-28 09:20 81920]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-04-09 19:42 87751 C:\WINDOWS\AGRSMMSG.exe]
    "LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2002-08-27 11:01 61440]
    "LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2002-08-28 09:59 242688]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-09 19:42 114688]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 14:20 86016]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-01-12 17:17 110592 C:\WINDOWS\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    -ra------ 2008-04-01 13:21 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\WinSCP\\WinSCP.exe"=
    "C:\\Program Files\\Signal\\Signal.exe"=
    "C:\\Program Files\\TightVNC\\WinVNC.exe"=
    "C:\\Program Files\\Touchpad Pro\\Touchpad Media Server Trial\\TouchpadMediaServer.exe"=
    "C:\\Program Files\\Touchpad Pro\\Touchpad Media Server Trial\\TouchpadMediaServer.Patched.exe"=

    R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-04-16 13:00]
    R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 11:40]
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
    R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
    S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-04-16 13:00]
    S3 vhidmini;Cachya Virtual Joystick;C:\WINDOWS\system32\DRIVERS\vhidmini.sys []

    *Newly Created Service* - SSMDRV
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-16 21:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-10 18:03:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\S24EvMon.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\system32\RegSrvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\Program Files\Apoint2K\ApntEx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-10 18:13:09 - machine was rebooted [Jeremy]
    ComboFix-quarantined-files.txt 2008-06-10 08:12:45

    Pre-Run: 8,454,881,280 bytes free
    Post-Run: 8,360,423,424 bytes free

    258 --- E O F --- 2008-06-06 12:52:48

    --------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:16:23 PM, on 10/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4D7C0BED-D841-499C-B67E-816DE6FE3689} - C:\WINDOWS\system32\wvUkHXPJ.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /FU "C:\WINDOWS\TEMP\E_S42B.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1209472357675
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209472347170
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

    --
    End of file - 7937 bytes

  7. #7
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D7C0BED-D841-499C-B67E-816DE6FE3689}]

    Save this as
    CFScript

    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above mentioned ComboFix resultant log). How's the system running?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
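
The CFScript in the post above targets the one Browser Helper Object key that the HijackThis log lists as "(no name)" with a DLL in system32 reported as "(file missing)". As an added illustration (not part of the original posts and not code from HijackThis or ComboFix), this sketch parses O2 lines and reports entries that combine those signals. The function names and the two-signal threshold are assumptions made for the example.

```python
import ntpath
import re
from typing import Dict, List, NamedTuple

# Sample input: the four O2 lines are copied from the HijackThis log earlier in
# this thread; the O4 line is included to show that other sections are skipped.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D7C0BED-D841-499C-B67E-816DE6FE3689} - C:\WINDOWS\system32\wvUkHXPJ.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
"""

# "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

SYSTEM32 = r"c:\windows\system32"


class Bho(NamedTuple):
    name: str
    clsid: str
    path: str
    file_missing: bool


def parse_bho_lines(log_text: str) -> List[Bho]:
    """Return every O2 (Browser Helper Object) entry found in the log text."""
    entries = []
    for line in log_text.splitlines():
        match = O2_RE.match(line.strip())
        if match:
            entries.append(
                Bho(
                    name=match.group("name"),
                    clsid=match.group("clsid").upper(),
                    path=match.group("path"),
                    file_missing=match.group("missing") is not None,
                )
            )
    return entries


def triage(bho: Bho) -> List[str]:
    """List the weak signals an entry shows; none is conclusive by itself."""
    reasons = []
    if bho.name == "(no name)":
        reasons.append("no friendly name")
    # ntpath parses Windows paths correctly on any host OS.
    if ntpath.dirname(bho.path).lower() == SYSTEM32:
        reasons.append("DLL directly in system32")
    if bho.file_missing:
        reasons.append("target file missing")
    return reasons


def suspicious_bhos(log_text: str, min_signals: int = 2) -> Dict[str, List[str]]:
    """Map CLSID -> reasons for entries showing at least min_signals signals."""
    flagged = {}
    for bho in parse_bho_lines(log_text):
        reasons = triage(bho)
        if len(reasons) >= min_signals:
            flagged[bho.clsid] = reasons
    return flagged


if __name__ == "__main__":
    for clsid, reasons in suspicious_bhos(SAMPLE_LOG).items():
        print(clsid, "->", ", ".join(reasons))
```

An entry flagged this way is a candidate for review by a helper, not a removal decision.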

  8. #8
    Junior Member
    Join Date
    Jun 2008
    Location
    Oz
    Posts
    10

    Default new combofix log

    ComboFix 08-06-09.7 - Jeremy 2008-06-11 17:14:58.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.189 [GMT 10:00]
    Running from: C:\Documents and Settings\Jeremy\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jeremy\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-05-11 to 2008-06-11 )))))))))))))))))))))))))))))))
    .

    2008-06-11 17:14 . 2008-06-11 17:14 <DIR> d-------- C:\WINDOWS\LastGood
    2008-06-10 15:24 . 2008-06-10 15:24 <DIR> d-------- C:\Program Files\Avira
    2008-06-10 15:24 . 2008-06-10 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2008-06-09 15:45 . 2008-06-09 15:45 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-08 12:54 . 2008-06-08 12:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-06-08 12:54 . 2008-06-08 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-06-08 01:41 . 2008-06-08 12:19 151 --a------ C:\WINDOWS\wininit.ini
    2008-06-08 00:41 . 2008-06-08 00:41 <DIR> d-------- C:\Program Files\PowerISO
    2008-06-06 08:50 . 2008-06-06 08:50 <DIR> d-------- C:\Program Files\Karen's Power Tools
    2008-06-06 08:50 . 2008-06-06 08:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Karen's Power Tools
    2008-06-04 22:01 . 2008-06-04 22:01 <DIR> d-------- C:\Program Files\Touchpad Pro
    2008-06-04 20:47 . 2008-06-04 20:47 <DIR> d-------- C:\Documents and Settings\Jeremy\donkeycache
    2008-06-04 20:46 . 2008-06-04 21:17 <DIR> d-------- C:\Program Files\XMLSpear
    2008-06-04 20:24 . 2008-06-04 20:24 <DIR> d-------- C:\Program Files\TightVNC
    2008-06-03 18:41 . 2008-06-03 18:41 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Alloysoft
    2008-06-03 18:39 . 2008-06-03 18:39 <DIR> d-------- C:\Program Files\Signal
    2008-06-02 16:08 . 2008-06-02 16:13 <DIR> d-------- C:\Program Files\PTGui
    2008-06-02 16:08 . 2008-06-02 16:08 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\PTGui Pro
    2008-06-02 12:36 . 2008-06-02 12:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\WTablet
    2008-05-23 19:30 . 2008-05-23 19:30 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\WTablet
    2008-05-23 19:30 . 2007-09-07 11:31 3,499,304 --a------ C:\WINDOWS\system32\WacomTablet.cpl
    2008-05-23 19:30 . 2007-09-05 14:30 1,910,035 --a------ C:\WINDOWS\system32\WacomTablet.znc
    2008-05-23 19:30 . 2004-08-04 17:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
    2008-05-23 19:30 . 2004-08-04 17:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
    2008-05-23 19:30 . 2004-08-04 15:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
    2008-05-23 19:30 . 2004-08-04 15:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
    2008-05-23 19:29 . 2008-05-23 19:29 <DIR> d-------- C:\WINDOWS\system32\WTablet
    2008-05-23 19:29 . 2008-05-23 19:29 <DIR> d-------- C:\Program Files\Tablet
    2008-05-23 19:29 . 2007-09-07 11:40 1,373,480 --a------ C:\WINDOWS\system32\Wacom_Tablet.exe
    2008-05-23 19:29 . 2007-09-07 11:20 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
    2008-05-23 19:29 . 2007-09-07 11:33 128,296 --a------ C:\WINDOWS\system32\Wacom_Tablet.dll
    2008-05-23 19:29 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
    2008-05-23 19:29 . 2007-02-15 16:11 11,440 --a------ C:\WINDOWS\system32\drivers\WacomVKHid.sys
    2008-05-23 19:29 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
    2008-05-23 19:25 . 2008-05-23 19:25 <DIR> d-------- C:\Program Files\REAL SKY PRO EDITION
    2008-05-23 19:15 . 2008-05-23 19:22 <DIR> d-------- C:\Program Files\Pocket Tanks Deluxe 1.3
    2008-05-23 18:36 . 2008-05-23 18:36 <DIR> d-------- C:\Program Files\Easy Barcode Creator
    2008-05-23 18:34 . 2008-05-23 18:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-05-23 18:33 . 2008-05-23 18:34 <DIR> d-------- C:\Program Files\Barcode Maker 5
    2008-05-23 17:01 . 2008-06-08 16:27 69 --a------ C:\WINDOWS\NeroDigital.ini
    2008-05-23 16:58 . 2008-05-23 16:58 <DIR> d-------- C:\Program Files\Shockwave 3D Lights Redux for FS9
    2008-05-22 13:28 . 2008-05-22 13:28 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Nero
    2008-05-22 13:25 . 2008-05-22 13:25 <DIR> d-------- C:\Program Files\Nero
    2008-05-22 13:25 . 2008-05-22 13:27 <DIR> d-------- C:\Program Files\Common Files\Nero
    2008-05-22 13:25 . 2008-05-22 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
    2008-05-22 12:29 . 2008-05-22 12:29 <DIR> d-------- C:\Program Files\Red Kawa
    2008-05-22 12:29 . 2008-05-22 12:29 <DIR> d-------- C:\Program Files\AviSynth 2.5
    2008-05-21 23:06 . 2008-05-21 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-05-21 23:02 . 2008-06-04 22:21 156 --a------ C:\WINDOWS\Twunk001.MTX
    2008-05-21 23:02 . 2008-06-04 22:21 3 --a------ C:\WINDOWS\Twain001.Mtx
    2008-05-21 23:02 . 2008-05-21 23:02 0 --a------ C:\WINDOWS\Twunk002.MTX
    2008-05-21 22:23 . 2008-05-21 22:23 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
    2008-05-21 12:23 . 2008-05-21 12:23 <DIR> d-------- C:\WINDOWS\Sun
    2008-05-18 23:49 . 2008-05-18 23:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-05-18 23:49 . 2008-05-19 00:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-05-17 04:52 . 2008-05-17 04:52 <DIR> d-------- C:\Program Files\CleanCache 3.0
    2008-05-17 02:37 . 2008-05-17 02:37 51,600 --a------ C:\WINDOWS\system32\RadLightMPCUninstall.exe
    2008-05-16 22:52 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-05-16 22:51 . 2008-05-16 22:52 <DIR> d-------- C:\Program Files\Java
    2008-05-16 22:48 . 2008-05-16 22:48 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-05-14 16:15 . 2008-06-02 16:57 <DIR> d-------- C:\Program Files\WinSCP
    2008-05-14 15:01 . 2008-05-14 15:03 <DIR> d-------- C:\Program Files\FreeTrack
    2008-05-14 14:39 . 2008-05-14 14:39 61 ---hs---- C:\WINDOWS\cnerolf.dat
    2008-05-14 14:04 . 2008-05-14 14:04 <DIR> d-------- C:\Program Files\DIFX
    2008-05-14 14:04 . 2008-05-14 14:04 <DIR> d-------- C:\Program Files\Cachya Software
    2008-05-14 13:57 . 2008-05-14 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EPSON
    2008-05-14 13:57 . 2006-12-08 02:04 76,800 --a------ C:\WINDOWS\system32\E_FLB9LE.DLL
    2008-05-14 13:57 . 2006-04-19 02:00 62,976 --a------ C:\WINDOWS\system32\E_FD4B9LE.DLL
    2008-05-14 13:57 . 2004-09-10 20:12 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
    2008-05-14 13:55 . 2008-05-14 13:55 <DIR> d-------- C:\Program Files\EPSON
    2008-05-14 13:55 . 2008-05-14 13:55 <DIR> d-------- C:\EPSON SPR1800
    2008-05-14 13:50 . 2004-08-04 16:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
    2008-05-14 13:50 . 2004-08-04 16:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
    2008-05-14 10:59 . 2008-05-14 10:59 <DIR> d-------- C:\Program Files\Nikon
    2008-05-14 10:58 . 2008-05-14 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ultima_T15
    2008-05-14 10:58 . 2008-05-14 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EnterNHelp
    2008-05-14 10:58 . 2008-05-14 10:58 0 --a------ C:\Documents and Settings\All Users\Application Data\PKP_DLdy.DAT

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-07 15:23 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\uTorrent
    2008-05-21 12:39 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-05-20 18:56 --------- d-----w C:\Program Files\uTorrent
    2008-05-20 10:55 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-05-14 01:00 --------- d-----w C:\Program Files\Common Files\Nikon
    2008-05-10 06:52 --------- d-----w C:\Program Files\MSXML 4.0
    2008-05-07 05:42 --------- d-----w C:\Program Files\Microsoft Games
    2008-05-06 07:24 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\iPhoneRingToneMaker
    2008-05-06 04:52 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\Apple Computer
    2008-05-06 01:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-05-06 01:27 --------- d-----w C:\Program Files\iPhoneRingToneMaker
    2008-04-30 06:39 --------- d-----w C:\Program Files\MSXML 6.0
    2008-04-29 18:26 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\vlc
    2008-04-29 17:49 --------- d-----w C:\Program Files\Apoint2K
    2008-04-29 16:31 --------- d-----w C:\Program Files\Apple Software Update
    2008-04-29 16:13 --------- d-----w C:\Program Files\MSBuild
    2008-04-29 16:06 --------- d-----w C:\Program Files\Reference Assemblies
    2008-04-29 15:10 --------- d-----w C:\Program Files\iTunes
    2008-04-29 15:09 --------- d-----w C:\Program Files\iPod
    2008-04-29 15:09 --------- d-----w C:\Program Files\Bonjour
    2008-04-29 15:08 --------- d-----w C:\Program Files\QuickTime
    2008-04-29 15:06 --------- d-----w C:\Program Files\Common Files\Apple
    2008-04-29 15:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-04-29 14:55 --------- d-----w C:\Program Files\Windows Live
    2008-04-29 14:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
    2008-04-29 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-04-29 14:41 --------- d-----w C:\Program Files\Pro Imaging Powertoys
    2008-04-29 12:25 --------- d-----w C:\Program Files\AC3Filter
    2008-04-29 12:05 --------- d-----w C:\Program Files\Raxco
    2008-04-29 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
    2008-04-29 12:00 --------- d-----w C:\Program Files\VideoLAN
    2008-04-29 11:59 --------- d-----w C:\Program Files\Fujitsu
    2008-04-29 09:19 --------- d-----w C:\Program Files\Microsoft.NET
    2008-04-29 09:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
    2008-04-29 09:19 --------- d-----w C:\Program Files\Common Files\L&H
    2008-04-29 09:18 --------- d-----w C:\Program Files\Microsoft Works
    2008-04-29 08:51 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-04-29 08:47 --------- d-----w C:\Program Files\Intel
    2008-04-29 08:37 --------- d-----w C:\Program Files\DiskInternals
    2008-04-29 08:37 --------- d-----w C:\Program Files\7-Zip
    2008-04-29 08:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-04-29 08:20 --------- d-----w C:\Program Files\ltmoh
    2008-04-29 08:18 --------- d-----w C:\Program Files\usb_spk
    2008-04-29 08:18 --------- d-----w C:\Program Files\SigmaTel
    2008-04-29 08:10 --------- d-----w C:\Program Files\microsoft frontpage
    2008-04-29 08:09 558,142 ----a-w C:\WINDOWS\java\Packages\WBFP793H.ZIP
    2008-04-29 08:09 155,995 ----a-w C:\WINDOWS\java\Packages\YRNV1VNH.ZIP
    2008-04-16 03:00 230,664 ----a-w C:\WINDOWS\system32\PDBoot.exe
    2008-04-01 03:23 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
    2008-04-01 03:23 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
    2008-04-01 03:23 118,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-03-19 08:29 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
    2008-03-19 08:26 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
    2008-03-12 03:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
    .

    ((((((((((((((((((((((((((((( snapshot@2008-06-10_18.12.21.82 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "EPSON Stylus Photo R1800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.exe" [2007-01-12 05:00 177664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-04-09 19:42 118784]
    "IndicatorUtility"="C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe" [2002-08-28 09:20 81920]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-04-09 19:42 87751 C:\WINDOWS\AGRSMMSG.exe]
    "LoadBtnHnd"="C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe" [2002-08-27 11:01 61440]
    "LoadFujitsuQuickTouch"="C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe" [2002-08-28 09:59 242688]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-09 19:42 114688]
    "PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 14:20 86016]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 249896]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 17:56 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    C:\WINDOWS\System32\LgNotify.dll 2003-01-12 17:17 110592 C:\WINDOWS\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.ac3filter"= ac3filter.acm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    -ra------ 2008-04-01 13:21 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    --a------ 2007-12-13 19:10 1688872 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2007-12-03 14:21 2213160 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2007-03-01 14:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\WinSCP\\WinSCP.exe"=
    "C:\\Program Files\\Signal\\Signal.exe"=
    "C:\\Program Files\\TightVNC\\WinVNC.exe"=
    "C:\\Program Files\\Touchpad Pro\\Touchpad Media Server Trial\\TouchpadMediaServer.exe"=
    "C:\\Program Files\\Touchpad Pro\\Touchpad Media Server Trial\\TouchpadMediaServer.Patched.exe"=

    R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-04-16 13:00]
    R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 11:40]
    R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
    R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
    R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
    S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-04-16 13:00]
    S3 vhidmini;Cachya Virtual Joystick;C:\WINDOWS\system32\DRIVERS\vhidmini.sys []

    *Newly Created Service* - SSMDRV
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-05-16 21:23:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-11 17:19:04
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-06-11 17:22:46
    ComboFix-quarantined-files.txt 2008-06-11 07:21:42
    ComboFix2.txt 2008-06-10 08:13:10

    Pre-Run: 8,237,936,640 bytes free
    Post-Run: 8,221,175,808 bytes free

    229 --- E O F --- 2008-06-06 12:52:48

  9. #9
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Run Kaspersky online scanner and post back its report & a fresh hjt log (without forgetting above mentioned ComboFix resultant log). How's the system running?
    In case you missed this
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  10. #10
    Junior Member
    Join Date
    Jun 2008
    Location
    Oz
    Posts
    10

    Default updated Kaspersky scan log & HJT log

    The latest Combo fix log is posted above (the last one)... I decided to do this first & then do the online scan (Kaspersky)... the Kaspersky log & HJT logs are below...

    ---------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, June 12, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, June 11, 2008 09:22:20
    Records in database: 851314
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    E:\
    Scan statistics
    Files scanned 107117
    Threat name 3
    Infected objects 5
    Suspicious objects 0
    Duration of the scan 01:44:20

    File name Threat name Threats count
    C:\QooBox\Quarantine\C\WINDOWS\system32\eeogoyhx.dll.vir Infected: Trojan.Win32.Agent.rep 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fccdcYsq.dll.vir Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\fccyyVNE.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yff 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\jqcfwpyd.dll.vir Infected: Trojan.Win32.Agent.rep 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\ljJBrRll.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.yff 1
    The selected area was scanned.

    --------------------------------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:00:54 AM, on 12/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
    C:\WINDOWS\system32\Wacom_Tablet.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/ig
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
    O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LE.EXE /FU "C:\WINDOWS\TEMP\E_S42B.tmp" /EF "HKCU"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1209472357675
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1209472347170
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
    O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

    --
    End of file - 7805 bytes
    --------------------------------------------------------------------------

    btw the system is running ok-ish (6/10), this is probably due to the viruses/crud above and I have a slight feeling the A'Virus software is slowing it down a bit... (don't they all?).

    Btw,
    Thanks for all the help so far
