
Thread: ntload.dll

  1. #1
    Junior Member
    Join Date
    Apr 2010
    Posts
    5

    ntload.dll

    Re-opening original post;
    http://forums.spybot.info/showthread.php?t=56729

    Yes, I still require help. Sorry for the delay but I've had some trouble logging in to this forum with IE, finally figured out to try using Firefox and it worked. HJT log & uninstall list follows;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:30:06 AM, on 4/19/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18904)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\ICO.EXE
    C:\Windows\System32\Pelmiced.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
    C:\hp\kbd\kbd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\My Stuff\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O13 - Gopher Prefix:
    O15 - Trusted Zone: http://*.tenderfoot.com
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

    --
    End of file - 3362 bytes

    Uninstall List;

    µTorrent
    32 Bit HP CIO Components Installer
    7-Zip 4.64
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    Any Video Converter 2.7.6
    AssaultCube v1.0
    Avidemux 2.4
    CCleaner
    CODE OF HONOR 3 (1.0)
    Crysis WARHEAD(R)
    Crysis WARHEAD(R)
    Enhanced Multimedia Keyboard Solution
    FLAC 1.2.1b (remove only)
    Glary Utilities Pro 2.21.0.863
    GOM Player
    Governor of Poker
    Halo 2 for Windows Vista
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hoyle Card Games 2010 (remove only)
    HP Picasso Media Center Add-In
    HP Product Detection
    ImgBurn
    Indeo® Software
    Intel(R) Network Connections Drivers
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 19
    jStrip 3.1
    Kremlin
    LIVE gaming on Windows Runtime Version 1.0.6027
    Microsoft .NET Compact Framework 1.0 SP3
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2000 Premium
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable
    Mouse Suite
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Need for Speed Underground 2
    Norton Internet Security
    NVIDIA Display Control Panel
    NVIDIA Drivers
    NVIDIA nTune
    NVIDIA PhysX
    OpenAL
    PVSonyDll
    Realtek High Definition Audio Driver
    RenameWiz Version 3.4.2
    SBMAV Disk Cleaner Lite
    Sonic RecordNow Data
    Spybot - Search & Destroy
    System Requirements Lab
    TagScanner 5.1 build 555
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Windows 7 Upgrade Advisor
    WinRAR archiver
    Wolfenstein


    Web browser (IE) still loading slowly & frequent popups.
    Have installed Firefox which seems to load much faster.
    Anything from these lists throwing up a red flag?
    Thanks.
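
An added example, not part of the original thread or of any tool named in it: a small Python parser for a HijackThis log like the one in post #1. Logs pasted with Notepad word wrap enabled arrive with entries split across lines, so it rejoins them first, then groups entries by section code and lists a few to verify first. The function names, the constructed sample and the review heuristics are assumptions of this example, not findings from the thread.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry body
# Constructed sample: entries copied from the log in this thread, split as a wrapped paste.
SAMPLE = r"""Running processes:
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\17.6.0.32

\IPSBHO.DLL
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O15 - Trusted Zone: http://*.tenderfoot.com
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} -
http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
--""".splitlines()

def unwrap(lines):
    """Rejoin entries split across lines; skip the header and the footer."""
    entries = []
    for line in (raw.strip() for raw in lines):
        if line == "--":  # HijackThis end-of-log marker
            break
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:
            # a backslash-led fragment continues a path; anything else follows a space
            entries[-1] += ("" if line.startswith("\\") else " ") + line
    return entries

def parse(lines):
    """Group unwrapped entries by section code (O2, O4, O15, ...)."""
    grouped = {}
    for entry in unwrap(lines):
        code, body = ENTRY.match(entry).groups()
        grouped.setdefault(code, []).append(body)
    return grouped

def review_queue(grouped):
    """Entries to verify first; these heuristics are assumptions, not verdicts."""
    notes = []
    for body in grouped.get("O4", []):
        target = body.split("] ", 1)[-1]
        if "\\" not in target:  # bare file name, resolved through the search path
            notes.append(("O4", "autostart without full path: " + target))
    for body in grouped.get("O15", []):
        notes.append(("O15", "Trusted Zone site: " + body.split(": ", 1)[-1]))
    for body in grouped.get("O16", []):
        url = body.rsplit(" ", 1)[-1]
        if url.startswith("http://"):  # component fetched without TLS
            notes.append(("O16", "ActiveX source over plain HTTP: " + url))
    return notes
```

An entry in the review queue is a prompt to check which file or site it actually refers to, not a sign of infection.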

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    After that:

    Make sure word wrap in notepad is disabled.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.


    ---

    Download GMER here by clicking download exe -button and then saving it to your desktop:
    • Double-click .exe that you downloaded
    • Click rootkit-tab, uncheck files option and then click scan.
    • Don't check Show All box while scanning in progress!
    • When scanning is ready, click Copy.
    • This copies log to clipboard
    • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Apr 2010
    Posts
    5

    Logs attached

    Blade81,
    Logs attached as per your request.
    1st time I ran GMER, Vista blue-screened & rebooted.
    2nd time I ran GMER with ADS unchecked. 3rd time with ADS checked.
    Since my last post, I have uninstalled Norton as it seems to take forever to load. Using MS Security Essentials and Windows Firewall, now.
    Also uninstalled uTorrent as suggested.
    Thanks for your time & assistance.

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Please paste contents of logs next time instead of attaching them.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  5. #5
    Junior Member
    Join Date
    Apr 2010
    Posts
    5

    ComboFix

    Blade81,
    Tried to run ComboFix as per instructions.
    1st Prompt received; "detected rootkit activity" (auto re-booted)
    2nd Prompt after reboot "catchme.cfxxe application error" (bluescreen), then proceeded into an endless reboot cycle.
    Would not do; safe mode, command prompt, last known good config, or any other boot option. Inserted Vista installation disk & tried "Repair" 3 times - no luck.
    I'm in the process of reinstalling OS from scratch and hope that whatever happened is now gone or repaired (though I'd like to know what "it" was.)
    Thanks for trying, but it looks like it wasn't meant to be.

  6. #6
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Let's see if you're able to get any error message out there.

    1. Press F8 Before the Windows Vista loading screen
    2. Choose the Disable Automatic Restart on System Failure Option
    3. Wait while Windows Vista Attempts to Start.
    4. Note down error message if it's shown there.

  7. #7
    Junior Member
    Join Date
    Apr 2010
    Posts
    5

    Disable auto restart

    Disable auto restart had no impact on reboot.
    I've re-installed most of my software and (so far) everything looks fine.
    Thanks for your time.

  8. #8
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Glad things work again. Unfortunately, method wasn't likely the desired one this time. Positive thing is that system is clean for sure now.
