Can you help remove Virtumonde trojan, please?

smogman

New member
I have tried several times with Spybot 1.6 and VundoFix, but it always seems to show up again on a rescan.

Can anyone help?
 
My HJT scan is below; can anyone help with this one?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:27, on 2009-03-05
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\firewall.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6112C2F6-B4CA-4DDE-BFC2-E359D111BF2C} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\dkjcjnul.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 10394 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above, are the directions; make sure you have read and followed them, then post the requested logs, and please mention any recent symptoms.

This looks like a company or corporate computer, and it is badly infected. Please see this information.
http://www.systemlookup.com/Startup/15072.html
http://www.sophos.com/security/analyses/viruses-and-spyware/w32poebotj.html
W32/Poebot-J allows a remote attacker to steal internet account user names and passwords, download and execute files from the internet, flood other computers with network packets, retrieve system information and execute arbitrary commands by opening a remote shell on the infected computer.

And that is far from all of the infections!

http://forums.spybot.info/showpost.php?p=25712&postcount=5
Note: When the infected computer in question is a company machine in the workplace, and you are an employee.

The intention of this forum is not to replace a company's IT department, nor can we anticipate alterations or configurations that may have been made to a business machine, or how it will interact with the tools commonly used in the removal of malware.

More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.

To prevent any possible loss or corruption of company information, please inform your IT department or Supervisor when a workplace computer has been infected, immediately.

Thanks for your understanding.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
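The entries pskelley is pointing at can be picked out of a HijackThis log mechanically, and the reason the earlier Spybot/VundoFix runs "always show up again" is visible when two scans are put side by side. The script below is an added example written for this thread, not code from the original posts or from the HijackThis, Spybot or VundoFix projects. It applies a few heuristics to O2/O4/O20 lines (a BHO with no class name or a GUID as its name, rundll32 calling a one-letter export of a DLL, any AppInit_DLLs value, and a Run value whose name borrows "Windows" or "Microsoft" but whose image is not under Program Files), then diffs two scans and reports autostart entries whose DLL or CLSID changed between reboots. The sample lines are copied from the logs posted in this thread and split into two constructed scans; the rules and thresholds are assumptions of this example and will flag some legitimate software, so every hit still needs a human look.

```python
import re

# Constructed sample input: O2/O4/O20 lines copied from the HijackThis logs
# posted above and split into two scans a reboot apart. Benign lines (Java,
# Symantec, Spybot) are kept so the rules have something to leave alone.
SCAN_1 = r"""
O2 - BHO: (no name) - {6112C2F6-B4CA-4DDE-BFC2-E359D111BF2C} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\dkjcjnul.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

SCAN_2 = r"""
O2 - BHO: (no name) - {18699115-5793-4B5A-9352-D74EC02EEED2} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: {73f1c59e-ab07-8b28-4404-fb4b61556b09} - {90b65516-b4bf-4044-82b8-70bae95c1f37} - C:\WINNT\system32\powjti.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\noeojbny.dll",b
O20 - AppInit_DLLs: hcxmud.dll
"""

BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$')
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
# rundll32 "<dll>",<single letter>: a one-letter export is not something a
# vendor ships, but it is how the DLLs in these logs are started (heuristic).
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*[A-Za-z]\s*$', re.I)
GUID_RE = re.compile(r'^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$', re.I)
HEXNAME_RE = re.compile(r'^[0-9a-f]{6,}$', re.I)          # Run value named like "0ca61319"
OSWORD_RE = re.compile(r'\b(windows|microsoft)\b', re.I)   # name borrowed from the OS vendor
PROGFILES_RE = re.compile(r'program files|progra~\d', re.I)


def analyze(scan):
    """Return [(line, reason)] for every entry that trips at least one rule."""
    findings = []
    for line in (l.strip() for l in scan.splitlines()):
        m = BHO_RE.match(line)
        if m:
            name = m.group('name')
            if name == '(no name)' or GUID_RE.match(name):
                findings.append((line, 'BHO without a class name, loaded from ' + m.group('path')))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append((line, 'AppInit_DLLs injects %s into every process that maps user32.dll' % m.group('dlls')))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        reasons = []
        r = RUNDLL_RE.search(cmd)
        if r:
            reasons.append('rundll32 calls a one-letter export of ' + r.group('dll'))
        if HEXNAME_RE.match(name):
            reasons.append('Run value name is a random hex string')
        if OSWORD_RE.search(name) and not PROGFILES_RE.search(cmd):
            reasons.append('OS-sounding value name but image is not an installed product: ' + cmd)
        if reasons:
            findings.append((line, '; '.join(reasons)))
    return findings


def volatile(scan_a, scan_b):
    """Entries present in both scans under the same Run value name or the same
    BHO DLL path but with a different command or CLSID. A fix that targets the
    file name seen in one scan misses the next incarnation."""
    def index(scan):
        idx = {}
        for line in (l.strip() for l in scan.splitlines()):
            m = RUN_RE.match(line)
            if m:
                idx['run:' + m.group('name')] = m.group('cmd')
            m = BHO_RE.match(line)
            if m:
                idx['bho:' + m.group('path').lower()] = m.group('clsid').upper()
        return idx
    a, b = index(scan_a), index(scan_b)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


if __name__ == '__main__':
    for label, scan in (('scan 1', SCAN_1), ('scan 2', SCAN_2)):
        for line, reason in analyze(scan):
            print('%s: %s\n    %s' % (label, line, reason))
    for key, (before, after) in sorted(volatile(SCAN_1, SCAN_2).items()):
        print('changed between scans: %s\n    %s\n    %s' % (key, before, after))
```

Run stand-alone it lists the flagged lines of each scan, then shows that the `[0ca61319]` Run value points at a different DLL in each scan and that `qoMcbayA.dll` is registered under a different CLSID each time, while `vptray` and `fxsteller.exe` are unchanged. The diff is the useful part: tools that remove the file name they saw last time leave the autostart key to be repopulated at the next boot, which matches what the poster describes.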
 
Thanks, pskelley.

Actually this used to be my work computer several years ago but no longer is. My kids use it most of the time.

Can you help from here?
 
Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

OK, but you understand that does not change the information I posted about this infection. If you wish to try to clean it, then read and follow the "Before you Post" directions, disable TeaTimer as instructed and then post a new HJT log.

Thanks
 
What is TeaTimer and how do I disable it?

I just want to try and clean it so that I can take off some files that I wanted to keep. Then I will blow everything away and reload the OS.
 
I just want to try and clean it so that I can take off some files that I wanted to keep. Then I will blow everything away and reload the OS.
Look forward to a lot of work to clean this computer. If you are intending to reformat anyway, you may want to pull the plug until you have the time to do that?
What is TeaTimer and how do I disable it?
If you would take the time to read the directions, you would have the answer to that question.
When Spybot-S&D is installed.
TeaTimer needs to be disabled so that its protection does not interfere with fixes.
How Spybot-S&D protects against the installation of Spyware/Malware.
TeaTimer can be re-enabled once the computer is clean.
Understand that "I will blow everything away and reload OS" will not remove this infection. It will require a complete reformat of the computer.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
 
OK, thanks pskelley. I think I understand what you are saying.

My thought was to try and clean it first so that I could pull a few files I wanted to keep before I reformat and lose everything. Are you saying it's not worth it to do this? I'll go with whatever advice you think is best! Thanks.
 
I am sorry. I believe I have provided information to help you make your decisions; I cannot make them for you.
 
OK, thanks ps, let's try and clean it up first. Here is a new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:53, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\firewall.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\KAV64.EXE
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {379FC1ED-31A8-485A-AD0E-4EA5163F0A00} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {017b14cc-35c8-caeb-4814-3cbc273cc3d5} - {5d3cc372-cbc3-4184-beac-8c53cc41b710} - C:\WINNT\system32\hcxmud.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\rrjumuof.dll",b
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: hcxmud.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 10104 bytes
 
TeaTimer is still not disabled?
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Post a new HJT log when that has been done.
 
OK, sorry, I didn't realize I had to shut off and start again after unchecking it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:40, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\fxsteller.exe
C:\WINNT\system32\firewall.exe
C:\WINNT\system32\KAV64.EXE
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideppg.web.ppg.com
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {18699115-5793-4B5A-9352-D74EC02EEED2} - C:\WINNT\system32\qoMcbayA.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O2 - BHO: {73f1c59e-ab07-8b28-4404-fb4b61556b09} - {90b65516-b4bf-4044-82b8-70bae95c1f37} - C:\WINNT\system32\powjti.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [AccessManager] C:\Program Files\AccessManager\Client\AccessMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxsteller.exe
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINNT\system32\firewall.exe
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKLM\..\Run: [0ca61319] rundll32.exe "C:\WINNT\system32\noeojbny.dll",b
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [1] "\\nac.ppg.com\netlogon\gpfix\gpfix.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [2] "\\nac.ppg.com\netlogon\gpfix\gplog.vbs"
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: powjti.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 9872 bytes
 
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) A word of warning: Neither I nor sUBs is responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instructions on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
ComboFix 09-03-10.01 - CAR4262 2009-03-10 7:25:08.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.105 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\MyWay
c:\winnt\aycddd.ini
c:\winnt\dffggh.ini
c:\winnt\fxstaller.exe
c:\winnt\IE4 Error Log.txt
c:\winnt\psuvxx.ini
c:\winnt\smdat32m.sys
c:\winnt\system32\acnqgegr.dll
c:\winnt\system32\AyabcMoq.ini
c:\winnt\system32\AyabcMoq.ini2
c:\winnt\system32\bnutrx.dll
c:\winnt\system32\cmeiwn.dll
c:\winnt\system32\cwbpiyce.ini
c:\winnt\system32\drivers\seneka.sys
c:\winnt\system32\ecyipbwc.dll
c:\winnt\system32\firewall.exe
c:\winnt\system32\foumujrr.ini
c:\winnt\system32\gotjoiyo.dll
c:\winnt\system32\hcxmud.dll
c:\winnt\system32\hhgfwz.dll
c:\winnt\system32\htiwevbo.dll
c:\winnt\system32\htlbrcqb.dll
c:\winnt\system32\iboijwew.dll
c:\winnt\system32\igreal.dll
c:\winnt\system32\ijyhgwry.dll
c:\winnt\system32\ildbapfw.dll
c:\winnt\system32\injkqtwx.dll
c:\winnt\system32\jijyennr.dll
c:\winnt\system32\kazaabackupfiles
c:\winnt\system32\kazaabackupfiles\shServ.exe
c:\winnt\system32\lhbjjcnc.dll
c:\winnt\system32\mdm.exe
c:\winnt\system32\mfihyede.ini
c:\winnt\system32\noeojbny.dll
c:\winnt\system32\notqmh.dll
c:\winnt\system32\nqgasuav.dll
c:\winnt\system32\oxsaxlux.ini
c:\winnt\system32\pckugcxp.dll
c:\winnt\system32\powjti.dll
c:\winnt\system32\qhtvaaia.dll
c:\winnt\system32\qmalggdt.ini
c:\winnt\system32\qoMcbayA.dll
c:\winnt\system32\rjdkti.dll
c:\winnt\system32\rrjumuof.dll
c:\winnt\system32\swqnlinw.dll
c:\winnt\system32\tdgglamq.dll
c:\winnt\system32\ujckgyje.dll
c:\winnt\system32\UpMedia
c:\winnt\system32\vujnhnrt.dll
c:\winnt\system32\webcl32.dll
c:\winnt\system32\xypyggcj.dll
c:\winnt\system32\ynbjoeon.ini
c:\winnt\t\
c:\winnt\waabdd.ini
c:\winnt\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://hummerbonk.com
hxxp://sclkfile02.nac.ppg.com
hxxp://sclkfile04.nac.ppg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RpcPatch
-------\Service_RpcTftpd
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-02-10 to 2009-03-10 )))))))))))))))))))))))))))))))
.

2009-03-10 07:29 . 09-03-10 07:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_578.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-09 03:50 . 09-03-09 04:05 514 --a------ C:\kk.exe
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-07 11:20 . 09-03-07 11:20 275 --a------ C:\xrtv.exe
2009-03-05 05:55 . 09-03-05 05:55 106,034 --a------ C:\fgjjkq.exe
2009-03-05 04:42 . 09-03-05 04:42 93,266 ---h----- c:\winnt\system32\kav64.exe
2009-03-05 04:42 . 09-03-05 04:42 93,266 --a------ C:\qgasd.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft
2009-03-03 18:17 . 09-03-03 18:17 5,449 --a------ C:\mooo.exe
2009-03-02 18:43 . 09-03-02 18:43 102,912 --a------ c:\winnt\tyz.exe
2009-03-02 18:43 . 09-03-02 18:43 102,912 --a------ C:\tyz.exe
2009-03-02 18:13 . 09-03-02 18:41 102,912 --a------ C:\tupy.exe
2009-03-02 18:11 . 09-03-02 18:12 102,912 --a------ C:\ssetup.exe
2009-03-02 17:45 . 09-03-02 17:45 111,342 --a------ C:\djdd.exe
2009-03-02 17:35 . 09-03-02 17:35 1,922 --a------ C:\famieln.exe
2009-03-02 17:23 . 09-03-02 17:27 90,112 --a------ C:\addsd.exe
2009-03-02 17:09 . 09-03-02 17:09 5,569 --a------ C:\shdgghsdf.exe
2009-03-02 17:01 . 09-03-02 17:01 102,912 --a------ C:\linstall.exe
2009-03-02 17:01 . 09-03-02 16:23 48,690 -r-hs---- c:\winnt\fxsteller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2009-03-10 10:34 --------- d-----w c:\program files\LimeWire
2009-03-05 02:11 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-04 11:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-10 03:43 --------- d-----w c:\program files\Common Files\Adaptec Shared
2009-01-10 03:33 --------- d-----w c:\program files\Easy CD & DVD Cover Creator
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Update"="KAV64.EXE" [09-03-05 04:42 93266 c:\winnt\system32\kav64.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 03:00 132496]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]
"Microsoft Update"="KAV64.EXE" [09-03-05 04:42 93266 c:\winnt\system32\kav64.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"3"="c:\program files\Novadigm\radppgui.exe" [06-10-16 12:25 138090]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=rjdkti.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]
S4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - uphcleanhlp
.
- - - - ORPHANS REMOVED - - - -

BHO-{07ee3f2b-dec6-40dd-a579-9243480029a8} - c:\winnt\system32\rjdkti.dll
BHO-{A7BF8473-74F3-4C98-B2FA-2CDCCAA29F4B} - c:\winnt\system32\qoMcbayA.dll
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKLM-Run-AccessManager - c:\program files\AccessManager\Client\AccessMgr.exe
HKLM-Run-Windows Network Firewall - c:\winnt\system32\firewall.exe
HKLM-Run-0ca61319 - c:\winnt\system32\ecyipbwc.dll
HKCU-Explorer_Run-1 - \\nac.ppg.com\netlogon\gpfix\gpfix.vbs
HKCU-Explorer_Run-2 - \\nac.ppg.com\netlogon\gpfix\gplog.vbs


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: ppg.com\*.trustweb
Trusted Zone: ppg.com\*.trustweb
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 07:29:46
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Update = KAV64.EXE?spyrulz?#!spy!?r0x????????Microsoft Update????????Microsoft Update?hidden v1.0????????????mIRC v6.03 Khaled Mardam-Be
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Update = KAV64.EXE?spyrulz?#!spy!?r0x????????Microsoft Update????????Microsoft Update?hidden v1.0????????????mIRC v6.03 Khaled Mardam-Be

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_5b4.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-10 7:33:51 - machine was rebooted [CAR4262]
ComboFix-quarantined-files.txt 2009-03-10 12:33:47
ComboFix2.txt 2007-09-19 21:41:01

Pre-Run: 247,802,880 bytes free
Post-Run: 265,146,368 bytes free

238

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:35, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\KAV64.EXE
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: rjdkti.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 9357 bytes


Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Shockwave Player
Advanced Registry Optimizer
ATI Display Driver
Brother Driver Deployment Wizard
Brother Drivers
Brother MFL-Pro Suite
CAIR 4.5
CONEXANT HCF V90 56K DATA FAX PCI MODEM (Uninstall)
Conexant HSF V92 56K Data Fax PCI Modem
Dial Analysis
Dial Analysis
DirectX 8.1 Hotfix - KB839643
Explore From Here (Remove only)
HijackThis 2.0.2
IE5 Registration
Intel Ultra ATA Storage Driver
Intel(R) PRO Ethernet Adapter and Software
IP VPN RS Nortel v4.65 (3DES)
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Juniper Networks Network Connect 5.2.0
Juniper Networks Network Connect 5.3.0
Kaspersky Online Scanner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
OpSession Engine
Outlook Express Q823353
Photo Loader 2.3E
Rights Management Add-on for Internet Explorer
Shockwave
SmartDeviceMonitor for Client
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Symantec pcAnywhere
TreeSize Professional 2.4
User Profile Hive Cleanup Service
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB823980
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828028
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB829707
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB871250
Windows 2000 Hotfix - KB873333
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885250
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB888113
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890175
Windows 2000 Hotfix - KB890859
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB891781
Windows 2000 Hotfix - KB892294
Windows 2000 Hotfix - KB893066
Windows 2000 Hotfix - KB893086
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB921883
Windows 2000 Hotfix - KB925486
Windows Media Player 7.1
Windows Media Player Hotfix [See wm828026 for more information]
Windows Rights Management Client
Windows Rights Management Client Backwards Compatibility
WinZip
WinZip Command Line Support Add-On
WorldCom IP VPN Remote Access 4.60 (3DES)
 
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Flash Player ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2

Both out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy 1.4 <<< uninstall that old version
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html

LimeWire <<< I see p2p programs with no uninstaller, see this:
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
ComboFix will remove p2p programs. If you don't want to do that, don't proceed past here; let me know and I will close this thread.


Follow the directions carefully and in the numbered order.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\kk.exe
C:\xrtv.exe
C:\fgjjkq.exe
C:\qgasd.exe
C:\mooo.exe
c:\winnt\tyz.exe
C:\tyz.exe
C:\tupy.exe
C:\ssetup.exe
C:\djdd.exe
C:\famieln.exe
C:\addsd.exe
C:\shdgghsdf.exe
C:\linstall.exe
c:\winnt\fxsteller.exe
C:\WINNT\system32\KAV64.EXE
c:\winnt\system32\Perflib_Perfdata_5b4.dat 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

Folder::
c:\program files\LimeWire
c:\documents and settings\car4262

Save this as CFScript

[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O20 - AppInit_DLLs: rjdkti.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now?

Thanks
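The helper's steps 2 and 3 interact: ComboFix runs the CFScript first, so some of the HijackThis lines listed for "Fix checked" may already be gone by the time HJT is opened. As an added example (not code from the posts above, and not part of HijackThis or ComboFix), here is a small Python double-check that parses HJT-style log lines, reports which requested fix lines are still present in a fresh log and which have already been removed, and lists any DLLs still registered in the O20 AppInit_DLLs loading point. The requested lines are the ones from the post above; the fresh log is a constructed excerpt of the second HJT log in this thread.

```python
"""Reconcile a HijackThis 'Fix checked' list against a fresh HJT log.

Added example for this thread, not a HijackThis/ComboFix feature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis item line looks like "O4 - HKLM\..\Run: [name] path".
# Section codes are R0-R3, F0-F3, N1-N4 and O1-O24.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# The lines the helper asked to fix (copied from the post above).
REQUESTED_FIXES = [
    r"O4 - HKLM\..\Run: [Microsoft Update] KAV64.EXE",
    r"O4 - HKCU\..\RunOnce: [Microsoft Update] KAV64.EXE",
    r'O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"',
    r"O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com",
    r"O15 - Trusted Zone: *.trustweb.ppg.com",
    r"O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com",
    r"O20 - AppInit_DLLs: rjdkti.dll",
]

# Constructed excerpt of the post-ComboFix HJT log: the KAV64 and O20 lines
# are gone, the Novadigm/IE-zone/domain lines remain.
NEW_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
"""


@dataclass(frozen=True)
class HjtEntry:
    code: str  # section code, e.g. "O4" or "O20"
    body: str  # everything after "O4 - "


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the item lines of a HijackThis log, in order; header/footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group("code"), m.group("body")))
    return entries


def normalize(body: str) -> str:
    """Windows paths and registry keys are case-insensitive; whitespace is not significant."""
    return re.sub(r"\s+", " ", body).strip().lower()


def reconcile(requested: list[str], log_text: str) -> dict[str, list[str]]:
    """Split the requested fix lines into those still in the log and those already gone."""
    present = {normalize(e.body) for e in parse_hjt(log_text)}
    result: dict[str, list[str]] = {"still_present": [], "already_gone": []}
    for line in requested:
        m = HJT_LINE.match(line.strip())
        key = normalize(m.group("body")) if m else normalize(line)
        bucket = "still_present" if key in present else "already_gone"
        result[bucket].append(line.strip())
    return result


def appinit_dlls(log_text: str) -> list[str]:
    """DLL names from O20 AppInit_DLLs lines (the loading point the CFScript cleared)."""
    dlls: list[str] = []
    for e in parse_hjt(log_text):
        if e.code == "O20" and e.body.lower().startswith("appinit_dlls:"):
            value = e.body.split(":", 1)[1]
            dlls.extend(d for d in re.split(r"[,\s]+", value) if d)
    return dlls


if __name__ == "__main__":
    report = reconcile(REQUESTED_FIXES, NEW_HJT_LOG)
    print("Still present, tick these in HJT:")
    for line in report["still_present"]:
        print("  " + line)
    print("Already removed (by CFScript), nothing to tick:")
    for line in report["already_gone"]:
        print("  " + line)
    print("AppInit_DLLs still registered:", appinit_dlls(NEW_HJT_LOG) or "none")
```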
 
Hi PS. I did remove the programs as instructed and ran ComboFix using the Notepad codebox you supplied.

I could not find some of the "fix checked" items you asked me to select in HJT, so I stopped. I have posted the combofix.txt and a new HJT log since I wasn't sure if I should continue without the missing items checked.

ComboFix 09-03-10.03 - CAR4262 2009-03-10 22:34:23.6 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.49 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\car4262\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\addsd.exe
C:\djdd.exe
C:\famieln.exe
C:\fgjjkq.exe
C:\kk.exe
C:\linstall.exe
C:\mooo.exe
C:\qgasd.exe
C:\shdgghsdf.exe
C:\ssetup.exe
C:\tupy.exe
C:\tyz.exe
c:\winnt\fxsteller.exe
c:\winnt\system32\KAV64.EXE
c:\winnt\system32\Perflib_Perfdata_5b4.dat
c:\winnt\tyz.exe
C:\xrtv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\addsd.exe
C:\djdd.exe
C:\famieln.exe
C:\fgjjkq.exe
C:\kk.exe
C:\linstall.exe
C:\mooo.exe
c:\program files\LimeWire
c:\program files\LimeWire\GenericWindowsUtils.dll
c:\program files\LimeWire\i18n.jar
c:\program files\LimeWire\jl011.jar.tmp
c:\program files\LimeWire\lib\jl011.jar
c:\program files\LimeWire\lib\MessagesBundles.jar
c:\program files\LimeWire\lib\mp3sp14.jar
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\lib\vorbis.jar
c:\program files\LimeWire\LimeWire20.dll
c:\program files\LimeWire\MessagesBundles.jar.tmp
c:\program files\LimeWire\mp3sp14.jar.tmp
c:\program files\LimeWire\vorbis.jar.tmp
c:\program files\LimeWire\WindowsFirewall.dll
c:\program files\LimeWire\WindowsV5PlusUtils.dll
c:\program files\LimeWire\xerces.jar
c:\program files\LimeWire\xml-apis.jar
C:\qgasd.exe
C:\shdgghsdf.exe
C:\ssetup.exe
C:\tupy.exe
C:\tyz.exe
c:\winnt\fxsteller.exe
c:\winnt\system32\KAV64.EXE
c:\winnt\t\
c:\winnt\tyz.exe
C:\xrtv.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-10 22:24 . 09-03-10 22:24 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 03:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 03:21 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"3"="c:\program files\Novadigm\radppgui.exe" [06-10-16 12:25 138090]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
R4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: ppg.com\*.trustweb
Trusted Zone: ppg.com\*.trustweb
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 22:36:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-10 22:40:01
ComboFix-quarantined-files.txt 2009-03-11 03:39:51
ComboFix2.txt 2009-03-10 12:33:52
ComboFix3.txt 2007-09-19 21:41:01

Pre-Run: 494,209,536 bytes free
Post-Run: 487,394,816 bytes free

188


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23, on 2009-03-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Novadigm\radppgui.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKCU\..\Policies\Explorer\Run: [3] "C:\Program Files\Novadigm\radppgui.exe"
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com
O15 - Trusted Zone: *.trustweb.ppg.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8561 bytes
 
Continue with the instructions; CFScript removes items before HJT and I do a double-check. Once you finish following the MBAM instructions, post a new HJT log and provide some feedback about performance.

Thanks
 
SD, the computer seems to be running better.

Malwarebytes' Anti-Malware 1.34
Database version: 1836
Windows 5.0.2195 Service Pack 4

2009-03-11 02:08:10
mbam-log-2009-03-11 (02-07-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 93401
Time elapsed: 19 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\18.tmp (Trojan.Downloader) -> No action taken.
C:\qoobox\Quarantine\C\C.tmp.vir (Trojan.Downloader) -> No action taken.
C:\qoobox\Quarantine\C\djdd.exe.vir (Trojan.Buzus) -> No action taken.
C:\qoobox\Quarantine\C\qgasd.exe.vir (Trojan.Agent) -> No action taken.
C:\qoobox\Quarantine\C\DOCUME~1\car4262\APPLIC~1\winantispyware2007freeinstall[1].exe.vir (Rogue.Installer) -> No action taken.
C:\qoobox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir (Rogue.WinAntiSpyware) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp14.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\firewall.exe.vir (Trojan.Buzus) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\kav64.exe.vir (Trojan.Agent) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp17.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp19.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp1A.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp20.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\tmp5.tmp.dll.vir (Trojan.Vundo) -> No action taken.
C:\qoobox\Quarantine\C\WINNT\system32\kazaabackupfiles\shServ.exe.vir (Trojan.Agent) -> No action taken.
C:\VundoFix Backups\rqRHxxuR.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp12.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp3B.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp3E.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\VundoFix Backups\tmp5.tmp.dll.bad (Trojan.Vundo) -> No action taken.
C:\wincdnz.exe (Trojan.Agent) -> No action taken.

ComboFix 09-03-10.03 - CAR4262 2009-03-11 2:31:14.9 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.254.80 [GMT -5:00]
Running from: c:\documents and settings\car4262\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\t\

.
((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\documents and settings\car4262\Application Data\Malwarebytes
2009-03-11 01:06 . 09-03-11 01:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-11 01:06 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-03-11 01:06 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-03-10 22:54 . 09-03-10 22:54 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_648.dat
2009-03-10 22:24 . 09-03-10 22:24 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_694.dat
2009-03-10 05:39 . 09-03-10 05:39 54,156 --ah----- c:\winnt\QTFont.qfn
2009-03-10 05:39 . 09-03-10 05:39 1,409 --a------ c:\winnt\QTFont.for
2009-03-07 11:21 . 09-03-07 11:21 107,902 --a------ c:\documents and settings\car4262\gu.exe
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-03-04 09:27 . 09-03-04 09:27 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2009-03-04 06:15 . 09-03-04 06:15 <DIR> d-------- c:\documents and settings\car4262\Application Data\Sammsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 03:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-11 03:21 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-10 10:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 10:40 --------- d-----w c:\program files\QuickTime
2004-05-06 16:11 777 ----a-w c:\program files\trial_setup.ini
2004-05-06 16:11 4,289,024 ----a-w c:\program files\trial_setup.msi
2000-11-30 22:59 271 ---h--w c:\program files\desktop.ini
2000-11-30 22:59 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

04-11-02 12:28 11264 8eabf9f47cb3f30541830a6f2ef0a934 c:\winnt\system32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ConfSrv"="c:\program files\PPG\Setups\ConfSrv.vbs" [03-05-22 11:52 2511]
"AROReminder"="c:\program files\Advanced Registry Optimizer\ARO.exe" [08-08-22 16:33 2084480]
"ctfmon.exe"="ctfmon.exe" [04-11-02 12:28 11264 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [02-03-26 20:28 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [02-03-26 20:20 106496]
"PrinTray"="c:\winnt\System32\spool\DRIVERS\W32X86\2\printray.exe" [01-03-27 03:08 36864]
"vptray"="c:\progra~1\Navnt\vptray.exe" [03-12-17 21:00 90112]
"SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [04-05-25 08:16 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [04-07-20 08:34 851968]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [05-08-01 13:22 151552]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [00-11-04 03:09 40960]
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 111376 c:\winnt\system32\mobsync.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 07:00 20752 c:\winnt\system32\internat.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 11:05 186640]

c:\documents and settings\PLTAdmin\Start Menu\Programs\Startup\
ReadMe1st.lnk - c:\winnt\System32\Write.exe [2000-11-30 6416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-01-01 229376]
RealSecure(r) Desktop Protector.lnk - c:\program files\ISS\issSensors\DesktopProtection\blackice.exe [2005-08-09 823296]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2005-06-17 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 1 (0x1)
"SynchronousUserGroupPolicy"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwprovau]
03-06-19 11:05 139536 c:\winnt\system32\NWPROVAU.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
04-11-01 10:50 8704 c:\winnt\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.HFYU"= huffyuv.dll

R2 BlackICE;BlackICE;c:\program files\ISS\issSensors\DesktopProtection\blackd.exe [2005-08-09 847872]
R2 BrSerial;Brother Serial Driver;c:\winnt\system32\drivers\brserial.sys [2005-06-17 56660]
R2 radexecd;Radia Notify Daemon;c:\program files\Novadigm\radexecd.exe [2002-12-02 225280]
R2 radsched;Radia Scheduler Daemon;c:\program files\Novadigm\radsched.exe [2002-09-30 253952]
R2 Radstgms;Radia MSI Redirector;c:\program files\Novadigm\radstgms.exe [2003-03-27 299008]
R3 Eacfilt;Eacfilt Miniport;c:\winnt\system32\drivers\eacfilt.sys [2003-10-30 9049]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\winnt\system32\drivers\NtApm.sys [2000-11-30 9104]
R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-09-02 49776]
R4 black;black;c:\winnt\system32\drivers\blackdrv.sys [2005-08-09 229367]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\winnt\system32\drivers\ipsecw2k.sys [2003-10-30 115008]
S3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;c:\winnt\system32\drivers\cwbmidi.sys [2000-11-30 3136]
S3 cwbwdm_device;Crystal WDM Audio Codec Driver;c:\winnt\system32\drivers\cwbwdm.sys [2000-11-30 79264]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\WorldCom IP VPN Remote Access\Extranet_serv.exe [2003-10-30 626688]
S3 OracleOra8_HomeClientCache;OracleOra8_HomeClientCache;c:\oracle\Ora81\bin\ONRSD.EXE [2000-10-19 411244]
S3 RapFile;RapFile;c:\winnt\system32\drivers\RapFile.sys [2005-08-09 36676]
S3 RapNet;RapNet;c:\winnt\system32\drivers\RapNet.sys [2005-08-09 24344]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - MBAMSwissArmy
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\Microsoft\Rights Management Add-on\RMAFilt.dll
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 02:33:16
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(192)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
c:\winnt\system32\msv1_0.dll
.
Completion time: 2009-03-11 2:35:36
ComboFix-quarantined-files.txt 2009-03-11 07:35:18
ComboFix2.txt 2009-03-11 07:18:02
ComboFix3.txt 2009-03-11 04:05:49
ComboFix4.txt 2009-03-11 03:40:02
ComboFix5.txt 2009-03-11 07:30:47

Pre-Run: 486,882,816 bytes free
Post-Run: 478,696,448 bytes free

141

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:06, on 2009-03-11
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\WINNT\system32\Brmfrmps.exe
C:\PROGRA~1\Navnt\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Navnt\Rtvscan.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\Navnt\vptray.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\system32\DllHost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\problems.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ViewerHelper Class - {78104A01-8E71-4F30-9A36-3793799615B4} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40971 - {685ec120-f786-4498-a8f0-794d47916161} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra button: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-205 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Microsoft\Rights Management Add-on\RMARes.dll,-40970 - {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - C:\Program Files\Microsoft\Rights Management Add-on\RMAFilt.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideppg.web.ppg.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://connect.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nac.ppg.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nac.ppg.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\WorldCom IP VPN Remote Access\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\Rtvscan.exe
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

--
End of file - 8352 bytes
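As an added example (not part of the original post, and not code from HijackThis, ComboFix or MBAM), the following Python script parses the HijackThis log format shown above and pulls out the entries a helper on a thread like this reads first: O4 autostart entries and O23 services. The triage rules at the end are my own assumptions about what deserves a manual look (a script file rather than an executable under a Run key, a startup shortcut whose target HJT could not resolve, a service with no recognised publisher); a flag is a prompt to check the file, not a verdict that it is malicious. The sample input is constructed from lines copied out of the posted log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above (O4 = autostart, O23 = service, O16 = downloaded ActiveX).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
O4 - HKCU\..\Run: [ConfSrv] C:\Program Files\PPG\Setups\ConfSrv.vbs
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O23 - Service: OracleOra8_HomeClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
--
End of file - 8352 bytes
"""

# Every HJT finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# O4 registry autostart: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder shortcut: "Global Startup: <name>.lnk = <target>"
STARTUP_RE = re.compile(r"^(?P<where>(?:\w+ )?Startup): (?P<name>.*?) = (?P<target>.*)$")
# HJT prints unquoted paths with spaces, so split on the first known extension.
CMD_RE = re.compile(
    r'^(?P<path>"?.+?\.(?:exe|com|dll|vbs|js|wsf|bat|cmd|hta|scr)"?)(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)

# Triage heuristics (assumptions, not HJT's own logic).
SCRIPT_EXT = {".vbs", ".js", ".wsf", ".bat", ".cmd", ".hta", ".scr"}
HOST_PROCS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Entry:
    code: str            # "O4", "O23", ...
    raw: str             # the original log line
    fields: dict = field(default_factory=dict)


def split_command(cmd):
    """Split an unquoted HJT command line into (path, args)."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("path").strip('"'), (m.group("args") or "")


def parse_hjt(text):
    """Return one Entry per finding line; O4 and O23 get structured fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "--", "End of file", process list, etc.
        code, body = m.group("code"), m.group("body")
        entry = Entry(code, line.strip())
        if code == "O4":
            r = RUN_RE.match(body)
            s = STARTUP_RE.match(body)
            if r:
                entry.fields = dict(r.groupdict(), kind="run")
            elif s:
                entry.fields = dict(s.groupdict(), kind="startup")
        elif code == "O23" and body.startswith("Service: "):
            head, path = body[len("Service: "):].rsplit(" - ", 1)
            display, vendor = head.split(" - ", 1) if " - " in head else (head, "")
            entry.fields = {"kind": "service", "display": display,
                            "vendor": vendor, "path": path}
        entries.append(entry)
    return entries


def triage(entries):
    """Return (raw line, reason) for entries worth a manual look."""
    findings = []
    for e in entries:
        f = e.fields
        kind = f.get("kind")
        if kind == "run":
            path, args = split_command(f["cmd"])
            base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in SCRIPT_EXT:
                findings.append((e.raw, f"script autostart ({ext}) under {f['hive']}\\..\\{f['key']}"))
            elif base in HOST_PROCS:
                findings.append((e.raw, f"{base} used as a launcher for: {args}"))
        elif kind == "startup" and f["target"].strip() == "?":
            findings.append((e.raw, "HJT could not resolve the shortcut target"))
        elif kind == "service" and f["vendor"].lower() == "unknown owner":
            findings.append((e.raw, "service binary has no recognised publisher"))
    return findings


if __name__ == "__main__":
    for raw, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {raw}")
```

Run it against a full log saved from HJT (read the file instead of SAMPLE_LOG) to get the shortlist; each hit still has to be checked by hand, for example by confirming the file's publisher and path, before anything is fixed or deleted.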
 
The items MBAM located all say: No action taken
If you would follow the posted instructions, they would all say:
Quarantined and deleted successfully.

Please run MBAM again and follow the directions this time. Post the scan results and a new HJT log run AFTER the MBAM scan.
 
There were 21 infections deleted, but then the computer locked up and I had to turn it off. I ran it again when I started back up, but I think they must have already been purged.

Should I repeat in any particular order?
 