
Virtumonde Infection


  • This topic is locked
14 replies to this topic

#1 dzrt

dzrt

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 30 July 2007 - 10:52 PM

It looks like Virtumonde (whatever that is) has infected my computer. I have followed the directions under “Preparation Guide For Use Before Posting A Hijackthis Log.” Even after all of the scans Nod32 continues to alert me to the infection and I continue to instruct it to delete file C:\WINNT\system32\pmnljgh.dll. Please help!

My HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:35 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\pmnljgh.dll
O2 - BHO: (no name) - {FB142E5E-4A82-4722-8EE3-29983ED32959} - C:\WINNT\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StatusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] "C:\WINNT\system32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185764250765
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: pmnljgh - C:\WINNT\SYSTEM32\pmnljgh.dll
O20 - Winlogon Notify: pmnnl - C:\WINNT\system32\pmnnl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9985 bytes


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 31 July 2007 - 08:51 AM

Hello and welcome aboard :thumbsup:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Hi there, stranger!

#3 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 31 July 2007 - 09:27 PM

Hi Rawe,

Thanks for taking on my Virtumonde mess.

I ran VundoFix many times prior to posting my HijackThis log. (I also ran all of the other programs/scans listed in the “Preparation Guide For Use Before Posting A Hijackthis Log.”) Whenever I scan for Vundo it comes back with “C:\WINNT\system32\pmnnl.dll”. I have the program remove Vundo, restart my computer, and then try scanning again only to find the same file has returned.

Following is the C:\vundofix.txt file and a new HijackThis log:

VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 6:11:14 PM 7/21/2007

Listing files found while scanning....

C:\WINNT\system32\efhkj.bak1
C:\WINNT\system32\efhkj.bak2
C:\WINNT\system32\efhkj.ini
C:\WINNT\system32\jkhfe.dll
C:\WINNT\system32\srxegkfx.dll
C:\WINNT\system32\ykewtsly.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\efhkj.bak1
C:\WINNT\system32\efhkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\efhkj.bak2
C:\WINNT\system32\efhkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\efhkj.ini
C:\WINNT\system32\efhkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jkhfe.dll
C:\WINNT\system32\jkhfe.dll Has been deleted!

Attempting to delete C:\WINNT\system32\srxegkfx.dll
C:\WINNT\system32\srxegkfx.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\ykewtsly.dll
C:\WINNT\system32\ykewtsly.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\srxegkfx.dll
C:\WINNT\system32\srxegkfx.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Sun Java not detected
Scan started at 10:08:07 AM 7/22/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Scan started at 4:19:05 PM 7/22/2007

Listing files found while scanning....

C:\WINNT\system32\ihhkj.bak1
C:\WINNT\system32\ihhkj.ini
C:\WINNT\system32\jkhhi.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ihhkj.bak1
C:\WINNT\system32\ihhkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\ihhkj.ini
C:\WINNT\system32\ihhkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\jkhhi.dll
C:\WINNT\system32\jkhhi.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINNT\system32\jkhhi.dll
C:\WINNT\system32\jkhhi.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 6:47:32 PM 7/22/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.6

Checking Java version...

Scan started at 4:35:51 PM 7/29/2007

Listing files found while scanning....

C:\WINNT\system32\lnnmp.bak1
C:\WINNT\system32\lnnmp.ini
C:\WINNT\system32\pmnnl.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\lnnmp.bak1
C:\WINNT\system32\lnnmp.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\lnnmp.ini
C:\WINNT\system32\lnnmp.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 5:07:14 PM 7/29/2007

Listing files found while scanning....

C:\WINNT\system32\pmnnl.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 6:06:23 PM 7/29/2007

Listing files found while scanning....

C:\WINNT\system32\pmnnl.dll

VundoFix V6.5.6

Checking Java version...

Scan started at 7:29:38 PM 7/29/2007

Listing files found while scanning....

C:\WINNT\system32\pmnnl.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Scan started at 5:52:17 PM 7/31/2007

Listing files found while scanning....

C:\WINNT\system32\pmnnl.dll

Beginning removal...

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:47 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\WINNT\system32\pmnljgh.dll
O2 - BHO: (no name) - {FB142E5E-4A82-4722-8EE3-29983ED32959} - C:\WINNT\system32\pmnnl.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StatusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] "C:\WINNT\system32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185764250765
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: pmnljgh - C:\WINNT\SYSTEM32\pmnljgh.dll
O20 - Winlogon Notify: pmnnl - C:\WINNT\system32\pmnnl.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 10070 bytes
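An added example, not part of this thread and not code from HijackThis or VundoFix: a small Python triage script that applies, over constructed sample lines taken in form from the logs above, the two checks a helper makes by eye here. It flags O2 BHO and O20 Winlogon Notify entries that are unnamed and loaded from system32, orphaned ("file missing"), or registered in both places (the pmnljgh.dll pairing), and it pairs each DLL in a VundoFix listing with the companion files whose stem is its name reversed (jkhfe.dll with efhkj.ini and efhkj.bak1). The severity labels and heuristics are my own assumptions, not tool output.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied in form from the HijackThis logs posted in this thread.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\\WINNT\\system32\\jkhhi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - C:\\WINNT\\system32\\pmnljgh.dll
O2 - BHO: (no name) - {FB142E5E-4A82-4722-8EE3-29983ED32959} - C:\\WINNT\\system32\\pmnnl.dll (file missing)
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: pmnljgh - C:\\WINNT\\SYSTEM32\\pmnljgh.dll
O20 - Winlogon Notify: pmnnl - C:\\WINNT\\system32\\pmnnl.dll (file missing)
"""

# Constructed sample: file names in the form VundoFix listed them in this thread.
SAMPLE_VUNDOFIX_FILES = [
    "C:\\WINNT\\system32\\efhkj.bak1",
    "C:\\WINNT\\system32\\efhkj.ini",
    "C:\\WINNT\\system32\\jkhfe.dll",
    "C:\\WINNT\\system32\\srxegkfx.dll",
    "C:\\WINNT\\system32\\lnnmp.ini",
    "C:\\WINNT\\system32\\pmnnl.dll",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    severity: str  # assumed labels: "high" = active hook, "medium" = orphaned registration
    path: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.replace("/", "\\").lower()


def analyze_hjt(log_text: str) -> list[Finding]:
    """Flag the Vundo-style O2 (BHO) and O20 (Winlogon Notify) entries in a HijackThis log."""
    findings: list[Finding] = []
    bho_dlls: dict[str, str] = {}     # basename -> path for every O2 entry
    notify_dlls: dict[str, str] = {}  # basename -> path for every O20 entry
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path, missing = m["path"], bool(m["missing"])
            bho_dlls[_basename(path)] = path
            if missing:
                findings.append(Finding("medium", path, "orphaned BHO registration: DLL gone, CLSID key remains"))
            elif m["name"] == "(no name)" and _in_system32(path):
                # Unnamed BHOs under Program Files (Spybot's SDHelper.dll) are left alone.
                findings.append(Finding("high", path, "unnamed BHO loaded from system32"))
            continue
        m = O20_RE.match(line)
        if m:
            path, missing = m["path"], bool(m["missing"])
            notify_dlls[_basename(path)] = path
            if missing:
                findings.append(Finding("medium", path, "orphaned Winlogon Notify key: DLL gone, key remains"))
    # One DLL registered both as a BHO and as a Winlogon Notify package is the
    # pairing seen in this thread (pmnljgh.dll): the logon hook reloads the DLL
    # even after the browser side has been cleaned.
    orphaned = {_basename(f.path) for f in findings if f.severity == "medium"}
    for base in bho_dlls.keys() & notify_dlls.keys():
        if base in orphaned:
            continue  # already reported; nothing is loaded any more
        findings.append(Finding("high", notify_dlls[base], "same DLL registered as BHO and Winlogon Notify package"))
    return findings


def reversed_name_pairs(paths: list[str]) -> list[tuple[str, list[str]]]:
    """Pair each DLL with companion files whose stem is the DLL's stem reversed
    (jkhfe.dll <-> efhkj.ini / efhkj.bak1), the naming VundoFix listed above."""
    by_stem: dict[str, set[str]] = {}
    for p in paths:
        stem, _, ext = _basename(p).partition(".")
        by_stem.setdefault(stem, set()).add(ext)
    pairs = []
    for stem, exts in by_stem.items():
        rev = stem[::-1]
        if "dll" in exts and rev != stem and rev in by_stem:
            pairs.append((stem + ".dll", sorted(f"{rev}.{e}" for e in by_stem[rev])))
    return sorted(pairs)


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_HJT):
        print(f"[{f.severity}] {f.path}: {f.reason}")
    for dll, companions in reversed_name_pairs(SAMPLE_VUNDOFIX_FILES):
        print(f"{dll} <-> {', '.join(companions)}")
```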

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 01 August 2007 - 01:45 PM

Hi again, let's continue :thumbsup: Sorry for the minor delay.

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#5 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 01 August 2007 - 09:15 PM

Here is my ComboFix log:

ComboFix 07-07-30.2 - "Administrator" 2007-08-01 18:53:40.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\installer\3137d.msi


((((((((((((((((((((((((( Files Created from 2007-07-02 to 2007-08-02 )))))))))))))))))))))))))))))))


2007-08-01 18:51 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-29 19:09 83,096 --a------ C:\WINNT\system32\SSSensor.dll
2007-07-29 19:09 60,496 --a------ C:\WINNT\system32\drivers\Teefer.sys
2007-07-29 19:09 21,075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys
2007-07-29 19:09 14,568 --a------ C:\WINNT\system32\drivers\wg6n.sys
2007-07-29 19:09 14,568 --a------ C:\WINNT\system32\drivers\wg5n.sys
2007-07-29 19:09 14,568 --a------ C:\WINNT\system32\drivers\wg4n.sys
2007-07-29 19:09 14,568 --a------ C:\WINNT\system32\drivers\wg3n.sys
2007-07-29 19:08 <DIR> d-------- C:\Program Files\Sygate
2007-07-22 16:46 <DIR> d-------- C:\WINNT\system32\Panda Software
2007-07-22 15:32 76,560 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2007-07-22 13:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-22 12:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-22 10:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-22 10:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-21 18:11 <DIR> d-------- C:\VundoFix Backups
2007-07-17 06:27 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-16 19:51 31,254 --a------ C:\WINNT\system32\pmnljgh.dll
2007-07-16 16:37 <DIR> d-------- C:\Program Files\iTunes
2007-07-16 16:37 <DIR> d-------- C:\Program Files\iPod
2007-07-16 16:34 <DIR> d-------- C:\Program Files\QuickTime
2007-07-16 16:32 <DIR> d----c--- C:\WINNT\system32\DRVSTORE
2007-07-16 16:32 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-16 16:31 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-16 16:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-31 19:11 22 --a------ C:\qpmd8376.bin
2007-07-31 19:09 24 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-31 19:09 24 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-07-31 18:57 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-07-22 13:43 15296 --a------ C:\WINNT\mozver.dat
2007-07-22 10:37 --------- d-------- C:\Program Files\Lavasoft
2007-07-16 16:45 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-06-04 15:18 9344 --a------ C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 15:17 8320 --a------ C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6272 --a------ C:\WINNT\system32\drivers\AWRTPD.sys
2007-06-01 21:14 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-05-16 08:12 683520 --a------ C:\WINNT\system32\inetcomm.dll
2005-12-15 18:15 75984 --a--c--- C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-08-09 23:30 40960 --a------ C:\Program Files\Uninstall_CDS.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{069C2AFB-4619-4A56-938E-96EAA4F8AC96}]
C:\WINNT\system32\jkhhi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFB8D3A5-9306-495C-BD87-CCE77C79AB5C}]
C:\WINNT\system32\jkhfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCD53738-C4F9-414A-A03C-C7405A4AC844}]
2007-07-16 19:51 31254 --a------ C:\WINNT\system32\pmnljgh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB142E5E-4A82-4722-8EE3-29983ED32959}]
C:\WINNT\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 12:50 C:\WINNT\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-06 08:08 C:\WINNT\GWMDMMSG.exe]
"WINDVDPatch"="CTHELPER.EXE" [2002-02-07 16:01 C:\WINNT\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-10-03 23:00]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [2001-12-07 02:48]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-05-08 20:05]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 17:51]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 20:28]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINNT\system32\rundll32.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-24 18:04]
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2007-05-31 17:18]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"OfotoNow USB Detection"="C:\WINNT\system32\RunDLL32.exe" [2004-08-04 00:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-06-03 05:55:35]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [2005-10-14 16:41:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DCD53738-C4F9-414A-A03C-C7405A4AC844}"= C:\WINNT\system32\pmnljgh.dll [2007-07-16 19:51 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnljgh]
pmnljgh.dll 2007-07-16 19:51 31254 C:\WINNT\system32\pmnljgh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnl]
C:\WINNT\system32\pmnnl.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINNT\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot

R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINNT\system32\DRIVERS\sbp2port.sys
R0 Teefer;Teefer for NT;C:\WINNT\system32\Drivers\Teefer.sys
R1 nod32drv;nod32drv;C:\WINNT\system32\drivers\nod32drv.sys
R1 Sk9920nt;PS/2 Keyboard Filter Driver for NT 4.0;C:\WINNT\system32\DRIVERS\Sk9920nt.sys
R1 wpsdrvnt;wpsdrvnt;\??\C:\WINNT\system32\drivers\wpsdrvnt.sys
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;C:\CFusionMX\db\slserver52\bin\swagent.exe "ColdFusion MX ODBC Agent"
R2 wg3n;SyGate for NT, wg3n;C:\WINNT\system32\Drivers\wg3n.sys
R2 wg4n;SyGate for NT, wg4n;C:\WINNT\system32\Drivers\wg4n.sys
R2 wg5n;SyGate for NT, wg5n;C:\WINNT\system32\Drivers\wg5n.sys
R2 wg6n;SyGate for NT, wg6n;C:\WINNT\system32\Drivers\wg6n.sys
R3 Dot4;MS IEEE-1284.4 Driver;C:\WINNT\system32\DRIVERS\Dot4.sys
R3 Dot4Print;Print Class Driver for IEEE-1284.4;C:\WINNT\system32\DRIVERS\Dot4Prt.sys
R3 dot4usb;MS Dot4USB Filter Dot4USB Filter;C:\WINNT\system32\DRIVERS\dot4usb.sys
R3 E100B;Intel® PRO Adapter Driver;C:\WINNT\system32\DRIVERS\e100b325.sys
R3 GTWModem;GTW V.92 Voicemodem;C:\WINNT\system32\DRIVERS\GWMDM.sys
R3 Sk99202k;PS/2 Keyboard Filter Driver for Win2000;C:\WINNT\system32\DRIVERS\Sk99202k.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINNT\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINNT\system32\drivers\WmXlCore.sys
S1 Cdr4_xp;Cdr4_xp;C:\WINNT\system32\drivers\Cdr4_xp.sys
S1 Cdralw2k;Cdralw2k;C:\WINNT\system32\drivers\Cdralw2k.sys
S3 BCMModem;BCM V.90 56K Modem;C:\WINNT\system32\DRIVERS\BCMDM.sys
S3 DivioUSBDCam;DN-CAM;C:\WINNT\system32\DRIVERS\pcam.sys
S3 iscFlash;iscFlash;\??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys
S3 PCDRDRV;Pcdr Helper Driver;\??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys
S3 PcdrNt;PcdrNt;C:\WINNT\system32\drivers\PcdrNt.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINNT\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINNT\system32\drivers\WmVirHid.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4fde2a0-2d5b-11db-9d02-000347f70642}]
AutoRun\command- M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0d54efe-5bf1-11db-9d07-000347f70642}]
AutoRun\command- M:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-07-22 05:05:02 C:\WINNT\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-01 09:21:14 C:\WINNT\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-01 19:03:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-01 19:08:38
C:\ComboFix-quarantined-files.txt ... 2007-08-01 19:07

--- E O F ---

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 02 August 2007 - 05:05 AM

1) Please download VirtumundoBegone
2) Save VirtumundoBeGone.exe to your desktop.
3) Run VirtumundoBeGone.exe and follow the instructions. Don't worry if you see a BLUE SCREEN "Fatal Error" message; this is normal and expected.
4) When it's finished, reboot.

It will create a logfile on your desktop called VBG.TXT; copy and paste all of its content into your reply. :thumbsup:
Hi there, stranger!

#7 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 02 August 2007 - 03:01 PM

Here's the VBG log:


[08/02/2007, 12:53:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[08/02/2007, 12:53:14] - Detected System Information:
[08/02/2007, 12:53:14] - Windows Version: 5.1.2600, Service Pack 2
[08/02/2007, 12:53:14] - Current Username: Administrator (Admin)
[08/02/2007, 12:53:14] - Windows is in NORMAL mode.
[08/02/2007, 12:53:14] - Searching for Browser Helper Objects:
[08/02/2007, 12:53:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:53:14] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:53:14] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:53:14] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:53:14] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:53:14] - BHO 6: {DCD53738-C4F9-414A-A03C-C7405A4AC844} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\pmnljgh
[08/02/2007, 12:53:14] - Found: HKLM\...\Winlogon\Notify\pmnljgh - This is probably Virtumundo.
[08/02/2007, 12:53:14] - Assigning {DCD53738-C4F9-414A-A03C-C7405A4AC844} MSEvents Object
[08/02/2007, 12:53:14] - BHO list has been changed! Starting over...
[08/02/2007, 12:53:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:53:14] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:53:14] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:53:14] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:53:14] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:53:14] - BHO 6: {DCD53738-C4F9-414A-A03C-C7405A4AC844} (MSEvents Object)
[08/02/2007, 12:53:14] - ALERT: Found MSEvents Object!
[08/02/2007, 12:53:14] - BHO 7: {FB142E5E-4A82-4722-8EE3-29983ED32959} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\pmnnl
[08/02/2007, 12:53:14] - Found: HKLM\...\Winlogon\Notify\pmnnl - This is probably Virtumundo.
[08/02/2007, 12:53:14] - Assigning {FB142E5E-4A82-4722-8EE3-29983ED32959} MSEvents Object
[08/02/2007, 12:53:14] - BHO list has been changed! Starting over...
[08/02/2007, 12:53:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:53:14] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:53:14] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:53:14] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:53:14] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:53:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:14] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:53:14] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:53:14] - BHO 6: {DCD53738-C4F9-414A-A03C-C7405A4AC844} (MSEvents Object)
[08/02/2007, 12:53:14] - ALERT: Found MSEvents Object!
[08/02/2007, 12:53:14] - BHO 7: {FB142E5E-4A82-4722-8EE3-29983ED32959} (MSEvents Object)
[08/02/2007, 12:53:14] - ALERT: Found MSEvents Object!
[08/02/2007, 12:53:14] - Finished Searching Browser Helper Objects
[08/02/2007, 12:53:14] - *** Detected MSEvents Object
[08/02/2007, 12:53:14] - Trying to remove MSEvents Object...
[08/02/2007, 12:53:15] - Terminating Process: IEXPLORE.EXE
[08/02/2007, 12:53:17] - Terminating Process: RUNDLL32.EXE
[08/02/2007, 12:53:17] - Disabling Automatic Shell Restart
[08/02/2007, 12:53:17] - Terminating Process: EXPLORER.EXE
[08/02/2007, 12:53:18] - Suspending the NT Session Manager System Service
[08/02/2007, 12:53:18] - Terminating Windows NT Logon/Logoff Manager
[08/02/2007, 12:53:19] - Re-enabling Automatic Shell Restart
[08/02/2007, 12:53:19] - File to disable: C:\WINNT\system32\pmnljgh.dll
[08/02/2007, 12:53:19] - Renaming C:\WINNT\system32\pmnljgh.dll -> C:\WINNT\system32\pmnljgh.dll.vir
[08/02/2007, 12:53:19] - File successfully renamed!
[08/02/2007, 12:53:19] - Removing HKLM\...\Browser Helper Objects\{DCD53738-C4F9-414A-A03C-C7405A4AC844}
[08/02/2007, 12:53:19] - Removing HKCR\CLSID\{DCD53738-C4F9-414A-A03C-C7405A4AC844}
[08/02/2007, 12:53:19] - Adding Kill Bit for ActiveX for GUID: {DCD53738-C4F9-414A-A03C-C7405A4AC844}
[08/02/2007, 12:53:19] - Deleting ATLEvents/MSEvents Registry entries
[08/02/2007, 12:53:19] - Removing HKLM\...\Winlogon\Notify\pmnljgh
[08/02/2007, 12:53:19] - Searching for Browser Helper Objects:
[08/02/2007, 12:53:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:53:19] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:53:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:19] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:53:19] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:53:19] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:53:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:19] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:53:19] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:53:19] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:53:19] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:53:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:19] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:53:19] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:53:19] - BHO 6: {FB142E5E-4A82-4722-8EE3-29983ED32959} (MSEvents Object)
[08/02/2007, 12:53:19] - ALERT: Found MSEvents Object!
[08/02/2007, 12:53:19] - Finished Searching Browser Helper Objects
[08/02/2007, 12:53:19] - *** Detected MSEvents Object
[08/02/2007, 12:53:19] - Trying to remove MSEvents Object...
[08/02/2007, 12:53:20] - Terminating Process: IEXPLORE.EXE
[08/02/2007, 12:53:20] - Terminating Process: RUNDLL32.EXE
[08/02/2007, 12:53:20] - Disabling Automatic Shell Restart
[08/02/2007, 12:53:20] - Terminating Process: EXPLORER.EXE
[08/02/2007, 12:53:20] - Suspending the NT Session Manager System Service
[08/02/2007, 12:53:20] - Terminating Windows NT Logon/Logoff Manager
[08/02/2007, 12:53:20] - Re-enabling Automatic Shell Restart
[08/02/2007, 12:53:20] - File to disable: C:\WINNT\system32\pmnnl.dll
[08/02/2007, 12:53:20] - Removing HKLM\...\Browser Helper Objects\{FB142E5E-4A82-4722-8EE3-29983ED32959}
[08/02/2007, 12:53:20] - Removing HKCR\CLSID\{FB142E5E-4A82-4722-8EE3-29983ED32959}
[08/02/2007, 12:53:20] - Adding Kill Bit for ActiveX for GUID: {FB142E5E-4A82-4722-8EE3-29983ED32959}
[08/02/2007, 12:53:20] - Deleting ATLEvents/MSEvents Registry entries
[08/02/2007, 12:53:20] - Removing HKLM\...\Winlogon\Notify\pmnnl
[08/02/2007, 12:53:20] - Searching for Browser Helper Objects:
[08/02/2007, 12:53:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:53:20] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:53:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:20] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:53:20] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:53:20] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:53:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:20] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:53:20] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:53:20] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:53:20] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:53:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:53:20] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:53:20] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:53:20] - Finished Searching Browser Helper Objects
[08/02/2007, 12:53:20] - Finishing up...
[08/02/2007, 12:53:20] - A restart is needed.
[08/02/2007, 12:53:56] - Attempting to Restart via STOP error (Blue Screen!)

[08/02/2007, 12:57:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[08/02/2007, 12:57:58] - Detected System Information:
[08/02/2007, 12:57:58] - Windows Version: 5.1.2600, Service Pack 2
[08/02/2007, 12:57:58] - Current Username: Administrator (Admin)
[08/02/2007, 12:57:58] - Windows is in NORMAL mode.
[08/02/2007, 12:57:58] - Searching for Browser Helper Objects:
[08/02/2007, 12:57:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[08/02/2007, 12:57:58] - BHO 2: {069C2AFB-4619-4A56-938E-96EAA4F8AC96} ()
[08/02/2007, 12:57:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:57:58] - Checking for HKLM\...\Winlogon\Notify\jkhhi
[08/02/2007, 12:57:58] - Key not found: HKLM\...\Winlogon\Notify\jkhhi, continuing.
[08/02/2007, 12:57:58] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[08/02/2007, 12:57:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:57:58] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[08/02/2007, 12:57:58] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[08/02/2007, 12:57:58] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[08/02/2007, 12:57:58] - BHO 5: {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} ()
[08/02/2007, 12:57:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:57:58] - Checking for HKLM\...\Winlogon\Notify\jkhfe
[08/02/2007, 12:57:58] - Key not found: HKLM\...\Winlogon\Notify\jkhfe, continuing.
[08/02/2007, 12:57:58] - BHO 6: {DCD53738-C4F9-414A-A03C-C7405A4AC844} ()
[08/02/2007, 12:57:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[08/02/2007, 12:57:58] - No filename found. Continuing.
[08/02/2007, 12:57:58] - Finished Searching Browser Helper Objects
[08/02/2007, 12:57:58] - Finishing up...
[08/02/2007, 12:57:58] - Nothing found! Exiting...

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 02 August 2007 - 06:33 PM

And then a fresh HijackThis log please :thumbsup:

Also delete the following file if present:

C:\WINNT\system32\pmnljgh.dll.vir
Hi there, stranger!

#9 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 02 August 2007 - 07:03 PM

I did not find C:\WINNT\system32\pmnljgh.dll.vir in the HijackThis results. Log follows:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:44 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StatusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] "C:\WINNT\system32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185764250765
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: pmnljgh - C:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9717 bytes

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 03 August 2007 - 05:05 AM

Hi again :thumbsup:

Go ahead and delete Combofix/VundoFix/VirtumondeBegone if you wish.

Please run a scan with HijackThis and check the following objects for removal:

O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
O20 - Winlogon Notify: pmnljgh - C:\WINNT\


Now close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

==

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. :flowers:

Hi there, stranger!
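The pick list in the post above is a manual triage of HijackThis entries: BHOs registered under a CLSID whose DLL is already gone, a Run entry that launches from a Temp directory, and a Winlogon Notify hook whose DLL path no longer names a DLL. The following Python script is an added example (not from this thread, HijackThis, or any BleepingComputer tool) that applies those same heuristics to log lines. The sample input is constructed from lines copied out of the log posted above plus a few benign entries; the "remove"/"review" severity labels and the `Finding` type are assumptions of this example.

```python
"""Triage helper for HijackThis-style log lines (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, plus
# benign entries (Adobe BHO, SDHelper, NOD32) so the heuristics have something
# to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
O20 - Winlogon Notify: pmnljgh - C:\WINNT\
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Line shapes used by HijackThis for the three sections this example looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    severity: str  # "remove" (safe to fix) or "review" (needs a human look); labels are this example's own
    line: str
    reason: str


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = O2_RE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # A BHO whose DLL no longer exists is an orphaned registration left
        # behind by a removal tool (or by the malware itself); nothing
        # legitimate depends on it.
        if path == "(no file)" or path.endswith("(file missing)"):
            return Finding("remove", line, "BHO CLSID registered but its DLL is missing")
        # Unnamed but present: can be benign (Spybot's SDHelper is), so only
        # flag it for a closer look at the DLL's publisher.
        if name == "(no name)":
            return Finding("review", line, "BHO has no name; verify the DLL's publisher")
        return None
    m = O4_RE.match(line)
    if m:
        # Installed software persists from Program Files or the Windows
        # directory, not from a user's Temp folder.
        if "\\temp\\" in m.group("cmd").lower():
            return Finding("remove", line, "autorun entry launches from a Temp directory")
        return None
    m = O20_RE.match(line)
    if m:
        # A Winlogon Notify package must name a DLL; a bare directory means the
        # DLL is gone (renamed or deleted) but the registry hook survived.
        if not m.group("path").strip().lower().endswith(".dll"):
            return Finding("remove", line, "Winlogon Notify entry without a DLL path")
        return None
    return None


def triage(log_text: str):
    """Run triage_line over every non-blank line, keeping findings in log order."""
    return [f for f in (triage_line(l) for l in log_text.strip().splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports the five entries the post tells the user to fix as "remove" and lists SDHelper once as "review"; the Adobe BHO and the NOD32 entries produce nothing. The heuristics deliberately stay narrow (missing file, Temp path, hook without a DLL) rather than trying to judge a DLL by its name, which is the part that still needs a person.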

#11 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 03 August 2007 - 08:19 PM

Hi Rawe,

I deleted the four files and ran DSS. Following are the main.txt and extra.txt file contents in that order:

Deckard's System Scanner v20070729.57
Run by Administrator on 2007-08-03 at 18:09:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2007-08-04 01:10:00 UTC - RP1565 - Deckard's System Scanner Restore Point
33: 2007-08-02 01:53:23 UTC - RP1564 - ComboFix created restore point
32: 2007-07-30 02:23:17 UTC - RP1563 - Software Distribution Service 3.0
31: 2007-07-30 02:08:36 UTC - RP1562 - Installed Sygate Personal Firewall
30: 2007-07-22 23:37:46 UTC - RP1561 - Windows Defender Checkpoint


-- First Restore Point --
1: 2007-06-25 00:00:16 UTC - RP1532 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:26 PM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\CFusionMX\runtime\bin\jrunsvc.exe
C:\CFusionMX\db\slserver52\bin\swagent.exe
C:\CFusionMX\runtime\bin\jrun.exe
C:\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\CFusionMX\db\slserver52\bin\swsoc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\javaw.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\DOWNLO~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Ink Monitor] "C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StatusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OfotoNow USB Detection] "C:\WINNT\system32\RunDLL32.exe" C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185764250765
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_3us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ColdFusion MX Application Server - Macromedia Inc. - C:\CFusionMX\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX ODBC Agent - Unknown owner - C:\CFusionMX\db\slserver52\bin\swagent.exe
O23 - Service: ColdFusion MX ODBC Server - Unknown owner - C:\CFusionMX\db\slserver52\bin\swstrtr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9300 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\MYDOCU~1\DOWNLO~1\backups\) --

backup-20070803-180307-388 O2 - BHO: (no name) - {DCD53738-C4F9-414A-A03C-C7405A4AC844} - (no file)
backup-20070803-180307-535 O20 - Winlogon Notify: pmnljgh - C:\WINNT\
backup-20070803-180307-608 O2 - BHO: (no name) - {CFB8D3A5-9306-495C-BD87-CCE77C79AB5C} - C:\WINNT\system32\jkhfe.dll (file missing)
backup-20070803-180307-721 O4 - HKLM\..\Run: [NBInstall] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MBDownloader_876919.exe
backup-20070803-180307-816 O2 - BHO: (no name) - {069C2AFB-4619-4A56-938E-96EAA4F8AC96} - C:\WINNT\system32\jkhhi.dll (file missing)

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\winnt\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\winnt\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 DivioUSBDCam (DN-CAM) - c:\winnt\system32\drivers\pcam.sys <Not Verified; Divio Inc.; NW802 USB PC Camera>
S3 iscFlash - c:\winnt\system32\drivers\iscflash.sys (file missing)
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 ColdFusion MX Application Server - "c:\cfusionmx\runtime\bin\jrunsvc.exe" <Not Verified; Macromedia Inc.; Macromedia JRun Application Server>
R2 ColdFusion MX ODBC Agent - c:\cfusionmx\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent"
R2 ColdFusion MX ODBC Server - c:\cfusionmx\db\slserver52\bin\swstrtr.exe "coldfusion mx odbc server"
R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>

S3 PictureTaker - c:\fixit\pt\pctkrnt.sys (file missing)


-- Scheduled Tasks -------------------------------------------------------------

2007-08-03 02:29:04 330 --ah----- C:\WINNT\Tasks\MP Scheduled Scan.job
2007-07-21 22:05:02 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-03 and 2007-08-03 -----------------------------

2007-07-29 19:18:06 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-07-29 19:17:05 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Mozilla
2007-07-29 19:09:14 60496 --a------ C:\WINNT\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2007-07-29 19:09:10 21075 --a------ C:\WINNT\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2007-07-29 19:08:45 0 d-------- C:\Program Files\Sygate
2007-07-22 16:46:29 0 d-------- C:\WINNT\system32\Panda Software
2007-07-22 13:55:04 0 d-------- C:\Documents and Settings\Administrator\.housecall6.6
2007-07-22 13:54:30 0 d-------- C:\WINNT\Sun
2007-07-22 13:54:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2007-07-22 13:42:57 0 d-------- C:\Program Files\Java
2007-07-22 13:42:35 0 d-------- C:\Program Files\Common Files\Java
2007-07-22 12:26:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-22 10:37:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-07-22 10:35:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-21 18:11:14 0 d-------- C:\VundoFix Backups
2007-07-17 06:27:18 0 d-------- C:\Program Files\Windows Defender
2007-07-16 16:37:50 0 d-------- C:\Program Files\iPod
2007-07-16 16:37:31 0 d-------- C:\Program Files\iTunes
2007-07-16 16:34:43 0 d-------- C:\Program Files\QuickTime
2007-07-16 16:32:34 0 d-------- C:\Program Files\Apple Software Update
2007-07-16 16:32:00 0 d------c- C:\WINNT\system32\DRVSTORE
2007-07-16 16:31:26 0 d-------- C:\Program Files\Common Files\Apple
2007-07-16 16:31:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple


-- Find3M Report ---------------------------------------------------------------

2007-08-02 12:55:46 22 --a------ C:\qpmd8376.bin
2007-08-02 12:53:58 24 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-08-02 12:53:58 24 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-0000000C-00001102-00000004-00581102}.dat
2007-08-01 19:12:56 0 d-------- C:\Documents and Settings\Administrator\Application Data\U3
2007-07-22 13:43:58 15296 --a------ C:\WINNT\mozver.dat
2007-07-22 13:42:35 0 d-------- C:\Program Files\Common Files
2007-07-22 10:37:08 0 d-------- C:\Program Files\Lavasoft
2007-07-16 16:45:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [01/03/2001 12:50 PM C:\WINNT\system32\SK9910DM.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [03/06/2002 08:08 AM C:\WINNT\GWMDMMSG.exe]
"WINDVDPatch"="CTHELPER.EXE" [02/07/2002 04:01 PM C:\WINNT\system32\CTHELPER.EXE]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [10/03/2001 11:00 PM]
"Ink Monitor"="C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe" [12/07/2001 02:48 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/08/2003 08:05 PM]
"StatusClient"="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [12/16/2002 05:51 PM]
"TomcatStartup"="C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [03/31/2003 08:28 PM]
"NvCplDaemon"="RUNDLL32.exe" [08/04/2004 12:56 AM C:\WINNT\system32\rundll32.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [04/24/2007 06:04 PM]
"Carbonite Backup"="C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe" [05/31/2007 05:18 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/10/2007 09:18 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [10/15/2004 07:40 PM]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [03/06/2002 08:08 AM]
"UpdReg"="C:\WINNT\UpdReg.EXE" [05/10/2000 11:00 PM]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"OfotoNow USB Detection"="C:\WINNT\system32\RunDLL32.exe" [08/04/2004 12:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]
"@"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [6/3/2002 5:55:35 AM]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [10/14/2005 4:41:52 PM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk
backup=C:\WINNT\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"C:\Program Files\Microsoft Money\System\Money Express.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
"C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4fde2a0-2d5b-11db-9d02-000347f70642}]
AutoRun\command- M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0d54efe-5bf1-11db-9d07-000347f70642}]
AutoRun\command- M:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-08-03 at 18:12:12 ---------



Deckard's System Scanner v20070729.57
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 511.3 MiB / 184.2 MiB
Pagefile Memory (total/avail): 1246.81 MiB / 919.5 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1972.41 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.55 GiB total, 47.12 GiB free.
D: is Removable (No Media)
E: is CDROM (No Media)
F: is CDROM (No Media)
G: is Removable (Unformatted)
H: is CDROM (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
K: is Removable (No Media)
M: is CDROM (CDFS)
N: is Removable (FAT)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.) Disabled
AV: ESET NOD32 antivirus system 2.70 v2.70 (ESET, spol. s r.o.)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLASSPATH=.;C:\Program Files\JavaSoft\JRE\1.3.1_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=C:\WINNT\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\JavaSoft\JRE\1.3.1_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy\Program\Ctzapxx.EXE" /U /S /R
--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINNT\IsUninst.exe -fC:\WINNT\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{510582B9-2633-11D4-99DC-0000F49094C7}\Setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
3-D TopoQuads 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{627A7DBA-0391-4169-B4E8-03DA8A690F4A}\setup.exe" -l0x9 NoMode
Ad-Aware 2007 --> MsiExec.exe /X{E31C348B-63A9-4CBF-8D7F-D932ABB63244}
Adobe Acrobat 4.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Photoshop 7.0.1 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AFSearch --> c:\afsearch\_uninstall\uninstall.exe
Apple Mobile Device Support --> MsiExec.exe /I{A43B2A2F-1DB5-47F9-A608-F11A4835D7CB}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ArcSoft Media Card Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEC2A5B9-CE19-4F2E-9C8F-F310C0EAB993}\Setup.exe" -l0x9
ArcSoft PhotoImpression 3.0 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
Atari: The 80 Classic Games --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Atari\The 80 Classic Games\Uninst.isu"
Canon Camera Access Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CAL\Uninst.ini"
Canon Camera Support Core Library --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CSCLIB\Uninst.ini"
Canon Camera Window DC_DV 5 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC\Uninst.ini"
Canon Camera Window DC_DV 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowDVC6\Uninst.ini"
Canon Camera Window MC 6 for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\CameraWindowMC\Uninst.ini"
Canon EOS-1D Mark II N WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{35260E0B-A8C2-4D25-97E2-448DE7275C85} /l1033
Canon EOS-1Ds Mark II WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{652C4ADF-0A29-4B02-9211-EE61675847DE}
Canon EOS 5D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BB3AB664-D92B-4CB5-8B3E-D841841F4E68} /l1033
Canon EOS Kiss_N REBEL_XT 350D WIA Driver --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{33CF7CDF-9805-4500-9CC7-D19D52AD63C4} /l1033
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B8CD1189-53D6-4C51-8082-14B812EABBA8}
Canon MovieEdit Task for ZoomBrowser EX --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{68D27126-BF6A-457D-8DD0-5F35E8D41310}
Canon PhotoRecord --> MsiExec.exe /X{6693BD7C-CB4E-43AC-A0D6-10D1A1B88DCF}
Canon PowerShot G3 WIA Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B94061DC-B2BB-42F7-800D-BCBF678AA8B3}
Canon RAW Image Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\RAW Image Task\Uninst.ini"
Canon RemoteCapture Task for ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\CameraWindow\RemoteCaptureTask DC\Uninst.ini"
Canon Utilities Digital Photo Professional 2.1 --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"
Canon Utilities EOS Utility --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"
Canon Utilities FileViewerUtility 1.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0627E8E9-6822-4A5E-9225-286741CDC3E4}
Canon Utilities PhotoStitch --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\Program Files\Canon\PhotoStitch\Uninst.ini"
Canon Utilities RemoteCapture 2.6 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{B08894AF-D523-46B1-9B9B-2DA6B29CDD23}
Canon Utilities ZoomBrowser EX --> "C:\Program Files\Common Files\Canon\UIW\1.0.0.0\Uninst.exe" "C:\PROGRA~1\Canon\ZOOMBR~1\Program\Uninst.ini"
Carbonite Backup --> C:\Program Files\Carbonite\Carbonite Backup\CarboniteSetup.exe /remove
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
ColdFusion MX --> MsiExec.exe /X{D69FD9A6-AA50-45C6-A622-71AF0F28AEC1}
Copy Utility --> C:\WINNT\IsUninst.exe -f"C:\Program Files\EPSON\Copy Utility\Uninst.isu"
DN-CAM --> C:\WINNT\pcamrm.exe DN-CAM
DVD Player --> "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
DX-Ball 2 --> C:\Program Files\LDA Games\DX-Ball 2\Uninstall.exe
EPSON Photo Print --> C:\WINNT\IsUninst.exe -f"C:\Program Files\EPSON\Photo Print\Uninst.isu"
EPSON Printer Software --> C:\WINNT\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
EPSON Smart Panel --> C:\Program Files\EPSON\Smart Panel\SPUninst.exe
Flickr Uploadr 2.3 --> "C:\Program Files\Flickr Uploadr\uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GTW V.92 Voicemodem --> C:\WINNT\GWMDMU.exe verbose
HelpSpot --> MsiExec.exe /I{F1FBF021-B965-42D3-BF63-D7A121B5490D}
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe" /uninstall
hp LaserJet 1010 Series --> MsiExec.exe /x {292C47B2-8DB7-47BF-896C-C3C5EE8108C4}
Ink Monitor --> C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe -U
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
iTunes --> MsiExec.exe /I{9357AE3A-B2ED-4138-BB9B-0564352C3F0A}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kyodai --> "C:\Program Files\Kyodai Mahjongg\unins000.exe"
Logitech Gaming Software --> MsiExec.exe /X{FAAA508A-05C0-488B-BFC2-F9217E545A81}
Macromedia Dreamweaver MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8B4AB829-DFD3-436D-B808-D9733D76C590}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{930B2432-43D4-11D5-9871-00C04F8EEB39}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Office Basic Edition 2003 --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Developer - English --> C:\Program Files\Microsoft Office Developer\Setup\Microsoft Office XP Developer - English\setup.exe /MaintMode
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Small Business --> MsiExec.exe /I{91130409-6000-11D3-8CFE-0050048383C9}
Microsoft Visual SourceSafe 6.0 --> "C:\Program Files\Microsoft Visual Studio\VSS\setup\win32\1033\Setup.exe"
Mozilla Firefox (2.0.0.5) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NOD32 antivirus system --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINNT\System32\nvinstnt.dll,NvUninstallNT4 nvgw.inf
Office 2003 Setup Files --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2BD74F5D-4089-4064-B6AF-8E8A93022650}\setup.exe" -l0x9
Ofoto Easy Upload ActiveX Control --> RunDll32 advpack.dll,LaunchINFSection C:\WINNT\Downloaded Program Files\axofupld.inf, Uninstall
OfotoNow --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2875A5F5-E613-4F99-9B47-8882C9DD24A5}\Setup.exe" -l0x9 anything
Panda TotalScan --> C:\WINNT\system32\Panda Software\ActiveScan2\ascuninst.exe
PC-Doctor for Windows --> C:\WINNT\UNWISE32.EXE C:\PROGRA~1\PC-DOC~1\INSTALL.LOG
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerDirector Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
PS/2 Millennium Keyboard --> SKUninst.exe SK_PS2MillenniumKeyboard
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Recover My Photos --> "C:\Program Files\GetData\Recover My Photos\unins000.exe"
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\Setup.exe" ADDREMOVEDLG
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINNT\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINNT\$NtUninstallKB923723$\spuninst\spuninst.exe"
Shockwave --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Sound Blaster Audigy --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9115E7DB-3B29-445A-802D-11E0AA945B7F}\setup.exe" -l0x9
Special Edition Using Access 2002 --> C:\PROGRA~1\Seau10\UNWISE.EXE C:\PROGRA~1\Seau10\INSTALL.LOG
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Super Bounce Out! from GameHouse --> C:\PROGRA~1\GAMEHO~1\BOUNCE~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\BOUNCE~1\INSTALL.LOG
Super Collapse! II --> C:\PROGRA~1\GAMEHO~1\COLLAP~1\UNWISE.EXE /U C:\PROGRA~1\GAMEHO~1\COLLAP~1\INSTALL.LOG
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
TOPO! --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F19BED0D-E57B-4240-AF3D-87CF9E6D7BF1}
TOPO! --> C:\WINNT\IsUninst.exe -fC:\TOPO!\Uninst.isu
TOPO! California Map Pack --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{CAA9CB43-207D-4518-AF7B-EE51FDC0EAE7}
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}


-- End of Deckard's System Scanner: finished at 2007-08-03 at 18:12:12 ---------

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 04 August 2007 - 04:50 AM

Please do enable your Sygate firewall if it isn't running. It's critical to have firewall & anti-virus running in the background.

Is this a program you recognize and/or use?

AFSearch

Also, how is the system running now -- any issues, popups, warnings, anything? If so, please give me whatever info you can :thumbsup:
Hi there, stranger!

#13 dzrt

dzrt
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:06:06 AM

Posted 04 August 2007 - 10:49 AM

Wow, looks like you fixed it! I stopped using that computer once the problems started and so I failed to notice that the problems had stopped. I have deleted AFSearch. Now that it appears to be fixed I have connected it to my router and turned on Sygate. Thank you so much for your help! You should receive a donation through PayPal in a few.

Niki

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 04 August 2007 - 01:00 PM

Glad to be of help! :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Comodo BOCLEAN <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?
Hi there, stranger!
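The HOSTS-file mechanism from the tip above, as an added example that is not part of the original post or of the MVPS project: a small Python checker that parses a HOSTS file and separates block entries (sites pinned to 127.0.0.1 or 0.0.0.0, so they cannot be reached) from entries that send a hostname to some other address, which is the pattern worth a second look after a malware cleanup. The sample HOSTS content and hostnames are constructed.

```python
# Added example (not code from the thread or from the MVPS project):
# parse a Windows HOSTS file and separate MVPS-style block entries,
# which pin a site to the local machine, from entries that send a
# hostname to some other address. The sample HOSTS text is constructed.
import ipaddress

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # "this computer" addresses

SAMPLE_HOSTS = """\
# constructed sample of a HOSTS file
127.0.0.1       localhost
127.0.0.1  ad.example-ads.test      # MVPS-style block entry
0.0.0.0    tracker.example.test
198.51.100.7  www.example-bank.test # sent to a foreign address
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; ignore the line
        for host in parts[1:]:
            yield parts[0], host.lower()

def classify_hosts(text):
    """Return {'blocked': [hosts], 'redirected': {host: ip}}."""
    blocked, redirected = [], {}
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue  # the one loopback entry every HOSTS file carries
        if ip in LOOPBACK:
            blocked.append(host)      # the site can no longer be reached
        else:
            redirected[host] = ip     # investigate: this is not a block entry
    return {"blocked": blocked, "redirected": redirected}

def is_blocked(text, hostname):
    """True if the HOSTS file pins hostname to the local machine."""
    return hostname.lower() in classify_hosts(text)["blocked"]
```

Run `classify_hosts` over the real file (C:\WINNT\system32\drivers\etc\hosts on this system) and anything in `redirected` deserves a look, since a block list never needs a non-loopback address.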

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:06 PM

Posted 06 August 2007 - 07:58 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!