Trogen.vundo_winfixer_etc...


  • This topic is locked
8 replies to this topic

#1 JPX

JPX

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 09 August 2007 - 11:21 AM

SYSTEM:
Win XP SP2
IE 7.0
NAV 10.02 Corporate Edition -- Current Def file
Adaware 2007 -- Current Def file
HijackThis

BACKGROUND:
Basically I clicked on a file, it installed some nasty little virus that goes out to the net and starts installing multiple trojans and other malware on the host machine.
I have been able to remove most of the threats, but I am still haunted by IE popups that are listed as viral. I did some research and that is when I downloaded HijackThis.
I may have removed the trojan last night, but I'm still not sure. It seems to just reappear after some time when I think I deleted it, and the popups just come back under a different name. It takes over an hour to perform an entire system scan and I've just about had enough of scanning this system over and over to remove something that's going to come right back.
==========

QUESTION:
In my HijackThis log (to be posted below) I have "C:\WINDOWS\system32\cersnt.dll" listed as a BHO. I can't remove this because it is locked by other programs. I checked to see what had it locked and this is what I found.
Processes that are locking this path/file: winlogon.exe --- explore.exe --- iexplore.exe --- winlogon.exe --- yes, winlogon.exe was listed twice. Obviously this file is locked by the core functions of my OS and Internet Explorer.
I guess what I'm asking is: is this the virus? I researched most "weird" .dll files I saw and this one has no information that I can find. Either way I need help to remove any malware or viruses that are still bouncing around my system.


HijackThis LOG::::::::::::::::::::::::::::::
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:13 PM, on 2007-08-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Desktop Sidebar\dsidebar.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\JEREMY~1\LOCALS~1\Temp\Adobelm_Cleanup.0001

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.220.1.254:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f885ab7-89ea-49e8-b73d-392b04098427} - C:\WINDOWS\system32\cersnt.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SIDEBAR] "C:\Program Files\Desktop Sidebar\dsidebar.exe"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: CADE - {605E5D27-BFA0-471F-87ED-98A2623D633C} - C:\Program Files\CADE Pro 2.10.0\Web\new.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {16A017B9-6CB4-47C7-8E81-6E9396FAC2B6} (IDVRCtrlX Control) - http://10.110.60.159/NSIDVRCtrlX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - http://10.110.103.194/activex/decoder/mpeg4_dec.cab
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://10.110.103.130/JMWiseCam.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://lov-amsterm/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.155.216.154/activex/AxisPlayer.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://10.110.103.132/csi_netcam.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://10.110.34.10/activex/AMC.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.level-9.ch:53762/activex/AMC.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEITZEL
O17 - HKLM\Software\..\Telephony: DomainName = BEITZEL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEITZEL
O20 - AppInit_DLLs: c:\windows\system32\jkhfcaw.dll
O20 - Winlogon Notify: cersnt - C:\WINDOWS\SYSTEM32\cersnt.dll
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Alarm Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell HMI Framework - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 15590 bytes



Thanks,
JPX


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:03:41 AM

Posted 10 August 2007 - 03:19 AM

Yes, that is your trojan: Vundo/Virtumonde/Winfixer -- all the same.

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Edited by Rawe, 10 August 2007 - 03:20 AM.

Hi there, stranger!
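The reason the DLL shows as locked by winlogon.exe follows from the log itself: cersnt.dll is registered both as an O2 BHO with no name and as an O20 Winlogon Notify package, so winlogon.exe loads it at logon and Internet Explorer loads it as a BHO. The following is an added example (not from the thread, BleepingComputer or any HijackThis tool) that parses HijackThis O2/O20 lines and flags a DLL registered at more than one load point; the sample lines are copied from the log above and the heuristics are this example's own.

```python
# Added example: correlate HijackThis log entries so that one DLL registered at
# several load points (O2 BHO + O20 Winlogon Notify, as cersnt.dll is above)
# stands out. Not part of the thread or of HijackThis; heuristics are ours.
import re
from collections import defaultdict

# The HijackThis entry types that load a DLL into a process.
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")

# Constructed sample: a few lines taken from the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f885ab7-89ea-49e8-b73d-392b04098427} - C:\WINDOWS\system32\cersnt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O20 - AppInit_DLLs: c:\windows\system32\jkhfcaw.dll
O20 - Winlogon Notify: cersnt - C:\WINDOWS\SYSTEM32\cersnt.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


def norm(path):
    """Case-fold a Windows path so SYSTEM32 and system32 compare equal."""
    return path.strip().strip('"').lower()


def parse_load_points(lines):
    """Return {dll_path: [(entry_type, detail), ...]} for DLL-loading entries."""
    points = defaultdict(list)
    for line in lines:
        line = line.strip()
        if m := O2_BHO.match(line):
            points[norm(m["path"])].append(("O2 BHO", m["name"]))
        elif m := O20_NOTIFY.match(line):
            points[norm(m["path"])].append(("O20 Winlogon Notify", m["key"]))
        elif m := O20_APPINIT.match(line):
            # AppInit_DLLs may list several DLLs separated by commas or spaces.
            for p in re.split(r"[,\s]+", m["path"]):
                if p:
                    points[norm(p)].append(("O20 AppInit_DLLs", ""))
    return points


def analyse(lines):
    """Flag DLLs whose registration pattern matches what the thread shows.

    Heuristics (this example's own, not a HijackThis feature):
      * the same DLL registered at two or more distinct load points
      * a BHO registered with "(no name)"
      * any Winlogon Notify or AppInit_DLLs entry; legitimate ones exist
        (display shells, for instance), but both are common persistence
        points and explain why the file is locked by winlogon.exe or by
        every user32-linked process
    """
    findings = {}
    for path, regs in parse_load_points(lines).items():
        kinds = {k for k, _ in regs}
        reasons = []
        if len(kinds) >= 2:
            reasons.append(f"registered at {len(kinds)} load points: {sorted(kinds)}")
        if any(k == "O2 BHO" and d.strip().lower() == "(no name)" for k, d in regs):
            reasons.append("BHO registered with no name")
        if "O20 Winlogon Notify" in kinds:
            reasons.append("Winlogon Notify package: loaded by winlogon.exe, so the "
                           "file stays locked while a user is logged on")
        if "O20 AppInit_DLLs" in kinds:
            reasons.append("AppInit_DLLs: loaded into every process that maps user32.dll")
        if reasons:
            findings[path] = {"load_points": sorted(kinds), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for path, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(path)
        for reason in info["reasons"]:
            print("   -", reason)
```

On the sample the script reports cersnt.dll (two load points, nameless BHO, Winlogon Notify) and jkhfcaw.dll (AppInit_DLLs), while the Adobe and Java BHOs are not flagged.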

#3 JPX

JPX
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:41 PM

Posted 13 August 2007 - 08:57 PM

RAWE, thank you for your response. I have been deleting variants of these files for 3 days. I have used MoveOnBoot and an Unlocker program to allow me access to remove these files. The only issue is I can't find the root of these. Since my last post I have run the vundofixer.exe and checked with Blacklight to see if a root pack existed (it did not). It always looks hopeful as I always find infections to remove, but they always come back. Below is posted my ComboFix log.


ComboFix 07-07-30.2 - "jeremy perando" 2007-08-13 21:36:34.2 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\awvvu.exe
C:\WINDOWS\system32\geebb.exe
C:\WINDOWS\system32\geeby.exe
C:\WINDOWS\system32\mljjg.exe
C:\WINDOWS\system32\pmkhg.exe
C:\WINDOWS\system32\ssqrs.exe
C:\WINDOWS\system32\sstts.exe
C:\WINDOWS\system32\vtsqo.exe
C:\WINDOWS\system32\vtutt.exe
C:\WINDOWS\system32\exe2hcp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\JEREMY~1\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\JEREMY~1\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\JEREMY~1\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\JEREMY~1\APPLIC~1\tmp64.tmp.exe
C:\DOCUME~1\JEREMY~1\APPLIC~1\tmpA.tmp.exe
C:\WINDOWS\system32\dne8fca4c2.dat
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp8.tmp.dll
C:\WINDOWS\system32\tmpA.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-07-14 to 2007-08-14 )))))))))))))))))))))))))))))))


2007-08-13 21:45 92,674 --a------ C:\WINDOWS\system32\msexnet.dll
2007-08-13 21:45 18 --a------ C:\WINDOWS\system32\dne8fca4c2.dat
2007-08-13 21:44 105,540 --a------ C:\WINDOWS\system32\awvtt.exe
2007-08-13 21:10 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-08-13 19:54 <DIR> d-------- C:\VundoFix Backups
2007-08-13 15:52 <DIR> d-------- C:\WINDOWS\srchasst
2007-08-13 12:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-13 11:13 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\AdobeUM
2007-08-10 02:34 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-08-10 02:34 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-08-10 02:20 <DIR> d-------- C:\virus
2007-08-09 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-07 11:37 <DIR> d-------- C:\DOCUME~1\JEREMY~1\APPLIC~1\Desktop Sidebar
2007-08-07 11:35 <DIR> d-------- C:\Program Files\Desktop Sidebar
2007-08-02 00:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:46 1,970 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-02 00:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-02 00:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-02 00:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-02 00:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-01 23:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-01 23:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-01 23:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-01 22:26 70,312 --a------ C:\Program Files\codec_setup.exe
2007-08-01 22:25 <DIR> d-------- C:\DOCUME~1\LOCALS~1\.housecall6.6
2007-08-01 22:18 <DIR> d--hs---- C:\DOCUME~1\LOCALS~1\UserData
2007-08-01 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-01 16:36 <DIR> d-------- C:\DOCUME~1\JEREMY~1\.housecall6.6
2007-08-01 16:24 13,344 --a------ C:\WINDOWS\system32\jkhfcaw.dll
2007-08-01 15:13 <DIR> d-------- C:\Program Files\Spb Software House
2007-07-25 10:40 <DIR> d-------- C:\Program Files\NCP
2007-07-23 17:08 <DIR> d-------- C:\Program Files\iPAQ Phone Data Manager
2007-07-23 17:07 <DIR> d-------- C:\Program Files\Quick GPS Connection Data Download Manager
2007-07-23 17:07 <DIR> d-------- C:\Program Files\CREDANT
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Real
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-23 17:03 <DIR> d-------- C:\DOCUME~1\JEREMY~1\APPLIC~1\Real
2007-07-23 16:59 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-07-23 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-07-23 16:58 <DIR> d-------- C:\Program Files\Common Files\HP
2007-07-23 16:57 87,268 --a------ C:\WINDOWS\hpqins69.dat
2007-07-23 16:49 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-07-16 15:19 <DIR> d-------- C:\Program Files\Hirschmann


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 21:45 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-30 13:24 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-23 17:08 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 16:58 --------- d-------- C:\Program Files\HP
2007-07-16 16:48 15360 --a------ C:\WINDOWS\system32\selm_isx.dll
2007-07-09 18:09 --------- d-------- C:\Program Files\Microsoft Voice Command
2007-07-05 16:58 --------- d-------- C:\Program Files\DSTfix
2007-06-26 16:32 --------- d-------- C:\Program Files\ControlFLASH
2007-06-25 07:53 --------- d-------- C:\Program Files\AvantGo
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8eaeb933-0b50-4571-85f4-0467ee2e91ff}]
2007-08-13 21:45 92674 --a------ C:\WINDOWS\system32\msexnet.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-25 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 12:42]
"nwiz"="nwiz.exe" [2006-04-25 11:28 C:\WINDOWS\system32\nwiz.exe]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-08-11 20:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msexnet]
msexnet.dll 2007-08-13 21:45 92674 C:\WINDOWS\system32\msexnet.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 02:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\jkhfcaw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R0 ALLOW-IO;ALLOW-IO;C:\WINDOWS\system32\Drivers\ALLOW-IO.sys
R0 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms;C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R1 VirtualBackplane;A-B Virtual Backplane;\??\C:\WINDOWS\system32\drivers\VirtualBackplane.sys
R1 vmm;Virtual Machine Monitor;\??\C:\WINDOWS\system32\Drivers\vmm.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 EZUSB;Dialog General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 lnss_sscans;GFI LANguard N.S.S. Scheduled Scans Service;C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
R2 Rockwell HMI Framework;Rockwell HMI Framework;C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 TACN1000;TACN1000;\??\C:\WINDOWS\system32\drivers\TACN1000.sys
R2 TAPccWdm;TAPccWdm;\??\C:\WINDOWS\system32\drivers\TAPccWdm.sys
R3 DCamUSBET;USB2.0 1.3M PC CAM;C:\WINDOWS\system32\DRIVERS\etDevice.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe"
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\etFilter.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
R3 HSFHWVIA;HSFHWVIA;C:\WINDOWS\system32\DRIVERS\HSFHWVIA.sys
R3 irsir;Microsoft Serial Infrared Driver;C:\WINDOWS\system32\DRIVERS\irsir.sys
R3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\etScan.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 VPCNetS2;Virtual Machine Network Services Driver;C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
S1 abpicw2k;AB PIC/AIC+ Driver;C:\WINDOWS\system32\DRIVERS\abpicw2k.sys
S2 MtxIic;MtxIic;\??\C:\WINDOWS\system32\drivers\MtxIicKrnlNT.sys
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys
S3 ADM8511;Belkin USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\NET8511.SYS
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851X.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 maxidemo;Maxi_Vista_Demo_Driver;C:\WINDOWS\system32\DRIVERS\maxidemo.sys
S3 maxivista;Maxi_Vista_DriverA;C:\WINDOWS\system32\DRIVERS\maxivista.sys
S3 maxivistb;Maxi_Vista_DriverB;C:\WINDOWS\system32\DRIVERS\maxivistb.sys
S3 maxivistc;Maxi_Vista_DriverC;C:\WINDOWS\system32\DRIVERS\maxivistc.sys
S3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;C:\WINDOWS\system32\DRIVERS\mxofwfp.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;"C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe"
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS
S3 SimModuleService;1789-SIM Simulator Module;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S3 usbser;USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d092e858-1ac7-11dc-b93b-000b6b4dcbda}]
AutoRun\command- J:\Installer.exe


Contents of the 'Scheduled Tasks' folder
2006-05-22 03:15:57 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job
2007-08-03 20:00:00 C:\WINDOWS\Tasks\{08A8508C-7269-47C1-A611-C69BD3A93F6F}_BEITZEL_jeremy perando.job - C:\WINDOWS\system32\mobsync.exe
2007-08-13 20:00:00 C:\WINDOWS\Tasks\{4D7302E1-19B8-4DD1-B9A2-50910BA51772}_BEITZEL_jeremy perando.job - C:\WINDOWS\system32\mobsync.exe
2007-08-06 13:00:00 C:\WINDOWS\Tasks\{C5D6C737-0C68-4B23-B1D9-842E7D82D4A7}_BEITZEL_jeremy perando.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 21:45:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fonts]
"Bank Gothic Light BT (TrueType)"="bgothl.ttf"
"Bank Gothic Medium BT (TrueType)"="bgothm.ttf"
"CityBlueprint (TrueType)"="cityb___.ttf"
"Commercial Pi BT (TrueType)"="compi.ttf"
"Dutch 801 Roman BT (TrueType)"="dutch.ttf"
"Commercial Script BT (TrueType)"="comsc.ttf"
"Swiss 721 Bold BT (TrueType)"="swissb.ttf"
"SansSerif (TrueType)"="sanss___.ttf"
"SansSerif Bold (TrueType)"="sanssb__.ttf"
"SansSerif BoldOblique (TrueType)"="sanssbo_.ttf"
"SansSerif Oblique (TrueType)"="sansso__.ttf"
"Stylus BT (TrueType)"="stylu.ttf"
"Swiss 721 BT (TrueType)"="swiss.ttf"
"Romantic Bold (TrueType)"="romab___.ttf"
"Swiss 721 Bold Italic BT (TrueType)"="swissbi.ttf"
"Swiss 721 Bold Outline BT (TrueType)"="swissbo.ttf"
"Swiss 721 Condensed BT (TrueType)"="swissc.ttf"
"Swiss 721 Bold Condensed BT (TrueType)"="swisscb.ttf"
"Swiss 721 Bold Condensed Italic BT (TrueType)"="swisscbi.ttf"
"Swiss 721 Bold Condensed Outline BT (TrueType)"="swisscbo.ttf"
"SuperFrench (TrueType)"="supef___.ttf"
"GDT (TrueType)"="gdt_____.ttf"
"Dutch 801 Bold BT (TrueType)"="dutchb.ttf"
"Dutch 801 Bold Italic BT (TrueType)"="dutchbi.ttf"
"Dutch 801 Extra Bold BT (TrueType)"="dutcheb.ttf"
"Dutch 801 Italic BT (TrueType)"="dutchi.ttf"
"EuroRoman (TrueType)"="eurr____.ttf"
"Romantic (TrueType)"="romantic.ttf"
"Romantic Italic (TrueType)"="romai___.ttf"
"Monospace 821 BT (TrueType)"="monos.ttf"
"Monospace 821 Bold BT (TrueType)"="monosb.ttf"
"Monospace 821 Bold Italic BT (TrueType)"="monosbi.ttf"
"Monospace 821 Italic BT (TrueType)"="monosi.ttf"
"PanRoman (TrueType)"="panroman.ttf"
"Swiss 721 Black Condensed Italic BT (TrueType)"="swisscki.ttf"
"EuroRoman Oblique (TrueType)"="eurro___.ttf"
"ISOCPEUR Italic (TrueType)"="isocpeui.ttf"
"Swiss 721 Condensed Italic BT (TrueType)"="swissci.ttf"
"Vineta BT (TrueType)"="vinet.ttf"
"ISOCTEUR (TrueType)"="isocteur.ttf"
"Technic (TrueType)"="technic_.ttf"
"ISOCTEUR Italic (TrueType)"="isocteui.ttf"
"ISOCPEUR (TrueType)"="isocpeur.ttf"
"Swiss 721 Black BT (TrueType)"="swissk.ttf"
"CountryBlueprint (TrueType)"="counb___.ttf"
"Swiss 721 Light Condensed BT (TrueType)"="swisscl.ttf"
"Swiss 721 Light Condensed Italic BT (TrueType)"="swisscli.ttf"
"Swiss 721 Extended BT (TrueType)"="swisse.ttf"
"Swiss 721 Bold Extended BT (TrueType)"="swisseb.ttf"
"Swiss 721 Black Extended BT (TrueType)"="swissek.ttf"
"Universal Math 1 BT (TrueType)"="umath.ttf"
"Swiss 721 Italic BT (TrueType)"="swissi.ttf"
"Swiss 721 Black Condensed BT (TrueType)"="swissck.ttf"
"Swiss 721 Black Italic BT (TrueType)"="swisski.ttf"
"Swiss 721 Black Outline BT (TrueType)"="swissko.ttf"
"Swiss 721 Light BT (TrueType)"="swissl.ttf"
"Swiss 721 Light Italic BT (TrueType)"="swissli.ttf"
"TechnicBold (TrueType)"="techb___.ttf"
"TechnicLite (TrueType)"="techl___.ttf"
"Swiss 721 Light Extended BT (TrueType)"="swissel.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD]
"Enable"=dword:00000001
"SwapSync"=dword:00000001
"Palettized Formats"=dword:00000001
"IO Priority"=dword:00000000
"Use Generic Stencil"=dword:00000001
"Enumerate as ICD"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/adv6api.dll]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/msrdp.ocx]
".Owner"="{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}"
"{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webeye.ocx]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webeyeaudio.ocx]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage]
"WIADevicePresent"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications]
"eMPIA AMCAP"="C:\WINDOWS\etAMCAP.exe /StiDevice: /StiEvent:"
"ET2700 PC CAM Application"="C:\WINDOWS\etCAP.exe /StiDevice: /StiEvent:"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000200

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 21:46:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-13 21:46
C:\ComboFix2.txt ... 2007-08-02 01:10

--- E O F ---

#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 14 August 2007 - 04:30 AM

Please go to Control Panel -> Add/Remove Programs and look for the following entry (let me know if it is there, no need to do anything with it):

TripleHead2GO

Then, please open Notepad and copy/paste the text in the quote box below into it:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8eaeb933-0b50-4571-85f4-0467ee2e91ff}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\msexnet]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""

File::
c:\windows\system32\jkhfcaw.dll
C:\WINDOWS\system32\msexnet.dll
C:\WINDOWS\system32\awvtt.exe
C:\WINDOWS\hpqins69.dat


Save it as CFScript.txt on your desktop.

[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :thumbsup:

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 JPX

  • Topic Starter
  • Members
  • 4 posts

Posted 15 August 2007 - 09:40 PM

When I posted the first ComboFix log, I saw the file that was installed by the virus at the time this all started. ( C:\WINDOWS\system32\jkhfcaw.dll )
I ran a MoveOnBoot to delete it and was then able to remove all active threats. Since then, I now get no detection of spyware with S&D, and the random files have stopped showing up in the HijackThis log.
Just when I thought it was OK, I still have Trojan.Vundo detected by Symantec in the restore files and the HijackThis folder. So I dumped the restore and did a system scan. I went ahead and ran the script in ComboFix and posted it below. I just wanted to give you a rundown of what I have been doing so you don't get any strange log readings. Also, the file ( C:\WINDOWS\srchasst ) will always reappear after it is unlocked from winlogon and deleted.
I think we are getting close, and I just want to thank you again for helping me out with this. Below is the most current log, created by running the script you supplied to me.


Matrox TripleHead2Go -- It is in the Add/Remove Programs section. I installed this a while back. It's a small device that will allow the video resolution to be stretched across 3 monitors, something like 3840 x 1024. It was nice, but seemed slightly fuzzy.



ComboFix 07-07-30.2 - "jeremy perando" 2007-08-15 22:08:47.3 [GMT -4:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
Command switches used :: C:\Documents and Settings\jeremy perando\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\hpqins69.dat
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\awvtt.exe
C:\WINDOWS\system32\dne8fca4c2.dat


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-15 22:04 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-15 21:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-15 17:07 <DIR> d-------- C:\WINDOWS\srchasst
2007-08-13 21:10 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-08-13 19:54 <DIR> d-------- C:\VundoFix Backups
2007-08-13 12:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-08-13 11:13 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\AdobeUM
2007-08-10 02:34 <DIR> d-------- C:\Program Files\GiPo@Utilities
2007-08-10 02:34 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2007-08-10 02:20 <DIR> d-------- C:\virus
2007-08-09 12:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-07 11:37 <DIR> d-------- C:\DOCUME~1\JEREMY~1\APPLIC~1\Desktop Sidebar
2007-08-07 11:35 <DIR> d-------- C:\Program Files\Desktop Sidebar
2007-08-02 00:55 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 00:46 1,970 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-02 00:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-02 00:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-02 00:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-02 00:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-01 23:06 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-01 23:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-01 23:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-01 22:26 70,312 --a------ C:\Program Files\codec_setup.exe
2007-08-01 22:25 <DIR> d-------- C:\DOCUME~1\LOCALS~1\.housecall6.6
2007-08-01 22:18 <DIR> d--hs---- C:\DOCUME~1\LOCALS~1\UserData
2007-08-01 17:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-01 16:36 <DIR> d-------- C:\DOCUME~1\JEREMY~1\.housecall6.6
2007-08-01 15:13 <DIR> d-------- C:\Program Files\Spb Software House
2007-07-25 10:40 <DIR> d-------- C:\Program Files\NCP
2007-07-23 17:08 <DIR> d-------- C:\Program Files\iPAQ Phone Data Manager
2007-07-23 17:07 <DIR> d-------- C:\Program Files\Quick GPS Connection Data Download Manager
2007-07-23 17:07 <DIR> d-------- C:\Program Files\CREDANT
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Real
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-07-23 17:04 <DIR> d-------- C:\Program Files\Common Files\Real
2007-07-23 17:03 <DIR> d-------- C:\DOCUME~1\JEREMY~1\APPLIC~1\Real
2007-07-23 16:59 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared
2007-07-23 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sonic
2007-07-23 16:58 <DIR> d-------- C:\Program Files\Common Files\HP
2007-07-23 16:49 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-07-16 15:19 <DIR> d-------- C:\Program Files\Hirschmann


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 21:25 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-07-30 13:24 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-07-23 17:08 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-23 16:58 --------- d-------- C:\Program Files\HP
2007-07-16 16:48 15360 --a------ C:\WINDOWS\system32\selm_isx.dll
2007-07-09 18:09 --------- d-------- C:\Program Files\Microsoft Voice Command
2007-07-05 16:58 --------- d-------- C:\Program Files\DSTfix
2007-06-26 16:32 --------- d-------- C:\Program Files\ControlFLASH
2007-06-25 07:53 --------- d-------- C:\Program Files\AvantGo
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-25 09:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 12:42]
"nwiz"="nwiz.exe" [2006-04-25 11:28 C:\WINDOWS\system32\nwiz.exe]
"THGuard"="C:\Program Files\TrojanHunter 4.7\THGuard.exe" [2007-08-11 20:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-21 02:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

R0 ALLOW-IO;ALLOW-IO;C:\WINDOWS\system32\Drivers\ALLOW-IO.sys
R0 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms;C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
R0 hotcore;hotcore;C:\WINDOWS\system32\drivers\hotcore.sys
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver;C:\WINDOWS\system32\DRIVERS\sbp2port.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
R1 VirtualBackplane;A-B Virtual Backplane;\??\C:\WINDOWS\system32\drivers\VirtualBackplane.sys
R1 vmm;Virtual Machine Monitor;\??\C:\WINDOWS\system32\Drivers\vmm.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 EZUSB;Dialog General Purpose USB Driver (ezusb.sys);C:\WINDOWS\system32\Drivers\ezusb.sys
R2 IISADMIN;IIS Admin;C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 lnss_sscans;GFI LANguard N.S.S. Scheduled Scans Service;C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
R2 Rockwell HMI Framework;Rockwell HMI Framework;C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 TACN1000;TACN1000;\??\C:\WINDOWS\system32\drivers\TACN1000.sys
R2 TAPccWdm;TAPccWdm;\??\C:\WINDOWS\system32\drivers\TAPccWdm.sys
R3 DCamUSBET;USB2.0 1.3M PC CAM;C:\WINDOWS\system32\DRIVERS\etDevice.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
R3 EventServer;Rockwell Event Server;"C:\Program Files\Common Files\Rockwell\EventServer.exe"
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\system32\DRIVERS\etFilter.sys
R3 HSF_DPV;HSF_DPV;C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
R3 HSFHWVIA;HSFHWVIA;C:\WINDOWS\system32\DRIVERS\HSFHWVIA.sys
R3 irsir;Microsoft Serial Infrared Driver;C:\WINDOWS\system32\DRIVERS\irsir.sys
R3 PcmkWdm;%PcmkWdm.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver;C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\system32\DRIVERS\etScan.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 VPCNetS2;Virtual Machine Network Services Driver;C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
S1 abpicw2k;AB PIC/AIC+ Driver;C:\WINDOWS\system32\DRIVERS\abpicw2k.sys
S2 MtxIic;MtxIic;\??\C:\WINDOWS\system32\drivers\MtxIicKrnlNT.sys
S2 spupdsvc;Windows Service Pack Installer update service;C:\WINDOWS\system32\spupdsvc.exe
S3 1784-PCIDS DeviceNet;1784-PCIDS DeviceNet;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
S3 ABKTCX;Rockwell Software 1784-KTC(X) Driver;C:\WINDOWS\system32\Drivers\ABKTCX.sys
S3 ADM8511;Belkin USB Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\NET8511.SYS
S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ADM851X.SYS
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 cmudau;C-Media USB Sound Interface;C:\WINDOWS\system32\drivers\cmudaxu.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 maxidemo;Maxi_Vista_Demo_Driver;C:\WINDOWS\system32\DRIVERS\maxidemo.sys
S3 maxivista;Maxi_Vista_DriverA;C:\WINDOWS\system32\DRIVERS\maxivista.sys
S3 maxivistb;Maxi_Vista_DriverB;C:\WINDOWS\system32\DRIVERS\maxivistb.sys
S3 maxivistc;Maxi_Vista_DriverC;C:\WINDOWS\system32\DRIVERS\maxivistc.sys
S3 MaxtorFrontPanel1;Maxtor 1394 Storage Front Panel Driver;C:\WINDOWS\system32\DRIVERS\mxofwfp.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 pcidnt;A-B 1784-PCIDS;C:\WINDOWS\system32\Drivers\pcidnt.sys
S3 Rockwell HMI Alarm Logger;Rockwell HMI Alarm Logger;"C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe"
S3 RS_SS_NT;RSLinx Classic S-S SD/SD2 Device Driver;C:\WINDOWS\system32\RS_SS_NT.SYS
S3 RSI-PKTX-A;RSI-PKTX-A;C:\WINDOWS\system32\drivers\RSI-PKTX-A.SYS
S3 RsiKtControl;RsiKtControl;C:\WINDOWS\system32\RSIKT.SYS
S3 RSLINXNGKtControl;RSLINXNGKtControl;C:\WINDOWS\system32\drivers\RSIKTNG.SYS
S3 RSSERIAL;RSLinx Classic Serial Driver;C:\WINDOWS\system32\RSSERIAL.SYS
S3 SimModuleService;1789-SIM Simulator Module;C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S3 usbser;USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
S3 vncdrv;vncdrv;C:\WINDOWS\system32\DRIVERS\vncdrv.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d092e858-1ac7-11dc-b93b-000b6b4dcbda}]
AutoRun\command- J:\Installer.exe


Contents of the 'Scheduled Tasks' folder
2006-05-22 03:15:57 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job
2007-08-03 20:00:00 C:\WINDOWS\Tasks\{08A8508C-7269-47C1-A611-C69BD3A93F6F}_BEITZEL_jeremy perando.job - C:\WINDOWS\system32\mobsync.exe
2007-08-14 20:00:00 C:\WINDOWS\Tasks\{4D7302E1-19B8-4DD1-B9A2-50910BA51772}_BEITZEL_jeremy perando.job - C:\WINDOWS\system32\mobsync.exe
2007-08-15 13:01:57 C:\WINDOWS\Tasks\{C5D6C737-0C68-4B23-B1D9-842E7D82D4A7}_BEITZEL_jeremy perando.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-15 22:12:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Fonts]
"Bank Gothic Light BT (TrueType)"="bgothl.ttf"
"Bank Gothic Medium BT (TrueType)"="bgothm.ttf"
"CityBlueprint (TrueType)"="cityb___.ttf"
"Commercial Pi BT (TrueType)"="compi.ttf"
"Dutch 801 Roman BT (TrueType)"="dutch.ttf"
"Commercial Script BT (TrueType)"="comsc.ttf"
"Swiss 721 Bold BT (TrueType)"="swissb.ttf"
"SansSerif (TrueType)"="sanss___.ttf"
"SansSerif Bold (TrueType)"="sanssb__.ttf"
"SansSerif BoldOblique (TrueType)"="sanssbo_.ttf"
"SansSerif Oblique (TrueType)"="sansso__.ttf"
"Stylus BT (TrueType)"="stylu.ttf"
"Swiss 721 BT (TrueType)"="swiss.ttf"
"Romantic Bold (TrueType)"="romab___.ttf"
"Swiss 721 Bold Italic BT (TrueType)"="swissbi.ttf"
"Swiss 721 Bold Outline BT (TrueType)"="swissbo.ttf"
"Swiss 721 Condensed BT (TrueType)"="swissc.ttf"
"Swiss 721 Bold Condensed BT (TrueType)"="swisscb.ttf"
"Swiss 721 Bold Condensed Italic BT (TrueType)"="swisscbi.ttf"
"Swiss 721 Bold Condensed Outline BT (TrueType)"="swisscbo.ttf"
"SuperFrench (TrueType)"="supef___.ttf"
"GDT (TrueType)"="gdt_____.ttf"
"Dutch 801 Bold BT (TrueType)"="dutchb.ttf"
"Dutch 801 Bold Italic BT (TrueType)"="dutchbi.ttf"
"Dutch 801 Extra Bold BT (TrueType)"="dutcheb.ttf"
"Dutch 801 Italic BT (TrueType)"="dutchi.ttf"
"EuroRoman (TrueType)"="eurr____.ttf"
"Romantic (TrueType)"="romantic.ttf"
"Romantic Italic (TrueType)"="romai___.ttf"
"Monospace 821 BT (TrueType)"="monos.ttf"
"Monospace 821 Bold BT (TrueType)"="monosb.ttf"
"Monospace 821 Bold Italic BT (TrueType)"="monosbi.ttf"
"Monospace 821 Italic BT (TrueType)"="monosi.ttf"
"PanRoman (TrueType)"="panroman.ttf"
"Swiss 721 Black Condensed Italic BT (TrueType)"="swisscki.ttf"
"EuroRoman Oblique (TrueType)"="eurro___.ttf"
"ISOCPEUR Italic (TrueType)"="isocpeui.ttf"
"Swiss 721 Condensed Italic BT (TrueType)"="swissci.ttf"
"Vineta BT (TrueType)"="vinet.ttf"
"ISOCTEUR (TrueType)"="isocteur.ttf"
"Technic (TrueType)"="technic_.ttf"
"ISOCTEUR Italic (TrueType)"="isocteui.ttf"
"ISOCPEUR (TrueType)"="isocpeur.ttf"
"Swiss 721 Black BT (TrueType)"="swissk.ttf"
"CountryBlueprint (TrueType)"="counb___.ttf"
"Swiss 721 Light Condensed BT (TrueType)"="swisscl.ttf"
"Swiss 721 Light Condensed Italic BT (TrueType)"="swisscli.ttf"
"Swiss 721 Extended BT (TrueType)"="swisse.ttf"
"Swiss 721 Bold Extended BT (TrueType)"="swisseb.ttf"
"Swiss 721 Black Extended BT (TrueType)"="swissek.ttf"
"Universal Math 1 BT (TrueType)"="umath.ttf"
"Swiss 721 Italic BT (TrueType)"="swissi.ttf"
"Swiss 721 Black Condensed BT (TrueType)"="swissck.ttf"
"Swiss 721 Black Italic BT (TrueType)"="swisski.ttf"
"Swiss 721 Black Outline BT (TrueType)"="swissko.ttf"
"Swiss 721 Light BT (TrueType)"="swissl.ttf"
"Swiss 721 Light Italic BT (TrueType)"="swissli.ttf"
"TechnicBold (TrueType)"="techb___.ttf"
"TechnicLite (TrueType)"="techl___.ttf"
"Swiss 721 Light Extended BT (TrueType)"="swissel.ttf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MCD]
"Enable"=dword:00000001
"SwapSync"=dword:00000001
"Palettized Formats"=dword:00000001
"IO Priority"=dword:00000000
"Use Generic Stencil"=dword:00000001
"Enumerate as ICD"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/adv6api.dll]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/msrdp.ocx]
".Owner"="{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}"
"{9059F30F-4EB1-4BD2-9FDC-36F43A218F4A}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webeye.ocx]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/webeyeaudio.ocx]
".Owner"="{A8739816-022C-11D6-A85D-00C04F9AEAFB}"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/mfc42.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/msvcrt.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/olepro32.dll]
".Owner"="Unknown Owner"
"{A8739816-022C-11D6-A85D-00C04F9AEAFB}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage]
"WIADevicePresent"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\StillImage\Registered Applications]
"eMPIA AMCAP"="C:\WINDOWS\etAMCAP.exe /StiDevice: /StiEvent:"
"ET2700 PC CAM Application"="C:\WINDOWS\etCAP.exe /StiDevice: /StiEvent:"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

#6 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 16 August 2007 - 06:36 AM

Please post a fresh HijackThis log :thumbsup:

As for System Restore, we'll clean it up in a bit; as for the HijackThis folder, you can go ahead and delete the HijackThis backups if they are what were found.

#7 JPX

  • Topic Starter
  • Members
  • 4 posts

Posted 20 August 2007 - 11:30 AM

I went ahead and removed the virus from the restore by running a full Symantec scan after disabling restore. Here is the latest HijackThis log; I hope we got everything...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:11 PM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Rockwell\EventServer.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
C:\Program Files\Common Files\Rockwell\RsvcHost.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TrojanHunter 4.7\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.220.1.254:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.7\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {16A017B9-6CB4-47C7-8E81-6E9396FAC2B6} (IDVRCtrlX Control) - http://10.110.60.159/NSIDVRCtrlX.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} (Moonlight MPEG-4 Video Decoder) - http://10.110.103.194/activex/decoder/mpeg4_dec.cab
O16 - DPF: {466FE5FE-9B04-4BD8-9993-C4FBDAEB7122} (JMWiseCam Control) - http://10.110.103.130/JMWiseCam.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://lov-amsterm/msrdp.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.155.216.154/activex/AxisPlayer.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://10.110.103.132/csi_netcam.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {C111A91F-D4EC-4D22-8D27-C3BCB0389F43} (AudioHandlerEmbedded) - http://10.110.34.10/activex/AMC.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://www.level-9.ch:53762/activex/AMC.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BEITZEL
O17 - HKLM\Software\..\Telephony: DomainName = BEITZEL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BEITZEL
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Rockwell Event Multiplexer (EventClientMultiplexer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventClientMultiplexer.exe
O23 - Service: Rockwell Event Server (EventServer) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\EventServer.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: GFI LANguard N.S.S. Scheduled Scans Service (lnss_sscans) - GFI Software Ltd. - C:\Program Files\GFI\LANguard Network Security Scanner 3\sscansvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe
O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Unknown owner - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe
O23 - Service: Rockwell Directory Server (RNADirectory) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RnaDirServer.exe
O23 - Service: Rockwell Directory Multiplexer (RNADirMultiplexor) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RNADirMultiplexor.exe
O23 - Service: Rockwell HMI Activity Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsActivityLogServ.exe
O23 - Service: Rockwell HMI Alarm Logger - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\RsAlarmLogServ.exe
O23 - Service: Rockwell HMI Diagnostics - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\HMIDIAGNOSTICSLSTADAPT.exe
O23 - Service: Rockwell HMI Framework - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\ServerFramework.exe
O23 - Service: Rockwell Tag Server - Rockwell Software, Inc. - C:\Program Files\Rockwell Software\RSView Enterprise\TagSrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx Classic (RSLinx) - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE
O23 - Service: RSLinx Enterprise (RSLinxNG) - Rockwell Automation - C:\Program Files\Rockwell Software\RSLinx Enterprise\RSLinxNG.exe
O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Software Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13943 bytes

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:41 AM

Posted 20 August 2007 - 12:00 PM

Run a scan with HijackThis and checkfix the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank


Then exit HijackThis.

=========

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for ALL previous installed versions of Java. (J2SE Runtime Environment.... )
    They should have the following icon next to them: [image]
    Select them and click Remove one at a time.
  • Now please install the Java Runtime Environment (JRE) 6u2 manually.
  • Note to reboot the computer after updating: http://java.sun.com/javase/downloads/index.jsp

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

How's the system running now? :thumbsup:
Hi there, stranger!

#9 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:03:41 AM

Posted 30 August 2007 - 12:07 PM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member. :thumbsup:
Hi there, stranger!
