
Ie Is Hijacked, I Have Pmnlk.exe, No Desktop Background


4 replies to this topic

#1 DanC1186

DanC1186

  • Members
  • 82 posts

Posted 21 May 2007 - 11:41 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:32:45 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Geoff\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Geoff\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.101
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [utldpwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\utldpwe.dll,ggxtgkb
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C06C288-6228-4130-89C6-A779D8E175F8}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C67722-EB91-4C2C-B7B8-A4E9EDB4655E}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CS3\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O20 - AppInit_DLLs:
O21 - SSODL: msdns - {F40D7BB6-7CD0-48FB-B3F6-C92EC730F17F} - (no file)
O21 - SSODL: iedns - {28D7E48A-C5A3-41DF-8A7A-7DDD54F93DE1} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Unknown owner - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Geoff\ie_updater.exe (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)

Thanks in advance.



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 May 2007 - 03:56 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum DanC1186 :thumbsup:

First, right click on a blank area of your desktop and select 'New', then select 'Folder'.
Right click on that new folder and select 'Rename', rename it to HJT.
Now move Hijackthis.exe into the HJT folder and run it from there from now on please.

***************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

***************************

Download and run Fixwareout from the link below:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
After the reboot post the contents of the logfile C:\fixwareout\report.txt in your next reply.

***************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

***************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 DanC1186

DanC1186
  • Topic Starter

  • Members
  • 82 posts

Posted 23 May 2007 - 02:57 PM

"Geoff" - 2007-05-23 14:34:09 Service Pack 2
ComboFix 07-05.23.5.V - Running from: "C:\Documents and Settings\Geoff\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\system32\bund1\temp.txt
C:\Documents and Settings\All Users.\documents\settings
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\drivers\runtime2.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_WINDBG48
-------\runtime
-------\windbg48


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-23 ))))))))))))))))))))))))))))))))))


2007-05-23 14:23 <DIR> d-------- C:\VundoFix Backups
2007-05-23 14:15 7,521 --a------ C:\dnsbak.reg
2007-05-22 00:07 <DIR> d-------- C:\Program Files\iTunes
2007-05-21 23:48 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-05-21 23:48 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-05-21 23:47 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2007-05-21 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-21 22:50 <DIR> d-------- C:\Program Files\Real
2007-05-21 22:48 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-21 22:47 <DIR> d-------- C:\Program Files\iPod
2007-05-21 22:46 <DIR> d-------- C:\DOCUME~1\Geoff\APPLIC~1\vlc
2007-05-21 22:44 <DIR> d-------- C:\Program Files\VideoLAN
2007-05-21 22:29 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-21 22:28 <DIR> d-------- C:\Program Files\myProcMan
2007-05-21 20:44 2,065 --a------ C:\WINDOWS\mozver.dat
2007-05-21 20:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GetRightToGo
2007-05-21 19:52 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-05-21 18:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-21 17:52 <DIR> d-------- C:\Program Files\msn gaming zone
2007-05-21 17:38 <DIR> d-------- C:\WINDOWS\pss
2007-05-21 17:31 <DIR> d-------- C:\Program Files\7-Zip
2007-05-21 16:46 <DIR> d-------- C:\Program Files\Abexo
2007-05-21 16:32 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-21 16:32 <DIR> d-------- C:\!KillBox
2007-05-21 16:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-21 16:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Netscape
2007-05-21 15:51 1,572,864 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-21 15:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-05-21 15:51 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Intuit
2007-05-20 13:39 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-18 13:12 5,413 --a------ C:\xcrashdump.dat
2007-05-15 17:40 29,440 --a------ C:\WINDOWS\swin32.dll
2007-05-15 17:40 14,080 --a------ C:\WINDOWS\wml.exe
2007-05-11 15:36 <DIR> d-------- C:\SAV
2007-04-24 21:41 36,352 --a------ C:\WINDOWS\system32\__c00FE590.dat
2007-04-24 21:41 36,352 --a------ C:\WINDOWS\system32\__c00E8100.dat
2007-04-24 21:41 36,352 --a------ C:\WINDOWS\system32\__c00CBDC4.dat
2007-04-24 21:41 36,352 --a------ C:\WINDOWS\system32\__c0059921.dat
2007-04-24 19:42 1 --a------ C:\WINDOWS\system32\ps.dat
2007-04-24 19:42 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-04-24 19:38 36,352 --a------ C:\WINDOWS\system32\__c006EB3.dat
2007-04-24 19:38 36,352 --a------ C:\WINDOWS\system32\__c0056F6D.dat
2007-04-24 19:38 36,352 --a------ C:\WINDOWS\system32\__c002AA0C.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-22 04:49:07 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-22 04:48:32 -------- d-----w C:\Program Files\Symantec
2007-05-22 03:55:52 -------- d-----w C:\DOCUME~1\Geoff\APPLIC~1\Real
2007-05-22 03:51:24 -------- d-----w C:\Program Files\Common Files\Real
2007-05-17 23:54:09 -------- d-----w C:\DOCUME~1\Geoff\APPLIC~1\LimeWire
2007-05-15 22:36:44 -------- d-----w C:\Program Files\Norton Internet Security
2007-05-02 00:02:55 341 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-05-01 15:48:26 73 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-05-01 05:15:25 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll
2007-04-25 04:08:29 -------- d--h--w C:\Program Files\BHO Plugin
2007-04-09 01:54:06 -------- d-----w C:\DOCUME~1\Geoff\APPLIC~1\Lavasoft
2007-04-06 22:12:49 -------- d-----w C:\Program Files\Windows NT
2007-04-04 02:08:23 8,464 ----a-w C:\WINDOWS\system32\sporder.dll
2007-04-04 02:06:36 63,488 ----a-w C:\WINDOWS\system32\ykxrjeh.dll
2007-04-04 02:06:33 87,040 ----a-w C:\WINDOWS\system32\utldpwe.dll
2007-03-22 20:47:35 46,344 ----a-w C:\WINDOWS\NSSetDefaultBrowser.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{160E8594-8F32-4F25-BC85-75DE4CA0508E}=C:\WINDOWS\system32\pmnlk.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 21:49]
"!AVG Anti-Spyware"="C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 07:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"utldpwe.dll"="C:\WINDOWS\system32\utldpwe.dll" [2007-04-03 21:06]
"QlbCtrl"="%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-17 15:29 C:\WINDOWS\system32\CHDAudPropShortcut.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnlk]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnfo32s]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\setup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480


Contents of the 'Scheduled Tasks' folder
2007-05-03 16:33:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-23 05:00:00 C:\WINDOWS\tasks\At1.job
2007-05-23 14:00:00 C:\WINDOWS\tasks\At10.job
2007-05-23 15:00:00 C:\WINDOWS\tasks\At11.job
2007-05-23 16:00:00 C:\WINDOWS\tasks\At12.job
2007-05-23 17:00:00 C:\WINDOWS\tasks\At13.job
2007-05-23 18:00:00 C:\WINDOWS\tasks\At14.job
2007-05-20 19:00:00 C:\WINDOWS\tasks\At15.job
2007-05-21 20:00:00 C:\WINDOWS\tasks\At16.job
2007-05-22 21:00:00 C:\WINDOWS\tasks\At17.job
2007-05-22 22:00:00 C:\WINDOWS\tasks\At18.job
2007-05-22 23:00:00 C:\WINDOWS\tasks\At19.job
2007-05-23 06:00:00 C:\WINDOWS\tasks\At2.job
2007-05-23 00:00:00 C:\WINDOWS\tasks\At20.job
2007-05-23 01:00:00 C:\WINDOWS\tasks\At21.job
2007-05-23 02:00:00 C:\WINDOWS\tasks\At22.job
2007-05-23 03:00:00 C:\WINDOWS\tasks\At23.job
2007-05-23 04:00:00 C:\WINDOWS\tasks\At24.job
2007-05-23 07:00:00 C:\WINDOWS\tasks\At3.job
2007-05-23 08:00:00 C:\WINDOWS\tasks\At4.job
2007-05-23 09:00:00 C:\WINDOWS\tasks\At5.job
2007-05-23 10:00:00 C:\WINDOWS\tasks\At6.job
2007-05-23 11:00:00 C:\WINDOWS\tasks\At7.job
2007-05-23 12:00:00 C:\WINDOWS\tasks\At8.job
2007-05-23 13:00:00 C:\WINDOWS\tasks\At9.job
2007-02-23 03:16:00 C:\WINDOWS\tasks\Easy Internet Sign-up.job
2007-04-26 05:40:05 C:\WINDOWS\tasks\HPCeeSchedule.job
2007-05-23 19:34:50 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-23 14:38:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-23 14:39:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-23 14:39

--- E O F ---

VundoFix V6.4.1

Checking Java version...

Scan started at 2:23:08 PM 5/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\ljmvavun.dll
C:\WINDOWS\system32\nuvavmjl.ini
C:\WINDOWS\system32\pmnlk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\klnmp.bak1
C:\WINDOWS\system32\klnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\klnmp.bak2
C:\WINDOWS\system32\klnmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\klnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljmvavun.dll
C:\WINDOWS\system32\ljmvavun.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nuvavmjl.ini
C:\WINDOWS\system32\nuvavmjl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlk.dll
C:\WINDOWS\system32\pmnlk.dll Has been deleted!

Performing Repairs to the registry.
Done!


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdayl.exe"

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\temp\kdayl.ren 66329 08/04/2004

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"!AVG Anti-Spyware"="\"C:\\Documents and Settings\\Administrator\\Desktop\\help\\avgnospy\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"utldpwe.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\utldpwe.dll,ggxtgkb"
"QlbCtrl"="%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start"
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


SDFix: Version 1.84

Run by Geoff - Wed 05/23/2007 - 14:05:30.78

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft IEUpdater2
TCP and UDP Supp0rt
wincom32

ImagePath:
C:\Documents and Settings\Geoff\ie_updater.exe /start
C:\WINDOWS\system32\tccpip.exe /winnt
\??\C:\WINDOWS\system32\wincom32.sys

Microsoft IEUpdater2 - Deleted
TCP and UDP Supp0rt - Deleted
wincom32 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\168231~1 - Deleted
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\FG8ISBCM\1304_1~1 - Deleted
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\I12CV5XG\1304_1~1 - Deleted
C:\DOCUME~1\LOCALS~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\Q91K3VN6\1304_1~1 - Deleted
C:\Documents and Settings\Geoff\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\RunOnce2.tm_ - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
:lzx32.sys 71608
:xpdt.sys 79094
Total size: 150702 bytes.

system32: deleted 150702 bytes in 2 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL0301.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL0479.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL0700.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL0827.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL0855.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL1225.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL1681.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL2319.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL2330.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL2422.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL2648.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL2695.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL3089.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL3151.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL3936.tmp
C:\Documents and Settings\Geoff\My Documents\My Documents\~WRL3982.tmp

Finished

#4 DanC1186

DanC1186
  • Topic Starter

  • Members
  • 82 posts

Posted 23 May 2007 - 02:59 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:54:46 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Geoff\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/hp/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.0.101
O2 - BHO: (no name) - {160E8594-8F32-4F25-BC85-75DE4CA0508E} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {DC4F5474-0EF5-45F8-8498-F93D19ACA7E7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [utldpwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\utldpwe.dll,ggxtgkb
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\Administrator\Desktop\help\avgnospy\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: hpqwmiex - Unknown owner - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#5 RichieUK

Posted 23 May 2007 - 06:08 PM

First disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box.
* Click 'Save'.

*********************************

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

*********************************

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnfo32s]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunOnce2Upd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

*********************************

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\wml.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\utldpwe.dll
C:\WINDOWS\system32\__c00FE590.dat
C:\WINDOWS\system32\__c00E8100.dat
C:\WINDOWS\system32\__c00CBDC4.dat
C:\WINDOWS\system32\__c0059921.dat
C:\WINDOWS\system32\__c006EB3.dat
C:\WINDOWS\system32\__c0056F6D.dat
C:\WINDOWS\system32\__c002AA0C.dat
C:\WINDOWS\system32\ykxrjeh.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt.

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine, choose Yes.

********************************

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {160E8594-8F32-4F25-BC85-75DE4CA0508E} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {DC4F5474-0EF5-45F8-8498-F93D19ACA7E7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [utldpwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\utldpwe.dll,ggxtgkb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\..\{62CEF0FA-4890-4BCE-AC6C-BFEAD29A8D65}: NameServer = 85.255.114.74,85.255.112.61
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\

Exit HijackThis.

Restart your PC.
Post a new HijackThis log into your next reply.
Let me know how your PC is running now.
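Added example, not part of RichieUK's post or of HijackThis: a small triage script that runs over HijackThis log lines and flags the same kinds of entries the fix list above selects. The four heuristics and the expected resolver address 192.168.1.1 are assumptions of this example; the log lines are copied from this page.

```python
import re

# Entries copied from the HijackThis log and fix list on this page.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {160E8594-8F32-4F25-BC85-75DE4CA0508E} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [utldpwe.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\utldpwe.dll,ggxtgkb
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.74 85.255.112.61
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\
O23 - Service: hpqwmiex - Unknown owner - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
""".strip().splitlines()

ENTRY = re.compile(r"^(O\d+) - (.*)$")              # "<section> - <detail>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # dotted-quad addresses


def triage(lines, expected_dns):
    """Return (section, reason, line) for entries that deserve manual review."""
    findings = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, detail = m.groups()
        low = detail.lower()
        if section in ("O2", "O3") and low.endswith(("(file missing)", "(no file)")):
            findings.append((section, "BHO/toolbar registered but file absent", line))
        elif section == "O4" and re.search(r"rundll32\.exe\s+.+\.dll,", low):
            findings.append((section, "Run key loads a DLL through rundll32", line))
        elif section == "O17":
            # Any resolver outside the set the operator expects is worth a look.
            odd = [ip for ip in IPV4.findall(detail) if ip not in expected_dns]
            if odd:
                findings.append((section, "unexpected NameServer: " + ", ".join(odd), line))
        elif (section == "O20" and low.startswith("winlogon notify:")
              and not low.endswith(".dll")):
            findings.append((section, "Winlogon Notify entry without a DLL path", line))
    return findings


if __name__ == "__main__":
    # 192.168.1.1 is a constructed stand-in for the resolver you expect to see.
    for section, reason, _ in triage(SAMPLE_LOG, expected_dns={"192.168.1.1"}):
        print(section, "-", reason)
```

A flagged entry is a prompt for manual review, not a verdict: legitimate software also uses rundll32 Run entries, and custom DNS settings are common.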