Unread postby Bob4 » January 10th, 2009, 4:11 pm

OK, I have asked for some advice and hopefully we're getting closer.
There seem to be 2 other infections going on, and 1 of them is not letting us get that O2 line to go away.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you need help on disabling your antivirus visit this link.

3. Open notepad and copy/paste the text in the quotebox below into it:

c:\documents and settings\Tom\LOCAL SETTINGS\Temp\RLOOCCUE.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0536321F-23FA-464F-8B53-12F03CFF164E}]

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

NOTE: This script was done for this user specifically.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to run it.
A red "dos window" (dos box) will open with these options:
  • 1. Make logfile
  • E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer.
    When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread.

In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
  • The report from Haxfix
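An added illustration of the O2 problem the post describes (this is example code written for this page, not part of the original post, ComboFix or HijackThis): a small Python parser for HijackThis-format log lines that pulls out the O2 BHO entries, flags the orphaned ones (a CLSID whose DLL is gone or unnamed, which is the pattern that keeps an O2 line reappearing after a file-only cleanup), checks whether a CLSID targeted for removal is still registered, and emits the matching registry-deletion lines in the CFScript syntax shown above. The sample log lines are constructed for the example, and the CLSID list passed to the check is an assumption, not a detection.

```python
import re

# Constructed sample in HijackThis log format; not a scan of the poster's machine.
SAMPLE_LOG = """\
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O20 - Winlogon Notify: avgwlntf - C:\\WINDOWS\\SYSTEM32\\avgwlntf.dll
"""

# Registry key under which Internet Explorer looks up BHOs (same key as in the CFScript above).
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# "O2 - BHO: <name> - {CLSID} - <path>"; CLSID is 8-4-4-4-12 hex digits in braces.
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.*)$"
)


def parse_bhos(log_text):
    """Return one dict per O2 line: name, CLSID (upper-cased) and the DLL path."""
    bhos = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return bhos


def orphaned_bhos(bhos):
    """BHOs whose DLL is gone or that carry no name: the registry key outlived the file."""
    return [b for b in bhos if b["path"] == "(no file)" or b["name"] == "(no name)"]


def still_present(bhos, target_clsids):
    """Subset of the target CLSIDs (assumed list, case-insensitive) still registered as BHOs."""
    present = {b["clsid"] for b in bhos}
    return {c.upper() for c in target_clsids} & present


def cfscript_lines(bhos):
    """Registry-deletion lines in the CFScript syntax used in the post above."""
    return [f"[-{BHO_KEY}\\{b['clsid']}]" for b in bhos]


if __name__ == "__main__":
    found = parse_bhos(SAMPLE_LOG)
    for b in found:
        print(b["clsid"], b["name"], b["path"])
    for line in cfscript_lines(orphaned_bhos(found)):
        print(line)
```

Running it on a real HijackThis log after the CFScript pass tells you in one step whether the targeted CLSID is still registered, rather than re-reading the whole O2 block by eye.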

Unread postby duffer » January 10th, 2009, 5:58 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:01 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

End of file - 8767 bytes

ComboFix 09-01-08.04 - Tom 2009-01-10 14:54:22.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.829 [GMT -6:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

c:\documents and settings\Tom\LOCAL SETTINGS\Temp\RLOOCCUE.exe

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))

2009-01-07 21:13 . 2009-01-07 21:16 <DIR> d-------- C:\regsearch
2009-01-07 12:35 . 2009-01-07 12:35 <DIR> d-------- c:\program files\ERUNT
2009-01-07 12:32 . 2009-01-07 18:24 <DIR> d-------- C:\Reg Finder
2009-01-05 17:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- c:\program files\Panda Security
2009-01-01 16:37 . 2009-01-01 16:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-01 12:27 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Georgia\Application Data\Malwarebytes
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Opera
2008-12-31 21:17 . 2008-12-31 21:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 19:33 . 2009-01-07 21:08 <DIR> d-------- C:\1avgtemp1
2008-12-24 15:09 . 2009-01-09 00:06 250 --a------ c:\windows\gmer.ini
2008-12-24 12:59 . 2009-01-09 06:25 <DIR> d-------- C:\1avgtemp
2008-12-24 12:44 . 2008-12-24 12:47 11,164,087 --------- c:\windows\system32\TAQAUEZOZJR
2008-12-23 03:24 . 2008-12-23 03:24 665,088 --------- c:\windows\system32\spsplib1.dll
2008-12-17 17:16 . 2008-12-17 17:32 <DIR> d-------- c:\windows\NV36961336.TMP
2008-12-17 17:16 . 2008-09-17 23:55 453,152 --------- c:\windows\system32\nvuninst.exe
2008-12-17 17:16 . 2008-09-17 23:55 201,050 --------- c:\windows\system32\nvapps.nvb

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-01-10 20:49 --------- d-----w c:\documents and settings\Tom\Application Data\Spamihilator
2009-01-10 19:40 --------- d-----w c:\documents and settings\Tom\Application Data\AVG7
2009-01-10 00:38 --------- d-----w c:\program files\QuoteTracker
2009-01-07 18:34 --------- d-----w c:\documents and settings\Tom\Application Data\uTorrent
2009-01-07 18:33 --------- d-----w c:\program files\Java
2009-01-07 18:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 18:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 18:13 --------- d-----w c:\program files\Spamihilator
2009-01-01 03:46 --------- d-----w c:\program files\YPOPs
2008-12-27 01:04 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2008-12-18 23:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 21:29 --------- d-----w c:\documents and settings\Tom\Application Data\Thinstall
2008-12-06 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-12-06 16:58 --------- d-----w c:\documents and settings\Tom\Application Data\DivX
2008-12-06 16:56 --------- d-----w c:\program files\DivX
2008-12-05 03:06 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-25 21:11 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 21:08 --------- d-----w c:\program files\Motorola Phone Tools
2008-11-25 21:04 --------- d-----w c:\program files\Common Files\Motorola Shared
2008-11-25 21:02 92,064 ------w c:\documents and settings\Tom\mqdmmdm.sys
2008-11-25 21:02 9,232 ------w c:\documents and settings\Tom\mqdmmdfl.sys
2008-11-25 21:02 79,328 ------w c:\documents and settings\Tom\mqdmserd.sys
2008-11-25 21:02 66,656 ------w c:\documents and settings\Tom\mqdmbus.sys
2008-11-25 21:02 6,208 ------w c:\documents and settings\Tom\mqdmcmnt.sys
2008-11-25 21:02 5,936 ------w c:\documents and settings\Tom\mqdmwhnt.sys
2008-11-25 21:02 4,048 ------w c:\documents and settings\Tom\mqdmcr.sys
2008-11-25 21:02 25,600 ------w c:\documents and settings\Tom\usbsermptxp.sys
2008-11-25 21:02 22,768 ------w c:\documents and settings\Tom\usbsermpt.sys
2004-02-12 00:25 560 ------w c:\documents and settings\Tom\PCDOC.BAT
2004-02-07 02:00 26,296 ------w c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 02:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat

((((((((((((((((((((((((((((( snapshot@2009-01-08_23.57.09.01 )))))))))))))))))))))))))))))))))))))))))
+ 2009-01-10 21:00:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6c8.dat
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Spamihilator"="c:\program files\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-11-16 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-03-02 16:20 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
backup=c:\windows\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2002-08-29 06:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-29 06:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2003-03-15 22:46 168448 c:\windows\realtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2003-09-20 19:12 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-10-30 08:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2008-09-17 23:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=3 (0x3)
"TermService"=2 (0x2)
"Backup Server"=3 (0x3)

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TPP Auto Loader"=c:\windows\tppaldr.exe

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Spamihilator\\cdcc.exe"=
"c:\\Program Files\\Spamihilator\\dccproc.exe"=
"c:\\Program Files\\Spamihilator\\spamihilator.exe"=

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-05 28544]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-06 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-05 139264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-07 24447]
S4 Backup Server;Backup Server;c:\progra~1\NOVANE~1\BACKUP~2.EXE [2004-01-05 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PKWWJRDY
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2009-01-10 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 17:54]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add To CheckIt &86 Trust List - c:\progra~1\CheckIt\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.msi.com.tw

O16 -: DirectAnimation Java Classes - file://c:\i386\DAJAVA.CAB
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\i386\XMLDSO.CAB
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://tw.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\
FF - prefs.js: browser.startup.homepage - hxxp://www.okhistory.org
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Google\Update\\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll


catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 15:00:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(508)
------------------------ Other Running Processes ------------------------
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
Completion time: 2009-01-10 15:06:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-10 21:06:17
ComboFix2.txt 2009-01-09 13:11:29
ComboFix3.txt 2009-01-09 05:58:50

Pre-Run: 50,314,506,240 bytes free
Post-Run: 50,310,930,432 bytes free

275 --- E O F --- 2008-12-12 09:03:41

HAXFIX logfile - by Marckie

version 5.054
Sat 01/10/2009 15:08:08.65
running from C:\HaxFix

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

--- Checking for Goldun - Spybanker ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for random used files and services
these files are not necessarily malicious
C:\blakleyCdrive\Program Files\Canon Creative\ImageStrip\Graphics\CmraBtn.bmp
C:\blakleyCdrive\Program Files\INSIGHT98\ER6\EN\rpt\1\Toolbox\Master Sheets\stevia.pdf
C:\blakleyCdrive\Program Files\Microsoft Works\workscor\j0187771.wmf
C:\blakleyCdrive\Program Files\MySoftware\MyAdvanced LabelDesigner\Clipart\MENS_RM.PCX
C:\Documents and Settings\Tom\My Documents\My Pictures\amy&josh\thumbs\253t[1].jpg
C:\mea\Program Files\Intuit\QuickBooks Pro\Components\Services\logo3.html
C:\mea\Program Files\Intuit\QuickBooks Pro\Components\Services\insurance1.html
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF
C:\mea\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\8310-v4.2.2.170_P2.5.0.30\Java\net_rim_crypto_keystore_browser_certificate.cod
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
no matching services found

checking for browser helper objects
no known browser helper objects found

checking for appinit files
no files found

checking for possible infected files
please submit these file here: http://www.bleepingcomputer.com/submit- ... channel=11
no files found

checking for Active Setup Installed Components
no known Active Setup Installed Components found

checking iexplore.exe
iexplore.exe is not infected

--- Checking for other Goldun, Spybanker and Haxdoor files ---
no other Haxdoor or Goldun files found

--- Catchme logfile - thank you Gmer ---

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 15:17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

--- Analysing Catchme logfile ---

no matching regkeys found

Unread postby Bob4 » January 10th, 2009, 9:35 pm

OK that line is finally gone.
I just need to know 2 things before we finish up.

Did you download and install Sophos Anti-Rootkit ?

Does everything seem to be running ok ?
Unread postby duffer » January 10th, 2009, 11:19 pm

I have been running slow for some time now. Since Malwarebytes and virus scans were not turning up anything, I tried several rootkit programs. Sophos was one of them, but I never really found anything with them. It was just recently when I got the AV 2008 fake alert and then the kfrls.dll problem.

Right now, things are running much faster.

Thanks for your help
Unread postby Bob4 » January 11th, 2009, 8:26 am

Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!

You may delete the following
Reg Finder

The following will implement some cleanup procedures for the tool we used as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

A few things to help with possible threats

These are optional . But will help protect you further.
Some of these you may already have.

Windows Updates
Be certain Automatic Updates is turned on (for XP, for Vista), or if you like to do it manually, be sure to visit http://update.microsoft.com/ regularly. This requires Internet Explorer.

This will ensure your computer has always the latest security updates available installed on your computer.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.



This toolbar will help protect you from:
  • Over 4,000 fake bank and credit sites.
  • Tens of thousands of pornographic and adult sites.
  • The never-ending fake phishing sites.
  • Malicious sites, which can infect you with spyware and adware if you visit.
  • Sites to download software which may infect your computer with spyware, a virus or adware.

Download and Install a HOSTS File

Download HostsXpert and unzip it to your computer, somewhere where you can find it.
  • Run HostsXpert
  • If Hosts file is Read Only, click on Make Writeable, otherwise move on to next stage.
  • Click Download button.
  • Click MVPs Hosts
  • Click Merge File
  • Press OK to download latest MVPs update and merge it with your Hosts.
  • When finished click File Handling
  • Click Make Read Only to secure your Hosts file.
  • Exit HostsXpert.

Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.

So many people are point-and-click crazy, either because they're naive or they're in a rush.

Always watch closely any software you're installing.
If they want to install something more than their program stop right there and investigate what it is they want to place on your computer.
If they give you the option not to install it choose that until you investigate it completely.
The more you install that you don't want or need the more you'll wish you didn't.

If you're anything like me you should be mad these people have done this to you.
Please take the time to tell us what you would like to be done to these idiots!
We can only get something done about this if the people that we help, like you, are prepared to complain.
We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post. Just find your country room and register your complaint.

The infection you had was Delf.

Safe and Happy Surfing. :)
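An added example of what the HOSTS file steps above actually do, written for this page and not taken from the post or from HostsXpert: merge a blocking list in the MVPs hosts format into an existing hosts file, keep the hand-maintained entries (localhost, local servers) ahead of the downloaded ones, collapse duplicate hostnames, and write the result back read-only, mirroring the Make Writeable / Make Read Only steps. Both input files are constructed for the example; the real list is fetched by HostsXpert and the real file on XP lives at %SystemRoot%\system32\drivers\etc\hosts. The sinkhole address 0.0.0.0 and the output path are assumptions chosen for the example.

```python
import os
import stat

# Constructed inputs for the example; neither is a real file from the poster's machine.
EXISTING_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.lan   # local share
"""

MVPS_STYLE_LIST = """\
# Constructed blocking list in the MVPs hosts layout (one name per line)
0.0.0.0 ad.example-tracker.test
0.0.0.0 malware.example-dropper.test
0.0.0.0 localhost
127.0.0.1 ad.example-tracker.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, dropping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def merge_hosts(existing, blocklist, sinkhole="0.0.0.0"):
    """Merge a block list into an existing hosts file.

    Existing entries always win (so the list can never redirect localhost or a
    LAN server); each block-list name not already mapped is added once, pointed
    at the sinkhole address regardless of the address the list used.
    """
    mapping = {}
    order = []
    for ip, name in parse_hosts(existing):
        if name not in mapping:
            mapping[name] = ip
            order.append(name)
    for _ip, name in parse_hosts(blocklist):
        if name in mapping:
            continue
        mapping[name] = sinkhole
        order.append(name)
    lines = ["# merged hosts file"] + [f"{mapping[n]}\t{n}" for n in order]
    return "\n".join(lines) + "\n"


def write_read_only(path, text):
    """Write the file, clearing the read-only bit first and setting it afterwards.

    Returns True when the saved file no longer carries the owner write bit.
    """
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # Make Writeable
    with open(path, "w", encoding="ascii") as f:
        f.write(text)
    os.chmod(path, stat.S_IREAD)  # Make Read Only
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & stat.S_IWRITE) == 0


if __name__ == "__main__":
    # Assumed output path for the demo; on XP the live file is under
    # %SystemRoot%\system32\drivers\etc\hosts.
    merged = merge_hosts(EXISTING_HOSTS, MVPS_STYLE_LIST)
    print(merged, end="")
    print("read-only:", write_read_only("hosts.merged", merged))
```

The read-only bit is a speed bump, not a control: anything running as an administrator (which on XP is usually everything) can clear it exactly as this script does, so treat the hosts file as something to re-check after an infection rather than as a defence on its own.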
Unread postby NonSuch » January 16th, 2009, 2:31 pm

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
